#![allow(clippy::too_many_lines)]
use super::super::super::types::{
ArtifactDescriptor, ArtifactType, DataScope, Decoder, OsScope, TriagePriority,
};
/// Event Log channel `Application` (`Application.evtx`).
///
/// File-backed artifact: the registry fields are left empty and `file_path` is
/// `%SystemRoot%`-relative (presumably expanded by the collector — confirm).
/// Triage priority as catalogued: Medium. Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_APPLICATION: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_application",
    name: "Application",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Application.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Application'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-DFSN-ServerFilter/Analytic`.
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DFSN_SERVERFILTER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_dfsn_serverfilter_analytic",
    name: "Microsoft-Windows-DFSN-ServerFilter/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DFSN-ServerFilter\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DFSN-ServerFilter/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-DFSN-ServerService/Analytic`.
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DFSN_SERVERSERVICE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_dfsn_serverservice_analytic",
    name: "Microsoft-Windows-DFSN-ServerService/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DFSN-ServerService\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DFSN-ServerService/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Analytic Channel` (`Analytic Channel.evtx`).
///
/// NOTE(review): the name carries no provider prefix, unlike every
/// `Provider/Channel` entry in this file; this may be a generator artefact
/// rather than a real log file — confirm it exists on a reference system
/// before a collector relies on it. Triage priority as catalogued: Low.
pub(crate) static EVTX_ANALYTIC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_analytic_channel",
    name: "Analytic Channel",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Analytic Channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Analytic Channel'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `iaLPSS_GPIO2 Debug channel` (Intel LPSS GPIO driver debug log).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_IALPSS_GPIO2_DEBUG_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_ialpss_gpio2_debug_channel",
    name: "iaLPSS_GPIO2 Debug channel",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\iaLPSS_GPIO2 Debug channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'iaLPSS_GPIO2 Debug channel'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `iaLPSS_GPIO2 Performance channel` (Intel LPSS GPIO driver).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_IALPSS_GPIO2_PERFORMANCE_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_ialpss_gpio2_performance_channel",
    name: "iaLPSS_GPIO2 Performance channel",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\iaLPSS_GPIO2 Performance channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'iaLPSS_GPIO2 Performance channel'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `iaLPSS2_I2C Debug channel` (Intel LPSS I2C driver debug log).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_IALPSS2_I2C_DEBUG_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_ialpss2_i2c_debug_channel",
    name: "iaLPSS2_I2C Debug channel",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\iaLPSS2_I2C Debug channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'iaLPSS2_I2C Debug channel'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `iaLPSS2_I2C Performance channel` (Intel LPSS I2C driver).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_IALPSS2_I2C_PERFORMANCE_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_ialpss2_i2c_performance_channel",
    name: "iaLPSS2_I2C Performance channel",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\iaLPSS2_I2C Performance channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'iaLPSS2_I2C Performance channel'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Operational` (`Operational.evtx` at the Logs root).
///
/// NOTE(review): `Operational` is the channel-type suffix used by the
/// `Provider/Operational` entries in this file, not a provider name; a bare
/// `Operational.evtx` is likely a generator artefact — confirm it exists on a
/// reference system before a collector relies on it. Triage priority: Low.
pub(crate) static EVTX_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_operational",
    name: "Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Diagnostic` (`Diagnostic.evtx` at the Logs root).
///
/// NOTE(review): `Diagnostic` is the channel-type suffix used by the
/// `Provider/Diagnostic` entries in this file, not a provider name; a bare
/// `Diagnostic.evtx` is likely a generator artefact — confirm it exists on a
/// reference system before a collector relies on it. Triage priority: Low.
pub(crate) static EVTX_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_diagnostic",
    name: "Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-LSA/Performance` (Local Security Authority).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low (a performance channel,
/// not the LSA security audit trail). Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_WINDOWS_LSA_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_lsa_performance",
    name: "Microsoft-Windows-LSA/Performance",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-LSA\\Performance.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-LSA/Performance'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `AMSI/Debug` (Antimalware Scan Interface debug log).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// NOTE(review): AMSI ships with Windows 10 and later, so `Win7Plus` looks
/// like a file-wide default rather than a per-channel value — confirm.
pub(crate) static EVTX_AMSI_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_amsi_debug",
    name: "AMSI/Debug",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\AMSI\\Debug.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'AMSI/Debug'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `AMSI/Operational` (Antimalware Scan Interface).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// NOTE(review): AMSI records script-content scan results, which is useful
/// detection telemetry; Low may undersell this channel — confirm the rating.
/// AMSI ships with Windows 10 and later, so `Win7Plus` also warrants a check.
pub(crate) static EVTX_AMSI_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_amsi_operational",
    name: "AMSI/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\AMSI\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'AMSI/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Uac/Debug` (User Account Control debug log).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_UAC_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_uac_debug",
    name: "Uac/Debug",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Uac\\Debug.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Uac/Debug'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-AppV-Client-Streamingux/Debug` (App-V client).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_APPV_CLIENT_STREAMINGUX_DEBUG: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_appv_client_streamingux_debug",
        name: "Microsoft-AppV-Client-Streamingux/Debug",
        artifact_type: ArtifactType::EventLog,
        hive: None, // registry fields unused: file-backed artifact (see file_path)
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-AppV-Client-Streamingux\\Debug.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-AppV-Client-Streamingux/Debug'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Admin` (`Admin.evtx` at the Logs root).
///
/// NOTE(review): `Admin` is the channel-type suffix used by the
/// `Provider/Admin` entries in this file, not a provider name; a bare
/// `Admin.evtx` is likely a generator artefact — confirm it exists on a
/// reference system before a collector relies on it. Triage priority: Low.
pub(crate) static EVTX_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_admin",
    name: "Admin",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Admin.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Admin'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Virtual Applications` (`Virtual Applications.evtx`).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Medium.
/// NOTE(review): the Medium rating has no recorded rationale
/// (`volatility_rationale` and `evidence_caveats` are empty) — confirm.
pub(crate) static EVTX_VIRTUAL_APPLICATIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_virtual_applications",
    name: "Virtual Applications",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Virtual Applications.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Virtual Applications'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-AppV-Client/Debug` (App-V client).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_APPV_CLIENT_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_appv_client_debug",
    name: "Microsoft-AppV-Client/Debug",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-AppV-Client\\Debug.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-AppV-Client/Debug'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-AppV-SharedPerformance/Analytic` (App-V).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_APPV_SHAREDPERFORMANCE_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_appv_sharedperformance_analytic",
        name: "Microsoft-AppV-SharedPerformance/Analytic",
        artifact_type: ArtifactType::EventLog,
        hive: None, // registry fields unused: file-backed artifact (see file_path)
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-AppV-SharedPerformance\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-AppV-SharedPerformance/Analytic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-Client-License-Flexible-Platform/Admin`.
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_CLIENT_LICENSE_FLEXIBLE_PLATFORM_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_client_license_flexible_platform_admin",
    name: "Microsoft-Client-License-Flexible-Platform/Admin",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Client-License-Flexible-Platform\\Admin.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Client-License-Flexible-Platform/Admin'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-Client-Licensing-Platform/Diagnostic`.
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_CLIENT_LICENSING_PLATFORM_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_client_licensing_platform_diagnostic",
    name: "Microsoft-Client-Licensing-Platform/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Client-Licensing-Platform\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Client-Licensing-Platform/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-Client-Licensing-Platform/Admin`.
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_CLIENT_LICENSING_PLATFORM_ADMIN: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_client_licensing_platform_admin",
        name: "Microsoft-Client-Licensing-Platform/Admin",
        artifact_type: ArtifactType::EventLog,
        hive: None, // registry fields unused: file-backed artifact (see file_path)
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Client-Licensing-Platform\\Admin.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Client-Licensing-Platform/Admin'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-Windows-Store/Operational` (Microsoft Store client).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// NOTE(review): the Store client post-dates Windows 7, so `Win7Plus` looks
/// like a file-wide default rather than a per-channel value — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORE_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_store_operational",
        name: "Microsoft-Windows-Store/Operational",
        artifact_type: ArtifactType::EventLog,
        hive: None, // registry fields unused: file-backed artifact (see file_path)
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Store\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Store/Operational'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-Windows-WebPlatStorage-Server`.
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Note the channel name has no `/Type` suffix, so the log
/// file sits directly in the Logs directory. Triage priority: Low.
pub(crate) static EVTX_MICROSOFT_WINDOWS_WEBPLATSTORAGE_SERVER: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_webplatstorage_server",
        name: "Microsoft-Windows-WebPlatStorage-Server",
        artifact_type: ArtifactType::EventLog,
        hive: None, // registry fields unused: file-backed artifact (see file_path)
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-WebPlatStorage-Server.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-WebPlatStorage-Server'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-Windows-IndexedDB-Server`.
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Note the channel name has no `/Type` suffix, so the log
/// file sits directly in the Logs directory. Triage priority: Low.
pub(crate) static EVTX_MICROSOFT_WINDOWS_INDEXEDDB_SERVER: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_indexeddb_server",
        name: "Microsoft-Windows-IndexedDB-Server",
        artifact_type: ArtifactType::EventLog,
        hive: None, // registry fields unused: file-backed artifact (see file_path)
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IndexedDB-Server.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-IndexedDB-Server'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-IEDVTOOL/Diagnostic` (Internet Explorer developer tools).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_IEDVTOOL_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_iedvtool_diagnostic",
    name: "Microsoft-IEDVTOOL/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-IEDVTOOL\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-IEDVTOOL/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-IEFRAME/Diagnostic` (Internet Explorer frame).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_IEFRAME_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_ieframe_diagnostic",
    name: "Microsoft-IEFRAME/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-IEFRAME\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-IEFRAME/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-OneCore-Setup/Analytic`.
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_ONECORE_SETUP_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_onecore_setup_analytic",
    name: "Microsoft-OneCore-Setup/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-OneCore-Setup\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-OneCore-Setup/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-Pef-WFP-MessageProvider/Operational`
/// (Windows Filtering Platform message provider).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_PEF_WFP_MESSAGEPROVIDER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_pef_wfp_messageprovider_operational",
    name: "Microsoft-Pef-WFP-MessageProvider/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Pef-WFP-MessageProvider\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Pef-WFP-MessageProvider/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-PerfTrack-IEFRAME/Diagnostic`.
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_PERFTRACK_IEFRAME_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_perftrack_ieframe_diagnostic",
        name: "Microsoft-PerfTrack-IEFRAME/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        hive: None, // registry fields unused: file-backed artifact (see file_path)
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-PerfTrack-IEFRAME\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-PerfTrack-IEFRAME/Diagnostic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-PerfTrack-MSHTML/Diagnostic`.
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_PERFTRACK_MSHTML_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_perftrack_mshtml_diagnostic",
        name: "Microsoft-PerfTrack-MSHTML/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        hive: None, // registry fields unused: file-backed artifact (see file_path)
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-PerfTrack-MSHTML\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-PerfTrack-MSHTML/Diagnostic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-ServerCore-ShellLauncher/Debug`.
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_SERVERCORE_SHELLLAUNCHER_DEBUG: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_servercore_shelllauncher_debug",
        name: "Microsoft-ServerCore-ShellLauncher/Debug",
        artifact_type: ArtifactType::EventLog,
        hive: None, // registry fields unused: file-backed artifact (see file_path)
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-ServerCore-ShellLauncher\\Debug.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-ServerCore-ShellLauncher/Debug'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-System-Diagnostics-DiagnosticInvoker/Operational`.
///
/// NOTE(review): the static name and `id` end in `_operatio` — they appear to
/// have been cut at 60 characters by the generator while `name` and
/// `file_path` are intact. Renaming would change a crate-visible identifier
/// and the stable `id`, so this is flagged rather than fixed — confirm against
/// the generator. The High triage priority has no recorded rationale
/// (`volatility_rationale` is empty) — confirm as well.
pub(crate) static EVTX_MICROSOFT_SYSTEM_DIAGNOSTICS_DIAGNOSTICINVOKER_OPERATIO: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_system_diagnostics_diagnosticinvoker_operatio",
    name: "Microsoft-System-Diagnostics-DiagnosticInvoker/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-System-Diagnostics-DiagnosticInvoker\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-System-Diagnostics-DiagnosticInvoker/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-User Experience Virtualization-Admin/Debug` (UE-V).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; the
/// provider directory name contains spaces, so the path must be quoted if it
/// is ever passed to a shell. Triage priority as catalogued: Low.
pub(crate) static EVTX_MICROSOFT_USER_EXPERIENCE_VIRTUALIZATION_ADMIN_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_user_experience_virtualization_admin_debug",
    name: "Microsoft-User Experience Virtualization-Admin/Debug",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-User Experience Virtualization-Admin\\Debug.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-User Experience Virtualization-Admin/Debug'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Debug` (`Debug.evtx` at the Logs root).
///
/// NOTE(review): `Debug` is the channel-type suffix used by the
/// `Provider/Debug` entries in this file, not a provider name; a bare
/// `Debug.evtx` is likely a generator artefact — confirm it exists on a
/// reference system before a collector relies on it. Triage priority: Low.
pub(crate) static EVTX_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_debug",
    name: "Debug",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Debug.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Debug'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-User Experience Virtualization-App Agent/Debug` (UE-V).
///
/// NOTE(review): the static name and `id` end in `_debu` — they appear to have
/// been cut at 60 characters by the generator while `name` and `file_path` are
/// intact. Renaming would change a crate-visible identifier and the stable
/// `id`, so this is flagged rather than fixed — confirm against the generator.
/// The provider directory name contains spaces; quote the path if it is ever
/// passed to a shell. Triage priority as catalogued: Low.
pub(crate) static EVTX_MICROSOFT_USER_EXPERIENCE_VIRTUALIZATION_APP_AGENT_DEBU: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_user_experience_virtualization_app_agent_debu",
    name: "Microsoft-User Experience Virtualization-App Agent/Debug",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-User Experience Virtualization-App Agent\\Debug.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-User Experience Virtualization-App Agent/Debug'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Analytic` (`Analytic.evtx` at the Logs root).
///
/// NOTE(review): `Analytic` is the channel-type suffix used by the
/// `Provider/Analytic` entries in this file, not a provider name; a bare
/// `Analytic.evtx` is likely a generator artefact — confirm it exists on a
/// reference system before a collector relies on it. Triage priority: Low.
pub(crate) static EVTX_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_analytic",
    name: "Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-WS-Licensing/Diagnostic` (Windows Store licensing).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_WS_LICENSING_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_ws_licensing_diagnostic",
    name: "Microsoft-WS-Licensing/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-WS-Licensing\\Diagnostic.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-WS-Licensing/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-WS-Licensing/Admin` (Windows Store licensing).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_WS_LICENSING_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_ws_licensing_admin",
    name: "Microsoft-WS-Licensing/Admin",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-WS-Licensing\\Admin.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-WS-Licensing/Admin'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-WS-Licensing/Debug` (Windows Store licensing).
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; registry
/// fields are empty. Triage priority as catalogued: Low.
/// Source: nasbench EVTX-ETW-Resources.
pub(crate) static EVTX_MICROSOFT_WS_LICENSING_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_ws_licensing_debug",
    name: "Microsoft-WS-Licensing/Debug",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-WS-Licensing\\Debug.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-WS-Licensing/Debug'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Vpn Plugin Platform/Operational`.
///
/// File-backed artifact under `%SystemRoot%\System32\winevt\Logs`; the
/// provider directory name contains spaces, so the path must be quoted if it
/// is ever passed to a shell. Triage priority as catalogued: Low.
pub(crate) static EVTX_MICROSOFT_WINDOWS_VPN_PLUGIN_PLATFORM_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_vpn_plugin_platform_operational",
    name: "Microsoft-Windows-Vpn Plugin Platform/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None, // registry fields unused: file-backed artifact (see file_path)
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Vpn Plugin Platform\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Vpn Plugin Platform/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-Vpn Plugin Platform/OperationalVerbose`.
/// NOTE(review): the `id` (and the static's name) stop at `operationalverbos` — 60 characters —
/// while `name` and `file_path` keep the full `OperationalVerbose`. This looks like a generator
/// length limit rather than intent; any code that derives the id from the channel name will not
/// find this entry, and the id should not be changed here without updating every reference.
pub(crate) static EVTX_MICROSOFT_WINDOWS_VPN_PLUGIN_PLATFORM_OPERATIONALVERBOS: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_vpn_plugin_platform_operationalverbos",
name: "Microsoft-Windows-Vpn Plugin Platform/OperationalVerbose",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Vpn Plugin Platform\\OperationalVerbose.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Vpn Plugin Platform/OperationalVerbose'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AAD/Analytic` (Entra ID / Azure AD client component).
/// Analytic-class channels are disabled by default in Windows, so the `.evtx` below is normally
/// absent unless the channel was enabled; `evidence_caveats` does not record that.
/// NOTE(review): `os_scope` is the table-wide `Win7Plus`, but the AAD component shipped with
/// Windows 10 — confirm whether `OsScope` offers a narrower variant.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AAD_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_aad_analytic",
name: "Microsoft-Windows-AAD/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AAD\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AAD/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AAD/Operational` (Entra ID / Azure AD client component:
/// device registration and token-broker activity).
/// NOTE(review): `TriagePriority::Low` and empty `fields`/`mitre_techniques` likely undervalue this
/// channel for identity investigations on Entra-joined hosts — confirm the intended priority.
/// `os_scope` is the table-wide `Win7Plus` although the component shipped with Windows 10.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AAD_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_aad_operational",
name: "Microsoft-Windows-AAD/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AAD\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AAD/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-ADSI/Debug` (Active Directory Service Interfaces).
/// Debug-class channels are disabled by default in Windows, so the `.evtx` below is normally absent
/// unless the channel was enabled; `evidence_caveats` does not record that.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ADSI_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_adsi_debug",
name: "Microsoft-Windows-ADSI/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ADSI\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ADSI/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-API-Tracing/Operational`.
/// Plain channel descriptor: only the on-disk `.evtx` location and the channel name are recorded;
/// `fields`, `mitre_techniques` and `evidence_caveats` are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_API_TRACING_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_api_tracing_operational",
name: "Microsoft-Windows-API-Tracing/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-API-Tracing\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-API-Tracing/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-ASN1/Operational` — presumably the ASN.1 runtime used by
/// the certificate and crypto stack; the descriptor itself says nothing beyond the channel name.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ASN1_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_asn1_operational",
name: "Microsoft-Windows-ASN1/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ASN1\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ASN1/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-ATAPort/SATA-LPM` (ATA port driver, SATA link power
/// management). Storage-driver telemetry with no investigative mapping in this table.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ATAPORT_SATA_LPM: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_ataport_sata_lpm",
name: "Microsoft-Windows-ATAPort/SATA-LPM",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ATAPort\\SATA-LPM.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ATAPort/SATA-LPM'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-ATAPort/General` (ATA port driver).
/// Storage-driver telemetry; the descriptor records only the channel name and `.evtx` path.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ATAPORT_GENERAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ataport_general",
name: "Microsoft-Windows-ATAPort/General",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ATAPort\\General.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ATAPort/General'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-Storage-ATAPort/Diagnose` (storage-stack ATA port driver).
/// Storage telemetry with no investigative mapping in this table.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_ATAPORT_DIAGNOSE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_storage_ataport_diagnose",
name: "Microsoft-Windows-Storage-ATAPort/Diagnose",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-ATAPort\\Diagnose.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-ATAPort/Diagnose'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-Storage-ATAPort/Analytic`.
/// Analytic-class channels are disabled by default in Windows, so the `.evtx` below is normally
/// absent unless the channel was enabled; `evidence_caveats` does not record that.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_ATAPORT_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_storage_ataport_analytic",
name: "Microsoft-Windows-Storage-ATAPort/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-ATAPort\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-ATAPort/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AccelLib-AccelCx/Operational`.
/// Plain channel descriptor: only the channel name and `.evtx` path are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ACCELLIB_ACCELCX_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_accellib_accelcx_operational",
name: "Microsoft-Windows-AccelLib-AccelCx/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AccelLib-AccelCx\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AccelLib-AccelCx/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-ActionQueue/Analytic`.
/// Analytic-class channels are disabled by default in Windows, so the `.evtx` below is normally
/// absent unless the channel was enabled; `evidence_caveats` does not record that.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ACTIONQUEUE_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_actionqueue_analytic",
name: "Microsoft-Windows-ActionQueue/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ActionQueue\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ActionQueue/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AltTab/Diagnostic` (Alt+Tab task switcher).
/// "Diagnostic" is only the channel name; whether it is a Debug-class channel that Windows leaves
/// disabled by default is not encoded here — confirm before relying on the file being present.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ALTTAB_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_alttab_diagnostic",
name: "Microsoft-Windows-AltTab/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AltTab\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AltTab/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-Anytime-Upgrade-Events/Operational` (Windows Anytime
/// Upgrade, an edition-upgrade feature of the Windows 7 era). No investigative mapping recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ANYTIME_UPGRADE_EVENTS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_anytime_upgrade_events_operational",
name: "Microsoft-Windows-Anytime-Upgrade-Events/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Anytime-Upgrade-Events\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Anytime-Upgrade-Events/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-Anytime-Upgrade/Analytic`.
/// Analytic-class channels are disabled by default in Windows, so the `.evtx` below is normally
/// absent unless the channel was enabled; `evidence_caveats` does not record that.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ANYTIME_UPGRADE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_anytime_upgrade_analytic",
name: "Microsoft-Windows-Anytime-Upgrade/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Anytime-Upgrade\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Anytime-Upgrade/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppHost/Internal` (host process for packaged/web apps —
/// presumably). Only the channel name and `.evtx` path are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPHOST_INTERNAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_apphost_internal",
name: "Microsoft-Windows-AppHost/Internal",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppHost\\Internal.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppHost/Internal'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppHost/Diagnostic`.
/// "Diagnostic" is only the channel name; whether Windows leaves it disabled by default (as it
/// does for Debug/Analytic-class channels) is not encoded here — confirm before relying on the file.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPHOST_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_apphost_diagnostic",
name: "Microsoft-Windows-AppHost/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppHost\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppHost/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `AppTracing`. Unlike most entries in this table the channel has no
/// `Microsoft-Windows-` prefix and its `.evtx` sits directly in the `Logs` directory.
pub(crate) static EVTX_APPTRACING: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_apptracing",
name: "AppTracing",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\AppTracing.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'AppTracing'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppID/Operational` — the Application Identity service
/// (AppIDSvc) that AppLocker depends on. This is the service's own channel, not the AppLocker
/// decision logs, which are the separate `Microsoft-Windows-AppLocker/*` entries in this table.
/// NOTE(review): `related_artifacts` is empty; linking it to the AppLocker channels would help
/// triage, since AppLocker produces nothing while AppIDSvc is stopped.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPID_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_appid_operational",
name: "Microsoft-Windows-AppID/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppID\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppID/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppLocker/EXE and DLL`: AppLocker's decision log for
/// executables and libraries (event 8002 = allowed, 8003 = audit-only "would have been blocked",
/// 8004 = blocked). Triage is `Medium`, above the table's default, because these are policy
/// decisions rather than telemetry.
/// NOTE(review): `fields` and `mitre_techniques` are empty although this channel directly evidences
/// execution-control outcomes; an 8003 entry means audit mode, not an enforced block, which is a
/// caveat `evidence_caveats` does not yet carry. The channel name and path contain spaces.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLOCKER_EXE_AND_DLL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_applocker_exe_and_dll",
name: "Microsoft-Windows-AppLocker/EXE and DLL",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppLocker\\EXE and DLL.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppLocker/EXE and DLL'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppLocker/MSI and Script`: AppLocker's decision log for
/// Windows Installer packages and scripts (event 8005 = allowed, 8006 = audit-only, 8007 = blocked).
/// NOTE(review): as with the EXE and DLL channel, `fields`/`mitre_techniques` are empty and the
/// audit-mode caveat (8006 is not an enforced block) is not recorded in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLOCKER_MSI_AND_SCRIPT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_applocker_msi_and_script",
name: "Microsoft-Windows-AppLocker/MSI and Script",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppLocker\\MSI and Script.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppLocker/MSI and Script'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppLocker/Packaged app-Execution`: AppLocker decisions for
/// launching packaged (AppX/MSIX) apps (event 8020 = allowed, 8021 = audit-only, 8022 = blocked).
/// NOTE(review): packaged-app rules exist only from Windows 8 onward, yet `os_scope` is the
/// table-wide `Win7Plus` — confirm whether `OsScope` offers a narrower variant.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLOCKER_PACKAGED_APP_EXECUTION: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_applocker_packaged_app_execution",
name: "Microsoft-Windows-AppLocker/Packaged app-Execution",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppLocker\\Packaged app-Execution.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppLocker/Packaged app-Execution'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppLocker/Packaged app-Deployment`: AppLocker decisions for
/// installing packaged (AppX/MSIX) apps (event 8023 = allowed, 8024 = audit-only, 8025 = blocked).
/// NOTE(review): same `os_scope` concern as the Packaged app-Execution entry — packaged-app rules
/// are Windows 8+, the descriptor says `Win7Plus`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLOCKER_PACKAGED_APP_DEPLOYMENT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_applocker_packaged_app_deployment",
name: "Microsoft-Windows-AppLocker/Packaged app-Deployment",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppLocker\\Packaged app-Deployment.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppLocker/Packaged app-Deployment'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppLocker/Verbose`. Rated `Medium` alongside the other
/// AppLocker channels, but it is not one of the four decision logs (EXE and DLL, MSI and Script,
/// Packaged app-Execution/-Deployment); presumably a diagnostic channel that is off by default —
/// confirm before treating an absent file as meaningful.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLOCKER_VERBOSE: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_applocker_verbose",
name: "Microsoft-Windows-AppLocker/Verbose",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppLocker\\Verbose.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppLocker/Verbose'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-Privacy-Auditing/Operational` — presumably the Windows 10+
/// record of app access to privacy-controlled capabilities (camera, microphone, location).
/// NOTE(review): if that reading is right, `os_scope: Win7Plus` is too broad and `Low` triage may
/// undervalue it for insider/spyware cases — confirm both.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PRIVACY_AUDITING_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_privacy_auditing_operational",
name: "Microsoft-Windows-Privacy-Auditing/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Privacy-Auditing\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Privacy-Auditing/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppModel-Runtime/Analytic` (packaged-app runtime).
/// Analytic-class channels are disabled by default in Windows, so the `.evtx` below is normally
/// absent unless the channel was enabled; `evidence_caveats` does not record that.
/// NOTE(review): the AppModel runtime is Windows 8+, yet `os_scope` is `Win7Plus` — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPMODEL_RUNTIME_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_appmodel_runtime_analytic",
name: "Microsoft-Windows-AppModel-Runtime/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppModel-Runtime\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppModel-Runtime/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppModel-Runtime/Admin` (packaged-app runtime; Admin-class
/// channels are enabled by default, unlike the sibling Analytic/Debug entries).
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPMODEL_RUNTIME_ADMIN: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_appmodel_runtime_admin",
name: "Microsoft-Windows-AppModel-Runtime/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppModel-Runtime\\Admin.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppModel-Runtime/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppModel-Runtime/Debug`.
/// Debug-class channels are disabled by default in Windows, so the `.evtx` below is normally absent
/// unless the channel was enabled; `evidence_caveats` does not record that.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPMODEL_RUNTIME_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_appmodel_runtime_debug",
name: "Microsoft-Windows-AppModel-Runtime/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppModel-Runtime\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppModel-Runtime/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppModel-Runtime/Diagnostics`.
/// "Diagnostics" is only the channel name; whether Windows leaves it disabled by default is not
/// encoded here — confirm before treating an absent file as meaningful.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPMODEL_RUNTIME_DIAGNOSTICS: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_appmodel_runtime_diagnostics",
name: "Microsoft-Windows-AppModel-Runtime/Diagnostics",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppModel-Runtime\\Diagnostics.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppModel-Runtime/Diagnostics'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppModel-State/Debug` (packaged-app state store).
/// Debug-class channels are disabled by default in Windows, so the `.evtx` below is normally absent
/// unless the channel was enabled; `evidence_caveats` does not record that.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPMODEL_STATE_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_appmodel_state_debug",
name: "Microsoft-Windows-AppModel-State/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppModel-State\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppModel-State/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppModel-State/Diagnostic`.
/// "Diagnostic" is only the channel name; whether Windows leaves it disabled by default is not
/// encoded here — confirm before treating an absent file as meaningful.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPMODEL_STATE_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_appmodel_state_diagnostic",
name: "Microsoft-Windows-AppModel-State/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppModel-State\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppModel-State/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppSruProv` — presumably the application provider for SRUM
/// (System Resource Usage Monitor). The channel has no `/Operational` suffix, so its `.evtx` sits
/// directly in the `Logs` directory.
/// NOTE(review): if this is SRUM-related, `related_artifacts` could point at the SRUM database
/// descriptor, if the table has one.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPSRUPROV: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_appsruprov",
name: "Microsoft-Windows-AppSruProv",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppSruProv.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppSruProv'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `AppxDeploymentUndockedDeh/Operational` (AppX deployment, "undocked" servicing
/// component — presumably a recent Windows build; `os_scope: Win7Plus` is almost certainly too
/// broad here, confirm). Note the channel has no `Microsoft-Windows-` prefix.
pub(crate) static EVTX_APPXDEPLOYMENTUNDOCKEDDEH_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_appxdeploymentundockeddeh_operational",
name: "AppxDeploymentUndockedDeh/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\AppxDeploymentUndockedDeh\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'AppxDeploymentUndockedDeh/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppXDeploymentServer/Operational`: records packaged-app
/// (AppX/MSIX) install, update and removal operations, which makes it the place to trace a
/// sideloaded or unexpectedly installed package.
/// NOTE(review): `Low` triage and empty `fields` undersell that use; and the AppX stack is Windows
/// 8+, so `os_scope: Win7Plus` is broader than the channel's real availability — confirm both.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENTSERVER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_appxdeploymentserver_operational",
name: "Microsoft-Windows-AppXDeploymentServer/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppXDeploymentServer\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppXDeploymentServer/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppXDeploymentServer/Debug`.
/// Debug-class channels are disabled by default in Windows, so the `.evtx` below is normally absent
/// unless the channel was enabled; `evidence_caveats` does not record that.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENTSERVER_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_appxdeploymentserver_debug",
name: "Microsoft-Windows-AppXDeploymentServer/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppXDeploymentServer\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppXDeploymentServer/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppXDeploymentServer/Restricted`.
/// "Restricted" is the channel name, not an access-control statement by this descriptor; what the
/// channel carries and whether it is enabled by default is not encoded here — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENTSERVER_RESTRICTED: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_appxdeploymentserver_restricted",
name: "Microsoft-Windows-AppXDeploymentServer/Restricted",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppXDeploymentServer\\Restricted.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppXDeploymentServer/Restricted'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppXDeploymentServer/Diagnostic`.
/// "Diagnostic" is only the channel name; whether Windows leaves it disabled by default is not
/// encoded here — confirm before treating an absent file as meaningful.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENTSERVER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_appxdeploymentserver_diagnostic",
name: "Microsoft-Windows-AppXDeploymentServer/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppXDeploymentServer\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppXDeploymentServer/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event log channel `Microsoft-Windows-AppXDeployment/Operational` (client side of packaged-app
/// deployment; the server-side log is the separate `AppXDeploymentServer/Operational` entry).
/// NOTE(review): `related_artifacts` is empty although the two channels are read together when
/// tracing a package install; the AppX stack is Windows 8+, so `os_scope: Win7Plus` is broad.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENT_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_appxdeployment_operational",
name: "Microsoft-Windows-AppXDeployment/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppXDeployment\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppXDeployment/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-AppXDeployment/Diagnostic`, stored as
/// `Microsoft-Windows-AppXDeployment\Diagnostic.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): Diagnostic channels are normally disabled unless an admin enables
/// them, so the file may be absent on a collected host — verify before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPXDEPLOYMENT_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_appxdeployment_diagnostic",
name: "Microsoft-Windows-AppXDeployment/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppXDeployment\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppXDeployment/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ApplicabilityEngine/Analytic`, stored as
/// `Microsoft-Windows-ApplicabilityEngine\Analytic.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): Analytic channels are off by default; expect this file to be
/// missing or empty on most hosts — confirm before treating absence as tampering.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLICABILITYENGINE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_applicabilityengine_analytic",
name: "Microsoft-Windows-ApplicabilityEngine/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ApplicabilityEngine\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ApplicabilityEngine/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ApplicabilityEngine/Operational`, stored as
/// `Microsoft-Windows-ApplicabilityEngine\Operational.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLICABILITYENGINE_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_applicabilityengine_operational",
name: "Microsoft-Windows-ApplicabilityEngine/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ApplicabilityEngine\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ApplicabilityEngine/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel
/// `Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic`,
/// stored as `Microsoft-Windows-Application-Experience\Program-Compatibility-Assistant\Analytic.evtx`
/// under `winevt\Logs`. Triage priority Medium; no MITRE technique, field or retention
/// metadata is recorded.
/// NOTE(review): the static name and `id` are cut short ("PROGRAM_COMPAT" for
/// Program-Compatibility-Assistant); confirm nothing downstream expects the id to
/// spell out the full channel.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_PROGRAM_COMPAT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_application_experience_program_compat",
name: "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Application-Experience\\Program-Compatibility-Assistant\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Application-Experience/Program-Telemetry`,
/// stored as `Microsoft-Windows-Application-Experience\Program-Telemetry.evtx` under
/// `winevt\Logs`. Triage priority Medium; no MITRE technique, field or retention
/// metadata is recorded.
/// NOTE(review): the `id` ends in "_teleme" — it looks length-truncated rather than
/// deliberate; confirm the identifier scheme tolerates this.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_PROGRAM_TELEME: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_application_experience_program_teleme",
name: "Microsoft-Windows-Application-Experience/Program-Telemetry",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Application-Experience\\Program-Telemetry.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Application-Experience/Program-Telemetry'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Application-Experience/Steps-Recorder`,
/// stored as `Microsoft-Windows-Application-Experience\Steps-Recorder.evtx` under
/// `winevt\Logs`. Triage priority Medium; no MITRE technique, field or retention
/// metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_STEPS_RECORDER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_application_experience_steps_recorder",
name: "Microsoft-Windows-Application-Experience/Steps-Recorder",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Application-Experience\\Steps-Recorder.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Application-Experience/Steps-Recorder'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Application-Experience/Problem-Steps-Recorder`,
/// stored as `Microsoft-Windows-Application-Experience\Problem-Steps-Recorder.evtx`
/// under `winevt\Logs`. Triage priority Medium; no MITRE technique, field or retention
/// metadata is recorded.
/// NOTE(review): the `id` drops the trailing "-Recorder"; confirm that is acceptable
/// for whatever keys on these ids.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_PROBLEM_STEPS: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_application_experience_problem_steps",
name: "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Application-Experience\\Problem-Steps-Recorder.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Application-Experience/Problem-Steps-Recorder'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Application-Experience/Program-Inventory`,
/// stored as `Microsoft-Windows-Application-Experience\Program-Inventory.evtx` under
/// `winevt\Logs`. Triage priority Medium; no MITRE technique, field or retention
/// metadata is recorded.
/// NOTE(review): the `id` ends in "_invent" — apparently length-truncated; confirm the
/// identifier scheme tolerates this.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_PROGRAM_INVENT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_application_experience_program_invent",
name: "Microsoft-Windows-Application-Experience/Program-Inventory",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Application-Experience\\Program-Inventory.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Application-Experience/Program-Inventory'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel
/// `Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug`,
/// stored as `Microsoft-Windows-Application-Experience\Compatibility-Infrastructure-Debug.evtx`
/// under `winevt\Logs`. Triage priority Medium; no MITRE technique, field or retention
/// metadata is recorded.
/// NOTE(review): Debug channels are disabled by default, so Medium may overstate how
/// often this file carries data — confirm the rating.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLICATION_EXPERIENCE_COMPATIBILITY: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_application_experience_compatibility",
name: "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Application-Experience\\Compatibility-Infrastructure-Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Kernel-ApphelpCache/Analytic`, stored as
/// `Microsoft-Windows-Kernel-ApphelpCache\Analytic.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): Analytic channels are off by default — expect the file to be absent
/// on most hosts.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_APPHELPCACHE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_apphelpcache_analytic",
name: "Microsoft-Windows-Kernel-ApphelpCache/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-ApphelpCache\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-ApphelpCache/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Kernel-ApphelpCache/Operational`, stored as
/// `Microsoft-Windows-Kernel-ApphelpCache\Operational.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_APPHELPCACHE_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_apphelpcache_operational",
name: "Microsoft-Windows-Kernel-ApphelpCache/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-ApphelpCache\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-ApphelpCache/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Kernel-ApphelpCache/Debug`, stored as
/// `Microsoft-Windows-Kernel-ApphelpCache\Debug.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): Debug channels are disabled by default — the file is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_APPHELPCACHE_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_apphelpcache_debug",
name: "Microsoft-Windows-Kernel-ApphelpCache/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-ApphelpCache\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-ApphelpCache/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic`,
/// stored as `Microsoft-Windows-ApplicationResourceManagementSystem\Diagnostic.evtx`
/// under `winevt\Logs`. Triage priority High; no MITRE technique, field or retention
/// metadata is recorded.
/// NOTE(review): High is out of line with the Low rating given to the neighbouring
/// AppX/Diagnostic channels, and Diagnostic channels are off by default — confirm
/// the rating is intentional. The `id` is also cut to a bare "_d" suffix; confirm
/// the identifier scheme tolerates that.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLICATIONRESOURCEMANAGEMENTSYSTEM_D: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_applicationresourcemanagementsystem_d",
name: "Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ApplicationResourceManagementSystem/Operational`,
/// stored as `Microsoft-Windows-ApplicationResourceManagementSystem\Operational.evtx`
/// under `winevt\Logs`. Triage priority High; no MITRE technique, field or retention
/// metadata is recorded.
/// NOTE(review): High is the only such rating among the surrounding AppX-family
/// channels; confirm it is intentional rather than inherited from a template. The
/// `id` is cut to a bare "_o" suffix (Operational) — confirm that is tolerated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPLICATIONRESOURCEMANAGEMENTSYSTEM_O: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_applicationresourcemanagementsystem_o",
name: "Microsoft-Windows-ApplicationResourceManagementSystem/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ApplicationResourceManagementSystem/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-AppxPackaging/Operational`, stored as
/// `Microsoft-Windows-AppxPackaging\Operational.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): AppX packaging is Windows 8+; `Win7Plus` is likely too broad —
/// confirm the `OsScope` variant.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPXPACKAGING_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_appxpackaging_operational",
name: "Microsoft-Windows-AppxPackaging/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppxPackaging\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppxPackaging/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-AppxPackaging/Performance`, stored as
/// `Microsoft-Windows-AppxPackaging\Performance.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_APPXPACKAGING_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_appxpackaging_performance",
name: "Microsoft-Windows-AppxPackaging/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AppxPackaging\\Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AppxPackaging/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-AssignedAccess/Admin`, stored as
/// `Microsoft-Windows-AssignedAccess\Admin.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): Assigned Access (kiosk mode) configuration changes are a
/// lockdown-policy signal; Low may undervalue the Admin channel — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ASSIGNEDACCESS_ADMIN: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_assignedaccess_admin",
name: "Microsoft-Windows-AssignedAccess/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AssignedAccess\\Admin.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AssignedAccess/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-AssignedAccess/Operational`, stored as
/// `Microsoft-Windows-AssignedAccess\Operational.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ASSIGNEDACCESS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_assignedaccess_operational",
name: "Microsoft-Windows-AssignedAccess/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AssignedAccess\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AssignedAccess/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-AssignedAccessBroker/Admin`, stored as
/// `Microsoft-Windows-AssignedAccessBroker\Admin.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ASSIGNEDACCESSBROKER_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_assignedaccessbroker_admin",
name: "Microsoft-Windows-AssignedAccessBroker/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AssignedAccessBroker\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AssignedAccessBroker/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-AsynchronousCausality/Causality`, stored as
/// `Microsoft-Windows-AsynchronousCausality\Causality.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ASYNCHRONOUSCAUSALITY_CAUSALITY: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_asynchronouscausality_causality",
name: "Microsoft-Windows-AsynchronousCausality/Causality",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AsynchronousCausality\\Causality.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AsynchronousCausality/Causality'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Audio/Operational`, stored as
/// `Microsoft-Windows-Audio\Operational.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AUDIO_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_audio_operational",
name: "Microsoft-Windows-Audio/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Audio\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Audio/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Audio/CaptureMonitor`, stored as
/// `Microsoft-Windows-Audio\CaptureMonitor.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): a channel that tracks audio capture may be evidence of microphone use
/// on a host; consider whether Low is the right rating for privacy-related triage.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AUDIO_CAPTUREMONITOR: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_audio_capturemonitor",
name: "Microsoft-Windows-Audio/CaptureMonitor",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Audio\\CaptureMonitor.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Audio/CaptureMonitor'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Performance`, stored as `Performance.evtx` directly under
/// `winevt\Logs` (no provider subdirectory).
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): this entry sits between the Audio channels rather than with the other
/// top-level channels; harmless, but worth regrouping if the table is ever re-sorted.
pub(crate) static EVTX_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_performance",
name: "Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Audio/PlaybackManager`, stored as
/// `Microsoft-Windows-Audio\PlaybackManager.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AUDIO_PLAYBACKMANAGER: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_audio_playbackmanager",
name: "Microsoft-Windows-Audio/PlaybackManager",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Audio\\PlaybackManager.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Audio/PlaybackManager'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Audio/GlitchDetection`, stored as
/// `Microsoft-Windows-Audio\GlitchDetection.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AUDIO_GLITCHDETECTION: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_audio_glitchdetection",
name: "Microsoft-Windows-Audio/GlitchDetection",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Audio\\GlitchDetection.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Audio/GlitchDetection'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Audio/Informational`, stored as
/// `Microsoft-Windows-Audio\Informational.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AUDIO_INFORMATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_audio_informational",
name: "Microsoft-Windows-Audio/Informational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Audio\\Informational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Audio/Informational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Audit/Analytic`, stored as
/// `Microsoft-Windows-Audit\Analytic.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): despite the "Audit" name this is an Analytic channel, off by default
/// and distinct from the Security log — do not treat it as a substitute for
/// Security.evtx audit events.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AUDIT_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_audit_analytic",
name: "Microsoft-Windows-Audit/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Audit\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Audit/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Authentication/ProtectedUser-Client`, stored
/// as `Microsoft-Windows-Authentication\ProtectedUser-Client.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): this channel reports client-side behaviour for members of the
/// Protected Users security group (credential-hardening), which is usually of
/// interest in identity investigations — confirm whether Low is intended.
/// NOTE(review): the next descriptor registers the same channel spelled
/// "Protected User-Client" (with a space); only one spelling matches the channel
/// that Windows actually creates — confirm against the upstream source and drop or
/// annotate the other so the two ids are not both scheduled for collection.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_PROTECTEDUSER_CLIENT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_authentication_protecteduser_client",
name: "Microsoft-Windows-Authentication/ProtectedUser-Client",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Authentication\\ProtectedUser-Client.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Authentication/ProtectedUser-Client'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Authentication/Protected User-Client` (note the
/// space), stored as `Microsoft-Windows-Authentication\Protected User-Client.evtx`
/// under `winevt\Logs`. Triage priority Low; no MITRE technique, field or retention
/// metadata is recorded.
/// NOTE(review): this differs from the preceding "ProtectedUser-Client" descriptor
/// only by the space in the channel name and file path. Windows creates one of these
/// spellings, not both; confirm which against the upstream source so the table does
/// not carry a descriptor whose file can never exist.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_PROTECTED_USER_CLIENT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_authentication_protected_user_client",
name: "Microsoft-Windows-Authentication/Protected User-Client",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Authentication\\Protected User-Client.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Authentication/Protected User-Client'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-AxInstallService/Log`, stored as
/// `Microsoft-Windows-AxInstallService\Log.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): the ActiveX Installer Service installs browser controls from
/// admin-approved sites; entries here can corroborate legacy-IE plugin installs —
/// confirm whether Low is intended for browser-driven code installation.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AXINSTALLSERVICE_LOG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_axinstallservice_log",
name: "Microsoft-Windows-AxInstallService/Log",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-AxInstallService\\Log.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-AxInstallService/Log'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-BTH-BTHPORT/HCI`, stored as
/// `Microsoft-Windows-BTH-BTHPORT\HCI.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BTH_BTHPORT_HCI: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_bth_bthport_hci",
name: "Microsoft-Windows-BTH-BTHPORT/HCI",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BTH-BTHPORT\\HCI.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BTH-BTHPORT/HCI'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-BTH-BTHPORT/L2CAP`, stored as
/// `Microsoft-Windows-BTH-BTHPORT\L2CAP.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BTH_BTHPORT_L2CAP: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_bth_bthport_l2cap",
name: "Microsoft-Windows-BTH-BTHPORT/L2CAP",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BTH-BTHPORT\\L2CAP.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BTH-BTHPORT/L2CAP'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-BTH-BTHUSB/Operational`, stored as
/// `Microsoft-Windows-BTH-BTHUSB\Operational.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BTH_BTHUSB_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_bth_bthusb_operational",
name: "Microsoft-Windows-BTH-BTHUSB/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BTH-BTHUSB\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BTH-BTHUSB/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-BTH-BTHUSB/Diagnostic`, stored as
/// `Microsoft-Windows-BTH-BTHUSB\Diagnostic.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): Diagnostic channels are off by default; the file is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BTH_BTHUSB_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_bth_bthusb_diagnostic",
name: "Microsoft-Windows-BTH-BTHUSB/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BTH-BTHUSB\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BTH-BTHUSB/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-BTH-BTHUSB/Performance`, stored as
/// `Microsoft-Windows-BTH-BTHUSB\Performance.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BTH_BTHUSB_PERFORMANCE: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_bth_bthusb_performance",
name: "Microsoft-Windows-BTH-BTHUSB/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BTH-BTHUSB\\Performance.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BTH-BTHUSB/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational`,
/// stored as `Microsoft-Windows-BackgroundTransfer-ContentPrefetcher\Operational.evtx`
/// under `winevt\Logs`. Triage priority Low; no MITRE technique, field or retention
/// metadata is recorded.
/// NOTE(review): the static name and `id` omit the "/Operational" suffix; fine while
/// this is the only channel under the provider, but it will collide if another is added.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BACKGROUNDTRANSFER_CONTENTPREFETCHER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_backgroundtransfer_contentprefetcher",
name: "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BackgroundTransfer-ContentPrefetcher\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Backup/Operational`, stored as
/// `Microsoft-Windows-Backup\Operational.evtx` under `winevt\Logs`.
/// Triage priority Low; no MITRE technique, field or retention metadata is recorded.
/// NOTE(review): backup job failures and deletions are a common precursor signal in
/// ransomware cases; consider whether Low is the intended rating for this channel.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BACKUP_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_backup_operational",
name: "Microsoft-Windows-Backup/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Backup\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Backup/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `BFE IPsec Connections Operational Log` channel (Base Filtering Engine, IPsec).
/// The channel name contains spaces, and so does the on-disk `.evtx` file name — keep them in sync.
pub(crate) static EVTX_BFE_IPSEC_CONNECTIONS_OPERATIONAL_LOG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_bfe_ipsec_connections_operational_log",
name: "BFE IPsec Connections Operational Log",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\BFE IPsec Connections Operational Log.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'BFE IPsec Connections Operational Log'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `BFE IPsec Connections' Resource Flows Operational Log` channel.
/// The apostrophe is part of the real channel/file name (it also appears in `file_path`);
/// the `id` drops it, so do not derive one from the other.
pub(crate) static EVTX_BFE_IPSEC_CONNECTIONS_RESOURCE_FLOWS_OPERATIONAL_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_bfe_ipsec_connections_resource_flows_operational_log",
name: "BFE IPsec Connections' Resource Flows Operational Log",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\BFE IPsec Connections' Resource Flows Operational Log.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'BFE IPsec Connections' Resource Flows Operational Log'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational` channel.
/// NOTE(review): static name and `id` omit the `/Operational` suffix present in `name` — consistent
/// with a generator length cap seen on other entries; treat `id` as a stable key before renaming.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BASE_FILTERING_ENGINE_RESOURCE_FLOWS: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_base_filtering_engine_resource_flows",
name: "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Base-Filtering-Engine-Resource-Flows\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Battery/Diagnostic` channel.
/// NOTE(review): Diagnostic channels are typically disabled by default, so the file is often
/// absent on an unmodified host; consider noting that in `evidence_caveats` (currently empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_BATTERY_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_battery_diagnostic",
name: "Microsoft-Windows-Battery/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Battery\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Battery/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Biometrics/Operational` channel (Windows Biometric Framework).
/// NOTE(review): biometric enrolment/authentication events can corroborate interactive logons;
/// Low priority and the empty MITRE mapping may be worth revisiting for credential-access timelines.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BIOMETRICS_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_biometrics_operational",
name: "Microsoft-Windows-Biometrics/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Biometrics\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Biometrics/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Biometrics/Analytic` channel.
/// Analytic channels are disabled by default in Windows, so this file usually exists only where an
/// administrator enabled it — worth recording in `evidence_caveats` (currently empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_BIOMETRICS_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_biometrics_analytic",
name: "Microsoft-Windows-Biometrics/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Biometrics\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Biometrics/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the bare `Management` channel (`Management.evtx`).
/// NOTE(review): the channel name alone does not identify the owning component; the `meaning`
/// string is generic for the same reason — verify against the upstream source before relying on it.
pub(crate) static EVTX_MANAGEMENT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_management",
name: "Management",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Management.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Management'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-BitLocker/Tracing` channel.
/// NOTE(review): likely a debug-type channel that is off by default, so presence on disk is not
/// guaranteed; `evidence_caveats` is empty and could say so.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BITLOCKER_TRACING: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_bitlocker_tracing",
name: "Microsoft-Windows-BitLocker/Tracing",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BitLocker\\Tracing.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BitLocker/Tracing'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-BitLocker-DrivePreparationTool/Admin` channel
/// (BitLocker drive-preparation tooling). Metadata-only entry: no MITRE mapping or fields yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BITLOCKER_DRIVEPREPARATIONTOOL_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_bitlocker_drivepreparationtool_admin",
name: "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BitLocker-DrivePreparationTool\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BitLocker-DrivePreparationTool/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-BitLocker-DrivePreparationTool/Operational` channel.
/// NOTE(review): the static name and `id` end in `_operat` — a mid-word cut that looks like a
/// generator length cap rather than intent. If `id` is a stable key, fix it in the generator
/// and migrate references together rather than editing here.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BITLOCKER_DRIVEPREPARATIONTOOL_OPERAT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_bitlocker_drivepreparationtool_operat",
name: "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BitLocker-DrivePreparationTool\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BitLocker-DrivePreparationTool/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-BitLocker-Driver-Performance/Operational` channel.
/// NOTE(review): `id`/static name are cut mid-word (`_operatio`), same generator length cap as
/// the neighbouring DrivePreparationTool entry; treat `id` as a stable key before changing it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BITLOCKER_DRIVER_PERFORMANCE_OPERATIO: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_bitlocker_driver_performance_operatio",
name: "Microsoft-Windows-BitLocker-Driver-Performance/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BitLocker-Driver-Performance\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BitLocker-Driver-Performance/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Bits-Client/Analytic` channel.
/// Rated `High` because BITS transfers are a known persistence/download vector (ATT&CK T1197,
/// BITS Jobs), yet `mitre_techniques` is still empty — worth populating once the element type
/// of that slice is confirmed. Analytic channels are off by default, so the file is often absent;
/// `evidence_caveats` could say so.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BITS_CLIENT_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_bits_client_analytic",
name: "Microsoft-Windows-Bits-Client/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Bits-Client\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Bits-Client/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Bits-Client/Operational` channel — the default-enabled
/// BITS job log and the usual first stop for ATT&CK T1197 (BITS Jobs) triage, hence `High`.
/// NOTE(review): `mitre_techniques` is empty despite the High rating; populate it once the
/// slice's element type is confirmed so the priority is explainable from the record itself.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BITS_CLIENT_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_bits_client_operational",
name: "Microsoft-Windows-Bits-Client/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Bits-Client\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Bits-Client/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Bits-CompactServer/Operational` channel (BITS compact
/// server / peer-serving side). Rated Low, unlike the Bits-Client channels above which are High.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BITS_COMPACTSERVER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_bits_compactserver_operational",
name: "Microsoft-Windows-Bits-CompactServer/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Bits-CompactServer\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Bits-CompactServer/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Bits-CompactServer/Analytic` channel.
/// Analytic channels are disabled by default; the file is usually absent unless enabled —
/// `evidence_caveats` (empty) is the place to record that.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BITS_COMPACTSERVER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_bits_compactserver_analytic",
name: "Microsoft-Windows-Bits-CompactServer/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Bits-CompactServer\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Bits-CompactServer/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational` channel
/// (Bluetooth LE pre-pairing). Low priority; no MITRE mapping, fields or caveats recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BLUETOOTH_BTHLEPREPAIRING_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_bluetooth_bthleprepairing_operational",
name: "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Bluetooth-BthLEPrepairing\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Bluetooth-BthMini/Operational` channel (Bluetooth
/// miniport driver). Low priority; metadata-only entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BLUETOOTH_BTHMINI_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_bluetooth_bthmini_operational",
name: "Microsoft-Windows-Bluetooth-BthMini/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Bluetooth-BthMini\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Bluetooth-BthMini/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Bluetooth-HidBthLE/Operational` channel (Bluetooth LE
/// HID devices, e.g. keyboards/mice). Low priority; metadata-only entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BLUETOOTH_HIDBTHLE_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_bluetooth_hidbthle_operational",
name: "Microsoft-Windows-Bluetooth-HidBthLE/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Bluetooth-HidBthLE\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Bluetooth-HidBthLE/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Bluetooth-Policy/Operational` channel.
/// NOTE(review): policy-enforcement events (e.g. blocked pairings/devices) can evidence removable
/// device controls in effect — a candidate for `related_artifacts` once device-policy entries exist.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BLUETOOTH_POLICY_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_bluetooth_policy_operational",
name: "Microsoft-Windows-Bluetooth-Policy/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Bluetooth-Policy\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Bluetooth-Policy/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-BranchCache/Operational` channel (BranchCache WAN
/// content caching). Low priority; metadata-only entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BRANCHCACHE_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_branchcache_operational",
name: "Microsoft-Windows-BranchCache/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BranchCache\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BranchCache/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-BranchCacheClientEventProvider/DiagnosticChannel` channel.
/// NOTE(review): `id`/static name are cut mid-word (`_diagno`) by the generator's length cap;
/// treat `id` as a stable key and fix the cap upstream rather than hand-editing here.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BRANCHCACHECLIENTEVENTPROVIDER_DIAGNO: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_branchcacheclienteventprovider_diagno",
name: "Microsoft-Windows-BranchCacheClientEventProvider/DiagnosticChannel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BranchCacheClientEventProvider\\DiagnosticChannel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BranchCacheClientEventProvider/DiagnosticChannel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-BranchCacheEventProvider/DiagnosticChannel` channel.
/// NOTE(review): `id`/static name are cut mid-word (`_diagnosticch`) — same generator length cap
/// as the sibling BranchCacheClientEventProvider entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BRANCHCACHEEVENTPROVIDER_DIAGNOSTICCH: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_branchcacheeventprovider_diagnosticch",
name: "Microsoft-Windows-BranchCacheEventProvider/DiagnosticChannel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BranchCacheEventProvider\\DiagnosticChannel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BranchCacheEventProvider/DiagnosticChannel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-BranchCacheMonitoring/Analytic` channel.
/// Analytic channels are off by default, so the file is typically absent unless enabled;
/// `evidence_caveats` (empty) could record that.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BRANCHCACHEMONITORING_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_branchcachemonitoring_analytic",
name: "Microsoft-Windows-BranchCacheMonitoring/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BranchCacheMonitoring\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BranchCacheMonitoring/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-BranchCacheSMB/Operational` channel (BranchCache over
/// SMB). Low priority; metadata-only entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BRANCHCACHESMB_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_branchcachesmb_operational",
name: "Microsoft-Windows-BranchCacheSMB/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BranchCacheSMB\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BranchCacheSMB/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-BranchCacheSMB/Analytic` channel.
/// Analytic channels are disabled by default; the file is often absent unless enabled — a
/// candidate for `evidence_caveats` (currently empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_BRANCHCACHESMB_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_branchcachesmb_analytic",
name: "Microsoft-Windows-BranchCacheSMB/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BranchCacheSMB\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BranchCacheSMB/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic` channel.
/// NOTE(review): `id`/static name are cut mid-word (`_diagnost`) by the generator length cap;
/// Diagnostic channels are typically off by default, so the file may be absent — note it in
/// `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BACKGROUNDTASKINFRASTRUCTURE_DIAGNOST: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_backgroundtaskinfrastructure_diagnost",
name: "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-BackgroundTaskInfrastructure/Operational` channel
/// (UWP/background task scheduling). NOTE(review): `id`/static name are cut mid-word
/// (`_operatio`) by the generator length cap; treat `id` as a stable key before changing it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_BACKGROUNDTASKINFRASTRUCTURE_OPERATIO: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_backgroundtaskinfrastructure_operatio",
name: "Microsoft-Windows-BackgroundTaskInfrastructure/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-BackgroundTaskInfrastructure/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Regsvr32/Operational` channel.
/// NOTE(review): regsvr32.exe is a signed binary routinely abused for proxy execution
/// (ATT&CK T1218.010), so `Low` and the empty `mitre_techniques` look under-rated; whether the
/// channel is populated by default is not established here — confirm before raising priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REGSVR32_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_regsvr32_operational",
name: "Microsoft-Windows-Regsvr32/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Regsvr32\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Regsvr32/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-CAPI2/Operational` channel (CryptoAPI 2: certificate
/// chain building, revocation checks and Authenticode verification).
/// NOTE(review): this channel is disabled by default and has a small default log size, so it is
/// usually empty or absent unless an admin enabled it — record that in `evidence_caveats`. When
/// enabled it is high-value for code-signing and TLS trust investigations; `Low` may be
/// conservative.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CAPI2_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_capi2_operational",
name: "Microsoft-Windows-CAPI2/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CAPI2\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-CAPI2/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-CAPI2/Catalog Database Debug` channel (security catalog
/// database tracing). Debug channels are disabled by default, so the file is usually absent;
/// the channel and file name contain spaces.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CAPI2_CATALOG_DATABASE_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_capi2_catalog_database_debug",
name: "Microsoft-Windows-CAPI2/Catalog Database Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CAPI2\\Catalog Database Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-CAPI2/Catalog Database Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-CDROM/Operational` channel (optical drive class driver).
/// Low priority; metadata-only entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CDROM_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_cdrom_operational",
name: "Microsoft-Windows-CDROM/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CDROM\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-CDROM/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Runtime/CreateInstance` channel (WinRT activation).
/// NOTE(review): likely a debug/analytic-type channel that is off by default — presence on disk
/// is not guaranteed; `evidence_caveats` is empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RUNTIME_CREATEINSTANCE: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_runtime_createinstance",
name: "Microsoft-Windows-Runtime/CreateInstance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Runtime\\CreateInstance.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Runtime/CreateInstance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-COM/CreateInstance` channel (COM object activation).
/// NOTE(review): COM activation records could support COM-hijack/persistence investigations, but
/// this is presumably a debug-type channel that is off by default — worth a caveat before anyone
/// expects it on a stock host.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COM_CREATEINSTANCE: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_com_createinstance",
name: "Microsoft-Windows-COM/CreateInstance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-COM\\CreateInstance.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-COM/CreateInstance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-COM/ExtensionCatalog` channel.
/// Low priority; metadata-only entry (no MITRE mapping, fields, caveats or volatility rationale).
pub(crate) static EVTX_MICROSOFT_WINDOWS_COM_EXTENSIONCATALOG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_com_extensioncatalog",
name: "Microsoft-Windows-COM/ExtensionCatalog",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-COM\\ExtensionCatalog.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-COM/ExtensionCatalog'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-COM/Call` channel (COM call tracing).
/// NOTE(review): presumably a debug-type channel that is off by default; presence on disk is
/// not guaranteed and `evidence_caveats` is empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COM_CALL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_com_call",
name: "Microsoft-Windows-COM/Call",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-COM\\Call.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-COM/Call'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-COM/FreeUnusedLibrary` channel (COM library unload
/// tracing). Low priority; metadata-only entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COM_FREEUNUSEDLIBRARY: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_com_freeunusedlibrary",
name: "Microsoft-Windows-COM/FreeUnusedLibrary",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-COM\\FreeUnusedLibrary.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-COM/FreeUnusedLibrary'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-OLE/Clipboard` channel (OLE clipboard operations).
/// NOTE(review): clipboard activity relates to ATT&CK T1115 (Clipboard Data); `mitre_techniques`
/// is empty and `Low` may be conservative, but whether this channel is on by default and what it
/// records is not established here — confirm before re-rating.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OLE_CLIPBOARD: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ole_clipboard",
name: "Microsoft-Windows-OLE/Clipboard",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OLE\\Clipboard.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OLE/Clipboard'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-COM/ApartmentUninitialize` channel (COM apartment
/// teardown tracing). Low priority; metadata-only entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COM_APARTMENTUNINITIALIZE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_com_apartmentuninitialize",
name: "Microsoft-Windows-COM/ApartmentUninitialize",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-COM\\ApartmentUninitialize.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-COM/ApartmentUninitialize'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-COM/ApartmentInitialize` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COM_APARTMENTINITIALIZE: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_com_apartmentinitialize",
    name: "Microsoft-Windows-COM/ApartmentInitialize",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-COM\\ApartmentInitialize.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-COM/ApartmentInitialize'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-COM/RundownInstrumentation` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COM_RUNDOWNINSTRUMENTATION: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_com_rundowninstrumentation",
    name: "Microsoft-Windows-COM/RundownInstrumentation",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-COM\\RundownInstrumentation.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-COM/RundownInstrumentation'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-COM/Analytic` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
// NOTE(review): Analytic channels are typically not enabled by default, so the
// .evtx file may be absent or empty on a target — confirm before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COM_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_com_analytic",
    name: "Microsoft-Windows-COM/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-COM\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-COM/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-COMRuntime/Tracing` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COMRUNTIME_TRACING: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_comruntime_tracing",
    name: "Microsoft-Windows-COMRuntime/Tracing",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-COMRuntime\\Tracing.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-COMRuntime/Tracing'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-COMRuntime/MessageProcessing` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COMRUNTIME_MESSAGEPROCESSING: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_comruntime_messageprocessing",
    name: "Microsoft-Windows-COMRuntime/MessageProcessing",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-COMRuntime\\MessageProcessing.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-COMRuntime/MessageProcessing'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-COMRuntime/Activations` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COMRUNTIME_ACTIVATIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_comruntime_activations",
    name: "Microsoft-Windows-COMRuntime/Activations",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-COMRuntime\\Activations.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-COMRuntime/Activations'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-Calculator/Diagnostic` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CALCULATOR_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_calculator_diagnostic",
    name: "Microsoft-Windows-Calculator/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Calculator\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Calculator/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-Calculator/Debug` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
// NOTE(review): Debug channels are typically not enabled by default, so the
// .evtx file may be absent or empty on a target — confirm before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CALCULATOR_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_calculator_debug",
    name: "Microsoft-Windows-Calculator/Debug",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Calculator\\Debug.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Calculator/Debug'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Operation log` event log channel (a non-`Microsoft-Windows-*` channel, so
/// the .evtx sits directly under the Logs directory).
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_OPERATION_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_operation_log",
    name: "Operation log",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Operation log.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Operation log'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CertificateServices-Deployment/Operational` event log
/// channel.
///
/// The `id` (and this static's name) look truncated to 60 characters by the
/// generator; the id is a lookup key, so it is kept as-is for stability.
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CERTIFICATESERVICES_DEPLOYMENT_OPERAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_certificateservices_deployment_operat",
    name: "Microsoft-Windows-CertificateServices-Deployment/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CertificateServices-Deployment\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CertificateServices-Deployment/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational`
/// event log channel.
///
/// The `id` (and this static's name) look truncated to 60 characters by the
/// generator; the id is a lookup key, so it is kept as-is for stability.
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CERTIFICATESERVICESCLIENT_CREDENTIALR: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_certificateservicesclient_credentialr",
    name: "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CertificateServicesClient-CredentialRoaming\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational`
/// event log channel.
///
/// The `id` (and this static's name) look truncated to 60 characters by the
/// generator; the id is a lookup key, so it is kept as-is for stability.
/// Unlike most channels in this catalogue it is triaged `High`; the
/// rationale is not recorded on the descriptor (evidence fields are empty).
/// Otherwise generic: identity decoder, mixed scope, Win7+, sourced from the
/// nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CERTIFICATESERVICESCLIENT_LIFECYCLE_S: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_certificateservicesclient_lifecycle_s",
    name: "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CertificateServicesClient-Lifecycle-System\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational`
/// event log channel.
///
/// The `id` (and this static's name) look truncated to 60 characters by the
/// generator; the id is a lookup key, so it is kept as-is for stability.
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CERTIFICATESERVICESCLIENT_LIFECYCLE_U: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_certificateservicesclient_lifecycle_u",
    name: "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CertificateServicesClient-Lifecycle-User\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-Cleanmgr/Diagnostic` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CLEANMGR_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_cleanmgr_diagnostic",
    name: "Microsoft-Windows-Cleanmgr/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Cleanmgr\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Cleanmgr/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-ClearTypeTextTuner/Diagnostic` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CLEARTYPETEXTTUNER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_cleartypetexttuner_diagnostic",
    name: "Microsoft-Windows-ClearTypeTextTuner/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ClearTypeTextTuner\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-ClearTypeTextTuner/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CloudFiles-Filter/Operational` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CLOUDFILES_FILTER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_cloudfiles_filter_operational",
    name: "Microsoft-Windows-CloudFiles-Filter/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CloudFiles-Filter\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CloudFiles-Filter/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CloudRestoreLauncher/Operational` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CLOUDRESTORELAUNCHER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_cloudrestorelauncher_operational",
    name: "Microsoft-Windows-CloudRestoreLauncher/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CloudRestoreLauncher\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CloudRestoreLauncher/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CloudStorageWizard/Operational` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CLOUDSTORAGEWIZARD_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_cloudstoragewizard_operational",
    name: "Microsoft-Windows-CloudStorageWizard/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CloudStorageWizard\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CloudStorageWizard/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CloudStorageWizard/Analytic` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
// NOTE(review): Analytic channels are typically not enabled by default, so the
// .evtx file may be absent or empty on a target — confirm before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CLOUDSTORAGEWIZARD_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_cloudstoragewizard_analytic",
    name: "Microsoft-Windows-CloudStorageWizard/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CloudStorageWizard\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CloudStorageWizard/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CloudStore/Operational` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CLOUDSTORE_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_cloudstore_operational",
    name: "Microsoft-Windows-CloudStore/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CloudStore\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CloudStore/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CloudStore/Debug` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
// NOTE(review): Debug channels are typically not enabled by default, so the
// .evtx file may be absent or empty on a target — confirm before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CLOUDSTORE_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_cloudstore_debug",
    name: "Microsoft-Windows-CloudStore/Debug",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CloudStore\\Debug.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CloudStore/Debug'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CloudStore/Initialization` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CLOUDSTORE_INITIALIZATION: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_cloudstore_initialization",
    name: "Microsoft-Windows-CloudStore/Initialization",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CloudStore\\Initialization.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CloudStore/Initialization'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CmiSetup/Analytic` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
// NOTE(review): Analytic channels are typically not enabled by default, so the
// .evtx file may be absent or empty on a target — confirm before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CMISETUP_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_cmisetup_analytic",
    name: "Microsoft-Windows-CmiSetup/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CmiSetup\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CmiSetup/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
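/// `Microsoft-Windows-CodeIntegrity/Operational` event log channel.
///
/// This channel is where the kernel's Code Integrity component records
/// code-integrity policy (WDAC / Device Guard) audit and enforcement
/// decisions and driver/image signature-validation failures, which makes it
/// one of the more valuable event logs for detecting unsigned or
/// policy-blocked code loading. The generator assigned it the catalogue-wide
/// default of `Low`; it is raised to `High` here so collection and review
/// order reflect that value. The enrichment fields (MITRE mappings, fields,
/// evidence caveats) are still empty and should be populated separately.
/// Otherwise generic: identity decoder, mixed scope, Win7+, sourced from the
/// nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CODEINTEGRITY_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_codeintegrity_operational",
    name: "Microsoft-Windows-CodeIntegrity/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CodeIntegrity\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Raised from the generated default (Low): CI policy audit/block and
    // signature-failure events are a primary source for unsigned/blocked
    // code-load detection.
    triage_priority: TriagePriority::High,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CodeIntegrity/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel yet.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};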
/// `Microsoft-Windows-CodeIntegrity/Verbose` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
// NOTE(review): Verbose channels are typically not enabled by default, so the
// .evtx file may be absent or empty on a target — confirm before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CODEINTEGRITY_VERBOSE: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_codeintegrity_verbose",
    name: "Microsoft-Windows-CodeIntegrity/Verbose",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CodeIntegrity\\Verbose.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CodeIntegrity/Verbose'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Analytical` event log channel (a non-`Microsoft-Windows-*` channel, so
/// the .evtx sits directly under the Logs directory).
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_ANALYTICAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_analytical",
    name: "Analytical",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Analytical.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Analytical'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-Compat-Appraiser/Analytic` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
// NOTE(review): Analytic channels are typically not enabled by default, so the
// .evtx file may be absent or empty on a target — confirm before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COMPAT_APPRAISER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_compat_appraiser_analytic",
    name: "Microsoft-Windows-Compat-Appraiser/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Compat-Appraiser\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Compat-Appraiser/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-Compat-Appraiser/Operational` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COMPAT_APPRAISER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_compat_appraiser_operational",
    name: "Microsoft-Windows-Compat-Appraiser/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Compat-Appraiser\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Compat-Appraiser/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-Connected-Search/Debug` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
// NOTE(review): Debug channels are typically not enabled by default, so the
// .evtx file may be absent or empty on a target — confirm before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CONNECTED_SEARCH_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_connected_search_debug",
    name: "Microsoft-Windows-Connected-Search/Debug",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Connected-Search\\Debug.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Connected-Search/Debug'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-Connected-Search/Operational` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CONNECTED_SEARCH_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_connected_search_operational",
    name: "Microsoft-Windows-Connected-Search/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Connected-Search\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Connected-Search/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-Connected-Search/Analytic` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
// NOTE(review): Analytic channels are typically not enabled by default, so the
// .evtx file may be absent or empty on a target — confirm before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CONNECTED_SEARCH_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_connected_search_analytic",
    name: "Microsoft-Windows-Connected-Search/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Connected-Search\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Connected-Search/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-Containers-BindFlt/Operational` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CONTAINERS_BINDFLT_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_containers_bindflt_operational",
    name: "Microsoft-Windows-Containers-BindFlt/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Containers-BindFlt\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Containers-BindFlt/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-Containers-Wcifs/Operational` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CONTAINERS_WCIFS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_containers_wcifs_operational",
    name: "Microsoft-Windows-Containers-Wcifs/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Containers-Wcifs\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Containers-Wcifs/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-Containers-Wcnfs/Operational` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CONTAINERS_WCNFS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_containers_wcnfs_operational",
    name: "Microsoft-Windows-Containers-Wcnfs/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Containers-Wcnfs\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Containers-Wcnfs/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `SmsRouter Operational Channel` event log channel (a non-`Microsoft-Windows-*`
/// channel, so the .evtx sits directly under the Logs directory).
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_SMSROUTER_OPERATIONAL_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_smsrouter_operational_channel",
    name: "SmsRouter Operational Channel",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\SmsRouter Operational Channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'SmsRouter Operational Channel'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `SmsRouter Debug Channel` event log channel (a non-`Microsoft-Windows-*`
/// channel, so the .evtx sits directly under the Logs directory).
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
// NOTE(review): Debug channels are typically not enabled by default, so the
// .evtx file may be absent or empty on a target — confirm before relying on it.
pub(crate) static EVTX_SMSROUTER_DEBUG_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_smsrouter_debug_channel",
    name: "SmsRouter Debug Channel",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\SmsRouter Debug Channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'SmsRouter Debug Channel'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CoreWindow/Analytic` event log channel.
///
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
// NOTE(review): Analytic channels are typically not enabled by default, so the
// .evtx file may be absent or empty on a target — confirm before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COREWINDOW_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_corewindow_analytic",
    name: "Microsoft-Windows-CoreWindow/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CoreWindow\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CoreWindow/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-CorruptedFileRecovery-Client/Operational` event log
/// channel.
///
/// The `id` (and this static's name) look truncated to 60 characters by the
/// generator; the id is a lookup key, so it is kept as-is for stability.
/// Generic EVTX descriptor: identity decoder, mixed scope, Win7+, no MITRE
/// mappings, fields, retention or evidence metadata recorded; sourced from
/// the nasbench EVTX-ETW-Resources catalogue.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CORRUPTEDFILERECOVERY_CLIENT_OPERATIO: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_corruptedfilerecovery_client_operatio",
    name: "Microsoft-Windows-CorruptedFileRecovery-Client/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CorruptedFileRecovery-Client\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Microsoft-Windows-CorruptedFileRecovery-Client/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Not a registry artifact, so the hive/key/value triple is empty.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-CorruptedFileRecovery-Server/Operational'.
///
/// NOTE(review): `id` ends in `_operatio`, i.e. the generated identifier
/// looks truncated at 60 characters; verify ids remain unique table-wide.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CORRUPTEDFILERECOVERY_SERVER_OPERATIO: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_corruptedfilerecovery_server_operatio",
name: "Microsoft-Windows-CorruptedFileRecovery-Server/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CorruptedFileRecovery-Server\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-CorruptedFileRecovery-Server/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crashdump/Analytic'.
///
/// NOTE(review): Analytic channels are normally disabled; absence of the
/// `.evtx` is the expected state on most hosts — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRASHDUMP_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_crashdump_analytic",
name: "Microsoft-Windows-Crashdump/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crashdump\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crashdump/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crashdump/Operational'.
///
/// NOTE(review): presumably records crash-dump generation; if so it can
/// corroborate kernel crashes or memory-dump activity seen in other
/// artifacts — confirm the channel's event set before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRASHDUMP_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_crashdump_operational",
name: "Microsoft-Windows-Crashdump/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crashdump\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crashdump/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-CredProvHost/Debug'.
///
/// NOTE(review): the credential-provider host is part of the logon path;
/// a Debug channel here is off by default and, when enabled, may carry
/// sensitive logon details — treat collected data accordingly. Confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CREDPROVHOST_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_credprovhost_debug",
name: "Microsoft-Windows-CredProvHost/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CredProvHost\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-CredProvHost/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-CredUI/Diagnostic'.
///
/// NOTE(review): Diagnostic channels are typically disabled by default;
/// expect the `.evtx` to be missing unless explicitly enabled — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CREDUI_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_credui_diagnostic",
name: "Microsoft-Windows-CredUI/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CredUI\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-CredUI/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-CredentialProviders/Debug'.
///
/// NOTE(review): credential providers sit on the interactive logon path;
/// from a defender's view this channel (when enabled) may help attribute
/// which provider handled a logon, but it is off by default — confirm
/// availability before assigning evidentiary weight.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CREDENTIALPROVIDERS_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_credentialproviders_debug",
name: "Microsoft-Windows-CredentialProviders/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CredentialProviders\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-CredentialProviders/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crypto-BCrypt/Analytic'.
///
/// NOTE(review): Analytic channel, normally disabled; file is expected to
/// be absent on a default host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRYPTO_BCRYPT_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_crypto_bcrypt_analytic",
name: "Microsoft-Windows-Crypto-BCrypt/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crypto-BCrypt\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crypto-BCrypt/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crypto-CNG/Analytic'.
///
/// NOTE(review): Analytic channel, normally disabled; file is expected to
/// be absent on a default host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRYPTO_CNG_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_crypto_cng_analytic",
name: "Microsoft-Windows-Crypto-CNG/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crypto-CNG\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crypto-CNG/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crypto-DPAPI/Operational'.
///
/// NOTE(review): DPAPI protects user and machine secrets (saved
/// credentials, browser data, keys); an Operational channel for it is
/// worth a look in credential-theft investigations, so `Low` triage and
/// empty `mitre_techniques` may be under-stated — confirm against the
/// channel's actual event set before raising.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRYPTO_DPAPI_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_crypto_dpapi_operational",
name: "Microsoft-Windows-Crypto-DPAPI/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crypto-DPAPI\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crypto-DPAPI/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc'.
///
/// NOTE(review): the DPAPI backup-key service relates to domain-level
/// recovery of user master keys; on domain controllers this channel may be
/// relevant when investigating theft of the domain backup key. Priority
/// and `evidence_caveats` are left at defaults here — confirm and refine.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRYPTO_DPAPI_BACKUPKEYSVC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_crypto_dpapi_backupkeysvc",
name: "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crypto-DPAPI\\BackUpKeySvc.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crypto-DPAPI/Debug'.
///
/// NOTE(review): Debug channel, disabled by default; expect the file to be
/// absent unless an operator enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRYPTO_DPAPI_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_crypto_dpapi_debug",
name: "Microsoft-Windows-Crypto-DPAPI/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crypto-DPAPI\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crypto-DPAPI/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crypto-DSSEnh/Analytic'.
///
/// NOTE(review): Analytic channel, normally disabled — confirm presence
/// before drawing conclusions from an empty or missing file.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRYPTO_DSSENH_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_crypto_dssenh_analytic",
name: "Microsoft-Windows-Crypto-DSSEnh/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crypto-DSSEnh\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crypto-DSSEnh/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crypto-NCrypt/Operational'.
///
/// NOTE(review): NCrypt is the CNG key-storage layer; an Operational
/// channel here could corroborate private-key access or export events in
/// certificate-theft cases — confirm the channel's event set.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRYPTO_NCRYPT_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_crypto_ncrypt_operational",
name: "Microsoft-Windows-Crypto-NCrypt/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crypto-NCrypt\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crypto-NCrypt/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crypto-NCrypt/CertInUse'.
///
/// NOTE(review): the channel name suggests it records which certificates
/// are in use; if so it may help identify a certificate's consumers when
/// revoking a compromised one — confirm before documenting as such.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRYPTO_NCRYPT_CERTINUSE: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_crypto_ncrypt_certinuse",
name: "Microsoft-Windows-Crypto-NCrypt/CertInUse",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crypto-NCrypt\\CertInUse.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crypto-NCrypt/CertInUse'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crypto-NCrypt/KeyMgmt'.
///
/// NOTE(review): presumably key-lifecycle events (create/delete/export);
/// relevant to key-theft investigations if populated — confirm whether the
/// channel is enabled by default before weighting it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRYPTO_NCRYPT_KEYMGMT: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_crypto_ncrypt_keymgmt",
name: "Microsoft-Windows-Crypto-NCrypt/KeyMgmt",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crypto-NCrypt\\KeyMgmt.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crypto-NCrypt/KeyMgmt'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crypto-RNG/Analytic'.
///
/// NOTE(review): Analytic channel, normally disabled; a missing file is the
/// expected state — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRYPTO_RNG_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_crypto_rng_analytic",
name: "Microsoft-Windows-Crypto-RNG/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crypto-RNG\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crypto-RNG/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Crypto-RSAEnh/Analytic'.
///
/// NOTE(review): Analytic channel, normally disabled; a missing file is the
/// expected state — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_CRYPTO_RSAENH_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_crypto_rsaenh_analytic",
name: "Microsoft-Windows-Crypto-RSAEnh/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Crypto-RSAEnh\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Crypto-RSAEnh/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-D3D10Level9/Analytic'.
///
/// Graphics-stack Analytic channel; NOTE(review): normally disabled and of
/// little forensic value beyond host-activity timelines — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_D3D10LEVEL9_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_d3d10level9_analytic",
name: "Microsoft-Windows-D3D10Level9/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-D3D10Level9\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-D3D10Level9/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-D3D10Level9/PerfTiming'.
///
/// Graphics performance-timing channel; NOTE(review): presumably disabled by
/// default and rarely populated — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_D3D10LEVEL9_PERFTIMING: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_d3d10level9_perftiming",
name: "Microsoft-Windows-D3D10Level9/PerfTiming",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-D3D10Level9\\PerfTiming.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-D3D10Level9/PerfTiming'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-Direct3D9/Analytic'.
///
/// Graphics-stack Analytic channel; NOTE(review): normally disabled — the
/// file is expected to be absent on most hosts. Confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECT3D9_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_direct3d9_analytic",
name: "Microsoft-Windows-Direct3D9/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Direct3D9\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Direct3D9/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DAL-Provider/Analytic'.
///
/// NOTE(review): Analytic channel, normally disabled; a missing file is the
/// expected state — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DAL_PROVIDER_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_dal_provider_analytic",
name: "Microsoft-Windows-DAL-Provider/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DAL-Provider\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DAL-Provider/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DAL-Provider/Operational'.
///
/// NOTE(review): the DAL provider's purpose is not documented here; the
/// `meaning` string is a placeholder derived from the channel name — expand
/// it once the event set is known.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DAL_PROVIDER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dal_provider_operational",
name: "Microsoft-Windows-DAL-Provider/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DAL-Provider\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DAL-Provider/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DCLocator/Debug'.
///
/// NOTE(review): DC Locator is the domain-controller discovery component;
/// when this Debug channel is enabled it can show which DC a host resolved
/// and when, which helps scope lateral-movement timelines. It is off by
/// default — confirm availability before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DCLOCATOR_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dclocator_debug",
name: "Microsoft-Windows-DCLocator/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DCLocator\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DCLocator/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DDisplay/Analytic'.
///
/// NOTE(review): Analytic channel, normally disabled; a missing file is the
/// expected state — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DDISPLAY_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_ddisplay_analytic",
name: "Microsoft-Windows-DDisplay/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DDisplay\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DDisplay/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DHCP Server Events/Operational'.
///
/// NOTE(review): only present on hosts running the DHCP Server role; on
/// such servers it is a primary source for IP-to-host attribution during an
/// incident, so `Low` may be under-stated there. The path contains spaces —
/// collectors that split on whitespace must quote it. Confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DHCP_SERVER_EVENTS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dhcp_server_events_operational",
name: "Microsoft-Windows-DHCP Server Events/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DHCP Server Events\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DHCP Server Events/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DHCP Server Events/FilterNotifications'.
///
/// NOTE(review): `id` ends in `_filternotification` (no trailing `s`) while
/// `name` and `file_path` say `FilterNotifications` — the generated id looks
/// truncated at 60 characters. Harmless as long as ids stay unique, but a
/// table-wide uniqueness check is advisable.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DHCP_SERVER_EVENTS_FILTERNOTIFICATION: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dhcp_server_events_filternotification",
name: "Microsoft-Windows-DHCP Server Events/FilterNotifications",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DHCP Server Events\\FilterNotifications.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DHCP Server Events/FilterNotifications'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DHCPv6 Client Events/Admin'.
///
/// NOTE(review): Admin-class channels are typically enabled by default, so
/// this file is more likely to exist than the Analytic/Debug entries nearby;
/// useful for reconstructing a host's IPv6 addressing history — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DHCPV6_CLIENT_EVENTS_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dhcpv6_client_events_admin",
name: "Microsoft-Windows-DHCPv6 Client Events/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DHCPv6 Client Events\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DHCPv6 Client Events/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DHCP Client Events/Operational'.
///
/// NOTE(review): presumably records lease acquisition/renewal on the client
/// side, which ties a host to the IP addresses it held over time — a
/// common need when correlating network logs. Confirm the event set.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DHCP_CLIENT_EVENTS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dhcp_client_events_operational",
name: "Microsoft-Windows-DHCP Client Events/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DHCP Client Events\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DHCP Client Events/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DLNA-Namespace/Analytic'.
///
/// NOTE(review): Analytic channel, normally disabled; a missing file is the
/// expected state — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DLNA_NAMESPACE_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_dlna_namespace_analytic",
name: "Microsoft-Windows-DLNA-Namespace/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DLNA-Namespace\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DLNA-Namespace/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DNS Client Events/Operational'.
///
/// Rated `Medium` here, unlike most neighbouring channels. NOTE(review):
/// client-side DNS events can corroborate resolution of suspicious domains
/// and DNS configuration changes; `mitre_techniques` and `fields` are still
/// empty, so the rating is not yet backed by documented evidence — fill in
/// once the relevant event IDs are confirmed.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DNS_CLIENT_EVENTS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dns_client_events_operational",
name: "Microsoft-Windows-DNS Client Events/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DNS Client Events\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DNS Client Events/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DSC/Operational'.
///
/// NOTE(review): DSC (PowerShell Desired State Configuration) applies
/// configurations that can run arbitrary code as SYSTEM; the Operational
/// channel is a natural place to look for unexpected configuration pushes
/// (persistence / execution). `Low` may be under-stated — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DSC_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dsc_operational",
name: "Microsoft-Windows-DSC/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DSC\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DSC/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DSC/Analytic'.
///
/// NOTE(review): Analytic channel, disabled by default; when enabled it
/// gives more verbose DSC detail than the Operational channel — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DSC_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dsc_analytic",
name: "Microsoft-Windows-DSC/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DSC\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DSC/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DSC/Debug'.
///
/// NOTE(review): Debug channel, disabled by default; expect the file to be
/// absent unless an operator enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DSC_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dsc_debug",
name: "Microsoft-Windows-DSC/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DSC\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DSC/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DUI/Diagnostic'.
///
/// NOTE(review): Diagnostic channel, typically disabled; a missing file is
/// the expected state — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DUI_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dui_diagnostic",
name: "Microsoft-Windows-DUI/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DUI\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DUI/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DUSER/Diagnostic'.
///
/// NOTE(review): Diagnostic channel, typically disabled; a missing file is
/// the expected state — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DUSER_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_duser_diagnostic",
name: "Microsoft-Windows-DUSER/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DUSER\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DUSER/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel 'DVD Navigator'
/// (`%SystemRoot%\System32\winevt\Logs\DVD Navigator.evtx`).
///
/// Legacy media-playback channel; NOTE(review): of little forensic value
/// beyond host-activity timelines. Path contains a space — quote it in
/// collectors that split on whitespace.
pub(crate) static EVTX_DVD_NAVIGATOR: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_dvd_navigator",
name: "DVD Navigator",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\DVD Navigator.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'DVD Navigator'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DXGI/Analytic'.
///
/// Graphics-stack Analytic channel; NOTE(review): normally disabled — a
/// missing file is the expected state. Confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DXGI_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dxgi_analytic",
name: "Microsoft-Windows-DXGI/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DXGI\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DXGI/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DXGI/Logging'.
///
/// Graphics-stack logging channel; NOTE(review): presumably disabled by
/// default like its Analytic sibling — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DXGI_LOGGING: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dxgi_logging",
name: "Microsoft-Windows-DXGI/Logging",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DXGI\\Logging.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DXGI/Logging'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows event-log channel
/// 'Microsoft-Windows-DXP/Analytic'.
///
/// NOTE(review): Analytic channel, normally disabled; a missing file is the
/// expected state — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DXP_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dxp_analytic",
name: "Microsoft-Windows-DXP/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DXP\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DXP/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Data-Pdf/Debug` Windows Event Log channel (file-backed `.evtx`;
/// no registry hive, key or value applies). Identity-decoded; field schema, MITRE
/// mappings, retention, evidence and volatility metadata are not yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DATA_PDF_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_data_pdf_debug",
name: "Microsoft-Windows-Data-Pdf/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Data-Pdf\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Data-Pdf/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DataIntegrityScan/Admin` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DATAINTEGRITYSCAN_ADMIN: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_dataintegrityscan_admin",
name: "Microsoft-Windows-DataIntegrityScan/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DataIntegrityScan\\Admin.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DataIntegrityScan/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DataIntegrityScan/CrashRecovery` Windows Event Log channel
/// (file-backed `.evtx`; no registry hive, key or value applies). Identity-decoded;
/// field schema, MITRE mappings, retention, evidence and volatility metadata are not
/// yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DATAINTEGRITYSCAN_CRASHRECOVERY: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dataintegrityscan_crashrecovery",
name: "Microsoft-Windows-DataIntegrityScan/CrashRecovery",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DataIntegrityScan\\CrashRecovery.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DataIntegrityScan/CrashRecovery'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Deduplication/Operational` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEDUPLICATION_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_deduplication_operational",
name: "Microsoft-Windows-Deduplication/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Deduplication\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Deduplication/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Deduplication/Diagnostic` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEDUPLICATION_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_deduplication_diagnostic",
name: "Microsoft-Windows-Deduplication/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Deduplication\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Deduplication/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Deduplication/Scrubbing` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEDUPLICATION_SCRUBBING: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_deduplication_scrubbing",
name: "Microsoft-Windows-Deduplication/Scrubbing",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Deduplication\\Scrubbing.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Deduplication/Scrubbing'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Deduplication/Performance` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEDUPLICATION_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_deduplication_performance",
name: "Microsoft-Windows-Deduplication/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Deduplication\\Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Deduplication/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Defrag-Core/Debug` Windows Event Log channel (file-backed `.evtx`;
/// no registry hive, key or value applies). Identity-decoded; field schema, MITRE
/// mappings, retention, evidence and volatility metadata are not yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEFRAG_CORE_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_defrag_core_debug",
name: "Microsoft-Windows-Defrag-Core/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Defrag-Core\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Defrag-Core/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Deplorch/Analytic` Windows Event Log channel (file-backed `.evtx`;
/// no registry hive, key or value applies). Identity-decoded; field schema, MITRE
/// mappings, retention, evidence and volatility metadata are not yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEPLORCH_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_deplorch_analytic",
name: "Microsoft-Windows-Deplorch/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Deplorch\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Deplorch/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Deployment-Services-Diagnostics/Operational` Windows Event Log
/// channel (file-backed `.evtx`; no registry hive, key or value applies).
/// Identity-decoded; field schema, MITRE mappings, retention, evidence and volatility
/// metadata are not yet populated; triage `Low`.
///
/// NOTE(review): the static name and `id` are cut off at `..._opera` while `name`
/// ends in `Operational`; the generator appears to cap identifiers at a fixed length.
/// A truncated id is still unique here, but it can no longer be derived from the
/// channel name — confirm nothing looks this artifact up by reconstructing its id.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEPLOYMENT_SERVICES_DIAGNOSTICS_OPERA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_deployment_services_diagnostics_opera",
name: "Microsoft-Windows-Deployment-Services-Diagnostics/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Deployment-Services-Diagnostics\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Deployment-Services-Diagnostics/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Deployment-Services-Diagnostics/Admin` Windows Event Log channel
/// (file-backed `.evtx`; no registry hive, key or value applies). Identity-decoded;
/// field schema, MITRE mappings, retention, evidence and volatility metadata are not
/// yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEPLOYMENT_SERVICES_DIAGNOSTICS_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_deployment_services_diagnostics_admin",
name: "Microsoft-Windows-Deployment-Services-Diagnostics/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Deployment-Services-Diagnostics\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Deployment-Services-Diagnostics/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DesktopActivityModerator/Diagnostic` Windows Event Log channel
/// (file-backed `.evtx`; no registry hive, key or value applies). Identity-decoded;
/// field schema, MITRE mappings, retention, evidence and volatility metadata are not
/// yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DESKTOPACTIVITYMODERATOR_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_desktopactivitymoderator_diagnostic",
name: "Microsoft-Windows-DesktopActivityModerator/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DesktopActivityModerator\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DesktopActivityModerator/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic` Windows Event Log channel
/// (file-backed `.evtx`; no registry hive, key or value applies). Identity-decoded;
/// field schema, MITRE mappings, retention, evidence and volatility metadata are not
/// yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DESKTOPWINDOWMANAGER_DIAG_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_desktopwindowmanager_diag_diagnostic",
name: "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DesktopWindowManager-Diag\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DeviceAssociationService/Performance` Windows Event Log channel
/// (file-backed `.evtx`; no registry hive, key or value applies). Identity-decoded;
/// field schema, MITRE mappings, retention, evidence and volatility metadata are not
/// yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICEASSOCIATIONSERVICE_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_deviceassociationservice_performance",
name: "Microsoft-Windows-DeviceAssociationService/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DeviceAssociationService\\Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DeviceAssociationService/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DeviceConfidence/Analytic` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICECONFIDENCE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_deviceconfidence_analytic",
name: "Microsoft-Windows-DeviceConfidence/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DeviceConfidence\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DeviceConfidence/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DeviceGuard/Operational` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated.
///
/// NOTE(review): this channel is triaged `Low` like the display/diagnostic channels
/// around it, yet its name points at a platform security feature (Device Guard).
/// If it does carry code-integrity / virtualization-based-security status events,
/// it is one of the few logs in this group that tells a responder whether an
/// enforcement control was weakened — confirm against the project's triage policy
/// whether `Medium` (as used for the `Application` channel) is more appropriate.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICEGUARD_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_deviceguard_operational",
name: "Microsoft-Windows-DeviceGuard/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DeviceGuard\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DeviceGuard/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Autopilot` Windows Event Log channel (file-backed `.evtx` directly under the
/// `Logs` directory, not a provider subfolder; no registry hive, key or value applies).
/// Identity-decoded; field schema, MITRE mappings, retention, evidence and volatility
/// metadata are not yet populated; triage `Low`.
pub(crate) static EVTX_AUTOPILOT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_autopilot",
name: "Autopilot",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Autopilot.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Autopilot'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational`
/// Windows Event Log channel (file-backed `.evtx`; no registry hive, key or value
/// applies). Identity-decoded; field schema, MITRE mappings, retention, evidence and
/// volatility metadata are not yet populated; triage `Low`.
///
/// NOTE(review): the static name and `id` are cut off at `..._diagnosti`, dropping the
/// whole `...-Provider/Operational` tail of `name`. Because the channel suffix is gone,
/// any other channel of the same provider would truncate to the identical id —
/// the generator's identifier cap should be length-safe, or the id de-duplicated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICEMANAGEMENT_ENTERPRISE_DIAGNOSTI: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_devicemanagement_enterprise_diagnosti",
name: "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DeviceSetupManager/Admin` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICESETUPMANAGER_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_devicesetupmanager_admin",
name: "Microsoft-Windows-DeviceSetupManager/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DeviceSetupManager\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DeviceSetupManager/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DeviceSetupManager/Debug` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICESETUPMANAGER_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_devicesetupmanager_debug",
name: "Microsoft-Windows-DeviceSetupManager/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DeviceSetupManager\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DeviceSetupManager/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DeviceSetupManager/Operational` Windows Event Log channel
/// (file-backed `.evtx`; no registry hive, key or value applies). Identity-decoded;
/// field schema, MITRE mappings, retention, evidence and volatility metadata are not
/// yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICESETUPMANAGER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_devicesetupmanager_operational",
name: "Microsoft-Windows-DeviceSetupManager/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DeviceSetupManager\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DeviceSetupManager/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DeviceSetupManager/Analytic` Windows Event Log channel
/// (file-backed `.evtx`; no registry hive, key or value applies). Identity-decoded;
/// field schema, MITRE mappings, retention, evidence and volatility metadata are not
/// yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICESETUPMANAGER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_devicesetupmanager_analytic",
name: "Microsoft-Windows-DeviceSetupManager/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DeviceSetupManager\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DeviceSetupManager/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DeviceSync/Analytic` Windows Event Log channel (file-backed `.evtx`;
/// no registry hive, key or value applies). Identity-decoded; field schema, MITRE
/// mappings, retention, evidence and volatility metadata are not yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICESYNC_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_devicesync_analytic",
name: "Microsoft-Windows-DeviceSync/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DeviceSync\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DeviceSync/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DeviceSync/Operational` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICESYNC_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_devicesync_operational",
name: "Microsoft-Windows-DeviceSync/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DeviceSync\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DeviceSync/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Device Update Agent operational channel` Windows Event Log channel (file-backed
/// `.evtx` directly under the `Logs` directory — note the spaces in the file name —
/// no registry hive, key or value applies). Identity-decoded; field schema, MITRE
/// mappings, retention, evidence and volatility metadata are not yet populated; triage `Low`.
pub(crate) static EVTX_DEVICE_UPDATE_AGENT_OPERATIONAL_CHANNEL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_device_update_agent_operational_channel",
name: "Device Update Agent operational channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Device Update Agent operational channel.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Device Update Agent operational channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DeviceUx/Performance` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICEUX_PERFORMANCE: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_deviceux_performance",
name: "Microsoft-Windows-DeviceUx/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DeviceUx\\Performance.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DeviceUx/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DeviceUx/Informational` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICEUX_INFORMATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_deviceux_informational",
name: "Microsoft-Windows-DeviceUx/Informational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DeviceUx\\Informational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DeviceUx/Informational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Devices-Background/Operational` Windows Event Log channel
/// (file-backed `.evtx`; no registry hive, key or value applies). Identity-decoded;
/// field schema, MITRE mappings, retention, evidence and volatility metadata are not
/// yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICES_BACKGROUND_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_devices_background_operational",
name: "Microsoft-Windows-Devices-Background/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Devices-Background\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Devices-Background/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft.Windows.Devices.Location-Performance` Windows Event Log channel
/// (file-backed `.evtx`; no registry hive, key or value applies). Unlike the
/// `Provider/Channel` entries nearby, this name is dot-separated and maps to a single
/// file directly under `Logs`. Identity-decoded; field schema, MITRE mappings,
/// retention, evidence and volatility metadata are not yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICES_LOCATION_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_devices_location_performance",
name: "Microsoft.Windows.Devices.Location-Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft.Windows.Devices.Location-Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft.Windows.Devices.Location-Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Devices-Query/Performance` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DEVICES_QUERY_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_devices_query_performance",
name: "Microsoft-Windows-Devices-Query/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Devices-Query\\Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Devices-Query/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DHCP Client Events/Admin` Windows Event Log channel (file-backed
/// `.evtx` — the provider folder name contains spaces; no registry hive, key or value
/// applies). Identity-decoded; field schema, MITRE mappings, retention, evidence and
/// volatility metadata are not yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DHCP_CLIENT_EVENTS_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dhcp_client_events_admin",
name: "Microsoft-Windows-DHCP Client Events/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DHCP Client Events\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DHCP Client Events/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DHCPNap/Operational` Windows Event Log channel (file-backed `.evtx`;
/// no registry hive, key or value applies). Identity-decoded; field schema, MITRE
/// mappings, retention, evidence and volatility metadata are not yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DHCPNAP_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_dhcpnap_operational",
name: "Microsoft-Windows-DHCPNap/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DHCPNap\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DHCPNap/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DHCPNap/Admin` Windows Event Log channel (file-backed `.evtx`;
/// no registry hive, key or value applies). Identity-decoded; field schema, MITRE
/// mappings, retention, evidence and volatility metadata are not yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DHCPNAP_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_dhcpnap_admin",
name: "Microsoft-Windows-DHCPNap/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DHCPNap\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DHCPNap/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-DiagCpl/Debug` Windows Event Log channel (file-backed `.evtx`;
/// no registry hive, key or value applies). Identity-decoded; field schema, MITRE
/// mappings, retention, evidence and volatility metadata are not yet populated; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGCPL_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagcpl_debug",
name: "Microsoft-Windows-DiagCpl/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DiagCpl\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DiagCpl/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic` Windows Event Log channel
/// (file-backed `.evtx`; no registry hive, key or value applies). Identity-decoded;
/// field schema, MITRE mappings, retention, evidence and volatility metadata are not
/// yet populated; triage `Low`.
///
/// NOTE(review): the static name and `id` are cut off at `..._analyti` while `name`
/// ends in `Analytic` — same fixed-length identifier cap as the Deployment-Services
/// and DeviceManagement-Enterprise entries above; confirm nothing derives this id
/// from the channel name.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_ADVANCEDTASKMANAGER_ANALYTI: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_advancedtaskmanager_analyti",
name: "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-AdvancedTaskManager\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Diagnosis-DPS/Analytic` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_DPS_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_dps_analytic",
name: "Microsoft-Windows-Diagnosis-DPS/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-DPS\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-DPS/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Diagnosis-DPS/Operational` Windows Event Log channel (file-backed
/// `.evtx`; no registry hive, key or value applies). Identity-decoded; field schema,
/// MITRE mappings, retention, evidence and volatility metadata are not yet populated;
/// triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_DPS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_dps_operational",
name: "Microsoft-Windows-Diagnosis-DPS/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-DPS\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-DPS/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-DPS/Debug`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS\Debug.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Debug channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_DPS_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_dps_debug",
name: "Microsoft-Windows-Diagnosis-DPS/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-DPS\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-DPS/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-MSDE/Debug`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-MSDE\Debug.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Debug channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_MSDE_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_msde_debug",
name: "Microsoft-Windows-Diagnosis-MSDE/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-MSDE\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-MSDE/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-MSDT/Operational`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-MSDT\Operational.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): MSDT (troubleshooter) activity has featured in real-world intrusion chains;
// the generated `Low` priority and empty `mitre_techniques` may deserve a manual pass.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_MSDT_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_msdt_operational",
name: "Microsoft-Windows-Diagnosis-MSDT/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-MSDT\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-MSDT/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-MSDT/Debug`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-MSDT\Debug.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Debug channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_MSDT_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_msdt_debug",
name: "Microsoft-Windows-Diagnosis-MSDT/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-MSDT\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-MSDT/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-PCW/Operational`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PCW\Operational.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PCW_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_pcw_operational",
name: "Microsoft-Windows-Diagnosis-PCW/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-PCW\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-PCW/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-PCW/Analytic`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PCW\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Analytic channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PCW_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_pcw_analytic",
name: "Microsoft-Windows-Diagnosis-PCW/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-PCW\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-PCW/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-PCW/Debug`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PCW\Debug.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Debug channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PCW_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_pcw_debug",
name: "Microsoft-Windows-Diagnosis-PCW/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-PCW\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-PCW/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-PLA/Operational`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA\Operational.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PLA_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_pla_operational",
name: "Microsoft-Windows-Diagnosis-PLA/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-PLA\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-PLA/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-PLA/Debug`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA\Debug.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Debug channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PLA_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_pla_debug",
name: "Microsoft-Windows-Diagnosis-PLA/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-PLA\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-PLA/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-Perfhost/Analytic`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Perfhost\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Analytic channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_PERFHOST_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_perfhost_analytic",
name: "Microsoft-Windows-Diagnosis-Perfhost/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-Perfhost\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-Perfhost/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-Scheduled/Operational`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled\Operational.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCHEDULED_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_scheduled_operational",
name: "Microsoft-Windows-Diagnosis-Scheduled/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-Scheduled\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-Scheduled/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-Scripted/Admin`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scripted\Admin.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): scripted-diagnostics (troubleshooter pack) execution has featured in
// real-world intrusion chains; the generated `Low` priority may deserve a manual pass.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTED_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_scripted_admin",
name: "Microsoft-Windows-Diagnosis-Scripted/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-Scripted\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-Scripted/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-Scripted/Operational`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scripted\Operational.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): scripted-diagnostics (troubleshooter pack) execution has featured in
// real-world intrusion chains; the generated `Low` priority may deserve a manual pass.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTED_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_scripted_operational",
name: "Microsoft-Windows-Diagnosis-Scripted/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-Scripted\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-Scripted/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-Scripted/Debug`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scripted\Debug.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Debug channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTED_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_scripted_debug",
name: "Microsoft-Windows-Diagnosis-Scripted/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-Scripted\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-Scripted/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-Scripted/Analytic`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scripted\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Analytic channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTED_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_scripted_analytic",
name: "Microsoft-Windows-Diagnosis-Scripted/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-Scripted\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-Scripted/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational`,
/// read from `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider\Operational.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): unlike its siblings, the `id` carries no `_operational` suffix — it appears
// to be cut at a fixed length by the generator. Any cross-reference by id must use the
// truncated form exactly as written below.
// NOTE(review): scripted-diagnostics (troubleshooter pack) execution has featured in
// real-world intrusion chains; the generated `Low` priority may deserve a manual pass.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_SCRIPTEDDIAGNOSTICSPROVIDER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_scripteddiagnosticsprovider",
name: "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-TaskManager/Debug`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-TaskManager\Debug.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Debug channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_TASKMANAGER_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_taskmanager_debug",
name: "Microsoft-Windows-Diagnosis-TaskManager/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-TaskManager\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-TaskManager/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-WDC/Analytic`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-WDC\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Analytic channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_WDC_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_wdc_analytic",
name: "Microsoft-Windows-Diagnosis-WDC/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-WDC\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-WDC/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnosis-WDI/Debug`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnosis-WDI\Debug.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Debug channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSIS_WDI_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnosis_wdi_debug",
name: "Microsoft-Windows-Diagnosis-WDI/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnosis-WDI\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnosis-WDI/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnostics-Networking/Operational`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking\Operational.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSTICS_NETWORKING_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnostics_networking_operational",
name: "Microsoft-Windows-Diagnostics-Networking/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnostics-Networking\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnostics-Networking/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnostics-Networking/Debug`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking\Debug.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Debug channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSTICS_NETWORKING_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnostics_networking_debug",
name: "Microsoft-Windows-Diagnostics-Networking/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnostics-Networking\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnostics-Networking/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic`,
/// read from `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnostics-PerfTrack-Counters\Diagnostic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): the `id` (and the static's name) is cut mid-word at `_diagno`, which looks
// like a fixed-length cap in the generator rather than a typo. Any cross-reference by id
// must use the truncated form exactly as written below.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSTICS_PERFTRACK_COUNTERS_DIAGNO: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnostics_perftrack_counters_diagno",
name: "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnostics-PerfTrack-Counters\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Diagnostics-PerfTrack\Diagnostic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIAGNOSTICS_PERFTRACK_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_diagnostics_perftrack_diagnostic",
name: "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Diagnostics-PerfTrack\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Diagnostic-Loopback`, read from
/// `%SystemRoot%\System32\winevt\Logs\Diagnostic-Loopback.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_DIAGNOSTIC_LOOPBACK: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_diagnostic_loopback",
name: "Diagnostic-Loopback",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Diagnostic-Loopback.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Diagnostic-Loopback'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Direct3D10/Analytic`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Direct3D10\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Analytic channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECT3D10_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_direct3d10_analytic",
name: "Microsoft-Windows-Direct3D10/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Direct3D10\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Direct3D10/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Direct3D10_1/Analytic`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Direct3D10_1\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Analytic channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECT3D10_1_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_direct3d10_1_analytic",
name: "Microsoft-Windows-Direct3D10_1/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Direct3D10_1\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Direct3D10_1/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Direct3D11/Analytic`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Direct3D11\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): Analytic channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECT3D11_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_direct3d11_analytic",
name: "Microsoft-Windows-Direct3D11/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Direct3D11\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Direct3D11/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Direct3D11/PerfTiming`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Direct3D11\PerfTiming.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECT3D11_PERFTIMING: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_direct3d11_perftiming",
name: "Microsoft-Windows-Direct3D11/PerfTiming",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Direct3D11\\PerfTiming.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Direct3D11/PerfTiming'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Direct3D11/Logging`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Direct3D11\Logging.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECT3D11_LOGGING: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_direct3d11_logging",
name: "Microsoft-Windows-Direct3D11/Logging",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Direct3D11\\Logging.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Direct3D11/Logging'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Direct3D12/Analytic`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Direct3D12\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): `OsScope::Win7Plus` looks too broad here — Direct3D12 only shipped with
// Windows 10 — but the generator emits the same scope for every channel; confirm whether a
// narrower `OsScope` variant exists before tightening it.
// NOTE(review): Analytic channels are normally disabled by default, so this file is often
// absent or empty on a collected host; consider recording that in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECT3D12_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_direct3d12_analytic",
name: "Microsoft-Windows-Direct3D12/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Direct3D12\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Direct3D12/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Direct3D12/Logging`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Direct3D12\Logging.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): `OsScope::Win7Plus` looks too broad here — Direct3D12 only shipped with
// Windows 10 — but the generator emits the same scope for every channel; confirm whether a
// narrower `OsScope` variant exists before tightening it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECT3D12_LOGGING: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_direct3d12_logging",
name: "Microsoft-Windows-Direct3D12/Logging",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Direct3D12\\Logging.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Direct3D12/Logging'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Direct3D12/PerfTiming`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Direct3D12\PerfTiming.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): `OsScope::Win7Plus` looks too broad here — Direct3D12 only shipped with
// Windows 10 — but the generator emits the same scope for every channel; confirm whether a
// narrower `OsScope` variant exists before tightening it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECT3D12_PERFTIMING: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_direct3d12_perftiming",
name: "Microsoft-Windows-Direct3D12/PerfTiming",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Direct3D12\\PerfTiming.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Direct3D12/PerfTiming'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Direct3DShaderCache/Default`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Direct3DShaderCache\Default.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECT3DSHADERCACHE_DEFAULT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_direct3dshadercache_default",
name: "Microsoft-Windows-Direct3DShaderCache/Default",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Direct3DShaderCache\\Default.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Direct3DShaderCache/Default'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-DAMM/Diagnostic`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-DAMM\Diagnostic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DAMM_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_damm_diagnostic",
name: "Microsoft-Windows-DAMM/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DAMM\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DAMM/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-DirectComposition/Diagnostic`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-DirectComposition\Diagnostic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECTCOMPOSITION_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_directcomposition_diagnostic",
name: "Microsoft-Windows-DirectComposition/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DirectComposition\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DirectComposition/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-DirectManipulation/Diagnostic`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-DirectManipulation\Diagnostic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECTMANIPULATION_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_directmanipulation_diagnostic",
name: "Microsoft-Windows-DirectManipulation/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DirectManipulation\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DirectManipulation/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `DirectShowPluginControl`, read from
/// `%SystemRoot%\System32\winevt\Logs\DirectShowPluginControl.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_DIRECTSHOWPLUGINCONTROL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_directshowplugincontrol",
name: "DirectShowPluginControl",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\DirectShowPluginControl.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'DirectShowPluginControl'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `DirectShow FilterGraph`, read from
/// `%SystemRoot%\System32\winevt\Logs\DirectShow FilterGraph.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
// NOTE(review): the channel name and the file name contain a space; any collector that
// splits paths on whitespace or builds a command line from `file_path` must quote it.
pub(crate) static EVTX_DIRECTSHOW_FILTERGRAPH: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_directshow_filtergraph",
name: "DirectShow FilterGraph",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\DirectShow FilterGraph.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'DirectShow FilterGraph'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-DirectShow-KernelSupport/Performance`, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-DirectShow-KernelSupport\Performance.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or caveats are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECTSHOW_KERNELSUPPORT_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_directshow_kernelsupport_performance",
name: "Microsoft-Windows-DirectShow-KernelSupport/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DirectShow-KernelSupport\\Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-DirectShow-KernelSupport/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-DirectSound/Debug' event log channel.
///
/// Debug-type channels are normally disabled; an absent `.evtx` is expected and
/// is not by itself evidence of log clearing. NOTE(review): on disk the '/' in
/// the channel name is encoded as '%4' in a flat Logs directory; confirm the
/// collector maps this `Provider\Channel.evtx` form to that filename. `Low`
/// triage; MITRE mapping, fields, retention and volatility not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECTSOUND_DEBUG: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_directsound_debug",
        name: "Microsoft-Windows-DirectSound/Debug",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DirectSound\\Debug.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-DirectSound/Debug'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-DirectWrite-FontCache/Tracing' event
/// log channel.
///
/// Tracing-type channels are normally disabled; an absent `.evtx` is expected.
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECTWRITE_FONTCACHE_TRACING: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_directwrite_fontcache_tracing",
    name: "Microsoft-Windows-DirectWrite-FontCache/Tracing",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DirectWrite-FontCache\\Tracing.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DirectWrite-FontCache/Tracing'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-DirectWrite/Tracing' event log channel.
///
/// Tracing-type channels are normally disabled; an absent `.evtx` is expected.
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECTWRITE_TRACING: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_directwrite_tracing",
        name: "Microsoft-Windows-DirectWrite/Tracing",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DirectWrite\\Tracing.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-DirectWrite/Tracing'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
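/// Descriptor for the 'Microsoft-Windows-DirectoryServices-Deployment/Operational'
/// event log channel.
///
/// This channel records Active Directory Domain Services deployment operations
/// (domain controller promotion/demotion). An unexpected promotion is a
/// high-impact change to the identity tier, so the channel is triaged `Medium`
/// rather than the `Low` used for the surrounding graphics/media channels.
/// Caveats: the channel is only meaningful on hosts where the AD DS role has
/// been installed or removed, and the OS floor is probably later than
/// `Win7Plus` (AD DS deployment cmdlets arrived with Server 2012) — TODO confirm
/// and tighten `os_scope` if a finer variant exists. NOTE(review): on disk the
/// '/' in the channel name is encoded as '%4' in a flat Logs directory; confirm
/// the collector maps this `Provider\Channel.evtx` form to that filename.
/// The identifier and `id` are truncated ("...operatio") by whatever generated
/// this file; keep `id` stable, other descriptors may reference it.
/// MITRE mapping, fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DIRECTORYSERVICES_DEPLOYMENT_OPERATIO: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_directoryservices_deployment_operatio",
    name: "Microsoft-Windows-DirectoryServices-Deployment/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DirectoryServices-Deployment\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DirectoryServices-Deployment/Operational' (AD DS deployment: domain controller promotion/demotion operations).",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Raised from Low: DC promotion/demotion is an identity-tier change worth
    // reviewing whenever this log is present on a collected host.
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};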
/// Descriptor for the 'Microsoft-Windows-Disk/Operational' event log channel.
///
/// Operational-type channels are usually enabled by default, so the `.evtx`
/// should normally exist even if empty — TODO confirm for this provider.
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DISK_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_disk_operational",
        name: "Microsoft-Windows-Disk/Operational",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Disk\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Disk/Operational'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-Storage-Disk/Analytic' event log channel.
///
/// Analytic-type channels are normally disabled; an absent `.evtx` is expected.
/// The Storage-* providers post-date Windows 7, so `Win7Plus` is probably too
/// broad — TODO confirm and tighten if `OsScope` has a finer variant.
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_DISK_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_storage_disk_analytic",
        name: "Microsoft-Windows-Storage-Disk/Analytic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-Disk\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-Disk/Analytic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-Storage-Disk/Diagnose' event log channel.
///
/// Diagnose-type channels are normally disabled; an absent `.evtx` is expected.
/// The Storage-* providers post-date Windows 7, so `Win7Plus` is probably too
/// broad — TODO confirm. NOTE(review): on disk the '/' in the channel name is
/// encoded as '%4' in a flat Logs directory; confirm the collector maps this
/// `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_DISK_DIAGNOSE: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_storage_disk_diagnose",
        name: "Microsoft-Windows-Storage-Disk/Diagnose",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-Disk\\Diagnose.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-Disk/Diagnose'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-DiskDiagnostic/Operational' event log
/// channel.
///
/// Operational-type channel (usually enabled by default — TODO confirm for this
/// provider). NOTE(review): on disk the '/' in the channel name is encoded as
/// '%4' in a flat Logs directory; confirm the collector maps this
/// `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DISKDIAGNOSTIC_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_diskdiagnostic_operational",
    name: "Microsoft-Windows-DiskDiagnostic/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DiskDiagnostic\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DiskDiagnostic/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-DiskDiagnosticDataCollector/Operational'
/// event log channel.
///
/// The identifier and `id` are truncated ("...operation") by whatever generated
/// this file; keep `id` stable, other descriptors may reference it.
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DISKDIAGNOSTICDATACOLLECTOR_OPERATION: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_diskdiagnosticdatacollector_operation",
    name: "Microsoft-Windows-DiskDiagnosticDataCollector/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DiskDiagnosticDataCollector\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DiskDiagnosticDataCollector/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-DiskDiagnosticResolver/Operational'
/// event log channel.
///
/// Operational-type channel (usually enabled by default — TODO confirm for this
/// provider). NOTE(review): on disk the '/' in the channel name is encoded as
/// '%4' in a flat Logs directory; confirm the collector maps this
/// `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DISKDIAGNOSTICRESOLVER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_diskdiagnosticresolver_operational",
    name: "Microsoft-Windows-DiskDiagnosticResolver/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DiskDiagnosticResolver\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DiskDiagnosticResolver/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-Dism-Api/Analytic' event log channel.
///
/// DISM is the image-servicing API (feature/package enable/disable), so this
/// channel can corroborate servicing changes if it was enabled — but Analytic
/// channels are normally disabled and the `.evtx` is typically absent; the
/// DISM log file under `%WinDir%\Logs\DISM` is usually the better source.
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DISM_API_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_dism_api_analytic",
        name: "Microsoft-Windows-Dism-Api/Analytic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Dism-Api\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Dism-Api/Analytic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-Dism-Api/InternalAnalytic' event log
/// channel.
///
/// Analytic-type channel (normally disabled; an absent `.evtx` is expected).
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DISM_API_INTERNALANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_dism_api_internalanalytic",
    name: "Microsoft-Windows-Dism-Api/InternalAnalytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Dism-Api\\InternalAnalytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Dism-Api/InternalAnalytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-Dism-Cli/Analytic' event log channel.
///
/// Covers the `dism.exe` command-line front end; if enabled it can corroborate
/// operator-driven servicing (feature/package changes), but Analytic channels
/// are normally disabled and the `.evtx` is typically absent. NOTE(review): on
/// disk the '/' in the channel name is encoded as '%4' in a flat Logs directory;
/// confirm the collector maps this `Provider\Channel.evtx` form to that
/// filename. `Low` triage; MITRE mapping, fields, retention and volatility are
/// not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DISM_CLI_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_dism_cli_analytic",
        name: "Microsoft-Windows-Dism-Cli/Analytic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Dism-Cli\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Dism-Cli/Analytic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-DisplayColorCalibration/Operational'
/// event log channel.
///
/// Display-calibration channel with no security-specific use recorded here.
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DISPLAYCOLORCALIBRATION_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_displaycolorcalibration_operational",
    name: "Microsoft-Windows-DisplayColorCalibration/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DisplayColorCalibration\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DisplayColorCalibration/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-DisplayColorCalibration/Debug' event
/// log channel.
///
/// Debug-type channel (normally disabled; an absent `.evtx` is expected).
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DISPLAYCOLORCALIBRATION_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_displaycolorcalibration_debug",
    name: "Microsoft-Windows-DisplayColorCalibration/Debug",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DisplayColorCalibration\\Debug.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DisplayColorCalibration/Debug'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-DisplaySwitch/Diagnostic' event log
/// channel.
///
/// Diagnostic-type channel (normally disabled; an absent `.evtx` is expected).
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DISPLAYSWITCH_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_displayswitch_diagnostic",
    name: "Microsoft-Windows-DisplaySwitch/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DisplaySwitch\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DisplaySwitch/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-Dot3MM/Diagnostic' event log channel.
///
/// Dot3 refers to the wired (802.3) media manager; if this Diagnostic channel
/// was enabled it may corroborate wired-NIC state changes, but Diagnostic
/// channels are normally disabled and the `.evtx` is typically absent.
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DOT3MM_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_dot3mm_diagnostic",
        name: "Microsoft-Windows-Dot3MM/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Dot3MM\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Dot3MM/Diagnostic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
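/// Descriptor for the 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
/// event log channel.
///
/// This channel records UMDF host-process load/unload activity for user-mode
/// drivers and is a standard DFIR source for reconstructing USB / removable
/// device connection timelines (device instance identifiers plus first/last
/// seen timestamps), which is why it is triaged `Medium` instead of the `Low`
/// used for the surrounding graphics/display channels. Caveat: the channel is
/// not enabled by default on many Windows builds — TODO confirm per OS version —
/// so an absent or empty `.evtx` is not by itself suspicious; check the
/// channel's enabled state on the host before drawing conclusions, and pair
/// with the USBSTOR/SetupAPI artifacts when they exist in this catalogue.
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. MITRE mapping, fields, retention and volatility are
/// still unpopulated and should be filled in from the cited source.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DRIVERFRAMEWORKS_USERMODE_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_driverframeworks_usermode_operational",
    name: "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DriverFrameworks-UserMode\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' (UMDF host load/unload events; used to timeline USB/removable device connections).",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Raised from Low: removable-device timelines are a routine triage question
    // and this is one of the few event logs that answers it.
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};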
/// Descriptor for the 'Microsoft-Windows-Kernel-Power/Diagnostic' event log
/// channel.
///
/// This entry sits out of alphabetical order among the D-prefixed channels;
/// check that a second descriptor for the same channel does not exist in the
/// Kernel-* group, since duplicate `id`s would collide at lookup time.
/// Diagnostic-type channel (normally disabled; an absent `.evtx` is expected).
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_POWER_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_power_diagnostic",
        name: "Microsoft-Windows-Kernel-Power/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Power\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Power/Diagnostic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Dirver Proxy Performance' event log channel.
///
/// The spelling "Dirver" is reproduced from the cited channel list; do not
/// "correct" it without checking a live host, because the on-disk filename
/// must match the registered channel name exactly. The channel name contains
/// spaces, so path builders must not normalise them. Performance-type channel
/// (normally disabled; an absent `.evtx` is expected). `Low` triage; MITRE
/// mapping, fields, retention and volatility are not yet populated.
pub(crate) static EVTX_DIRVER_PROXY_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_dirver_proxy_performance",
    name: "Dirver Proxy Performance",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Dirver Proxy Performance.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Dirver Proxy Performance'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Driver Proxy Operational' event log channel.
///
/// The channel name contains spaces, so path builders must not normalise them.
/// The provider behind "Driver Proxy" is not identified in this descriptor;
/// treat the `Win7Plus` scope as a placeholder until confirmed. `Low` triage;
/// MITRE mapping, fields, retention and volatility are not yet populated.
pub(crate) static EVTX_DRIVER_PROXY_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_driver_proxy_operational",
    name: "Driver Proxy Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Driver Proxy Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Driver Proxy Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Duc Update Agent operational channel' event log channel.
///
/// The owning component ("Duc Update Agent") is not identified in this
/// descriptor beyond the name published by the cited source; an update-agent
/// log could matter for supply-chain questions, so its provenance and OS scope
/// should be confirmed before the `Low` triage is relied on. The channel name
/// contains spaces, so path builders must not normalise them. MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_DUC_UPDATE_AGENT_OPERATIONAL_CHANNEL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_duc_update_agent_operational_channel",
        name: "Duc Update Agent operational channel",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Duc Update Agent operational channel.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Duc Update Agent operational channel'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-Dwm-API/Diagnostic' event log channel.
///
/// Desktop Window Manager channel; Diagnostic-type (normally disabled, absent
/// `.evtx` expected). NOTE(review): on disk the '/' in the channel name is
/// encoded as '%4' in a flat Logs directory; confirm the collector maps this
/// `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DWM_API_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_dwm_api_diagnostic",
        name: "Microsoft-Windows-Dwm-API/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Dwm-API\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Dwm-API/Diagnostic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-Dwm-Compositor/Diagnostic' event log
/// channel.
///
/// Desktop Window Manager channel; Diagnostic-type (normally disabled, absent
/// `.evtx` expected). NOTE(review): on disk the '/' in the channel name is
/// encoded as '%4' in a flat Logs directory; confirm the collector maps this
/// `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DWM_COMPOSITOR_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_dwm_compositor_diagnostic",
    name: "Microsoft-Windows-Dwm-Compositor/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Dwm-Compositor\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Dwm-Compositor/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-Dwm-Core/Diagnostic' event log channel.
///
/// Desktop Window Manager channel; Diagnostic-type (normally disabled, absent
/// `.evtx` expected). NOTE(review): on disk the '/' in the channel name is
/// encoded as '%4' in a flat Logs directory; confirm the collector maps this
/// `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DWM_CORE_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_dwm_core_diagnostic",
        name: "Microsoft-Windows-Dwm-Core/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Dwm-Core\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Dwm-Core/Diagnostic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-Dwm-Dwm/Diagnostic' event log channel.
///
/// Desktop Window Manager channel; Diagnostic-type (normally disabled, absent
/// `.evtx` expected). NOTE(review): on disk the '/' in the channel name is
/// encoded as '%4' in a flat Logs directory; confirm the collector maps this
/// `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DWM_DWM_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_dwm_dwm_diagnostic",
        name: "Microsoft-Windows-Dwm-Dwm/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Dwm-Dwm\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Dwm-Dwm/Diagnostic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-Dwm-Redir/Diagnostic' event log channel.
///
/// Desktop Window Manager channel; Diagnostic-type (normally disabled, absent
/// `.evtx` expected). NOTE(review): on disk the '/' in the channel name is
/// encoded as '%4' in a flat Logs directory; confirm the collector maps this
/// `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DWM_REDIR_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_dwm_redir_diagnostic",
        name: "Microsoft-Windows-Dwm-Redir/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Dwm-Redir\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Dwm-Redir/Diagnostic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-Dwm-Udwm/Diagnostic' event log channel.
///
/// Desktop Window Manager channel; Diagnostic-type (normally disabled, absent
/// `.evtx` expected). NOTE(review): on disk the '/' in the channel name is
/// encoded as '%4' in a flat Logs directory; confirm the collector maps this
/// `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DWM_UDWM_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_dwm_udwm_diagnostic",
        name: "Microsoft-Windows-Dwm-Udwm/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Dwm-Udwm\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Dwm-Udwm/Diagnostic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-DxgKrnl/Diagnostic' event log channel.
///
/// DirectX graphics kernel channel; Diagnostic-type (normally disabled, absent
/// `.evtx` expected). NOTE(review): on disk the '/' in the channel name is
/// encoded as '%4' in a flat Logs directory; confirm the collector maps this
/// `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DXGKRNL_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_dxgkrnl_diagnostic",
        name: "Microsoft-Windows-DxgKrnl/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DxgKrnl\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-DxgKrnl/Diagnostic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-DxgKrnl/Performance' event log channel.
///
/// DirectX graphics kernel channel; Performance-type (normally disabled, absent
/// `.evtx` expected). NOTE(review): on disk the '/' in the channel name is
/// encoded as '%4' in a flat Logs directory; confirm the collector maps this
/// `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DXGKRNL_PERFORMANCE: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_dxgkrnl_performance",
        name: "Microsoft-Windows-DxgKrnl/Performance",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DxgKrnl\\Performance.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-DxgKrnl/Performance'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-DxgKrnl/Power' event log channel.
///
/// DirectX graphics kernel channel. Whether this channel is enabled by default
/// is not recorded here — TODO confirm before treating an absent `.evtx` as
/// meaningful. NOTE(review): on disk the '/' in the channel name is encoded as
/// '%4' in a flat Logs directory; confirm the collector maps this
/// `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DXGKRNL_POWER: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_dxgkrnl_power",
    name: "Microsoft-Windows-DxgKrnl/Power",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DxgKrnl\\Power.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DxgKrnl/Power'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-DxgKrnl-Admin' event log channel.
///
/// Unlike the sibling DxgKrnl descriptors this channel name uses a hyphen
/// rather than a '/', so the `.evtx` lives directly in the Logs directory
/// with no provider subfolder or '%4' encoding; the `file_path` here reflects
/// that. Admin-type channels are normally enabled. `Low` triage; MITRE mapping,
/// fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DXGKRNL_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_dxgkrnl_admin",
    name: "Microsoft-Windows-DxgKrnl-Admin",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DxgKrnl-Admin.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DxgKrnl-Admin'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-DxgKrnl-Operational' event log channel.
///
/// Unlike the sibling DxgKrnl descriptors this channel name uses a hyphen
/// rather than a '/', so the `.evtx` lives directly in the Logs directory
/// with no provider subfolder or '%4' encoding; the `file_path` here reflects
/// that. Operational-type channels are normally enabled. `Low` triage; MITRE
/// mapping, fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DXGKRNL_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_dxgkrnl_operational",
        name: "Microsoft-Windows-DxgKrnl-Operational",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DxgKrnl-Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-DxgKrnl-Operational'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-DxgKrnl/Contention' event log channel.
///
/// DirectX graphics kernel channel; whether it is enabled by default is not
/// recorded here — TODO confirm. NOTE(review): on disk the '/' in the channel
/// name is encoded as '%4' in a flat Logs directory; confirm the collector maps
/// this `Provider\Channel.evtx` form to that filename. `Low` triage; MITRE
/// mapping, fields, retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DXGKRNL_CONTENTION: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_dxgkrnl_contention",
        name: "Microsoft-Windows-DxgKrnl/Contention",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DxgKrnl\\Contention.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-DxgKrnl/Contention'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Descriptor for the 'Microsoft-Windows-DxpTaskRingtone/Analytic' event log
/// channel.
///
/// Analytic-type channel (normally disabled; an absent `.evtx` is expected).
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DXPTASKRINGTONE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_dxptaskringtone_analytic",
    name: "Microsoft-Windows-DxpTaskRingtone/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DxpTaskRingtone\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DxpTaskRingtone/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-DxpTaskSyncProvider/Analytic' event
/// log channel.
///
/// Analytic-type channel (normally disabled; an absent `.evtx` is expected).
/// NOTE(review): on disk the '/' in the channel name is encoded as '%4' in a
/// flat Logs directory; confirm the collector maps this `Provider\Channel.evtx`
/// form to that filename. `Low` triage; MITRE mapping, fields, retention and
/// volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_DXPTASKSYNCPROVIDER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_dxptasksyncprovider_analytic",
    name: "Microsoft-Windows-DxpTaskSyncProvider/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-DxpTaskSyncProvider\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-DxpTaskSyncProvider/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft Windows Information Protection Application
/// Learning Log Channel' event log channel.
///
/// Windows Information Protection (WIP, formerly EDP) "application learning"
/// records which apps touched enterprise-protected data, which is why this
/// entry is triaged `Medium` while the neighbouring graphics channels are
/// `Low`. WIP shipped with Windows 10, so `Win7Plus` is broader than the real
/// floor — TODO tighten if `OsScope` has a finer variant. The identifier and
/// `id` are truncated ("..._le") by whatever generated this file; keep `id`
/// stable, other descriptors may reference it. The channel name contains
/// spaces, so path builders must not normalise them. MITRE mapping, fields,
/// retention and volatility are not yet populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_INFORMATION_PROTECTION_APPLICATION_LE: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_information_protection_application_le",
    name: "Microsoft Windows Information Protection Application Learning Log Channel",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft Windows Information Protection Application Learning Log Channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft Windows Information Protection Application Learning Log Channel'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
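/// Descriptor for the 'Microsoft Windows Information Protection Audit Regular
/// Channel' event log channel.
///
/// Windows Information Protection (WIP, formerly EDP) audit channel: it records
/// policy audit events such as a user overriding a protection prompt to move
/// enterprise data to a non-enterprise location. That is directly relevant to
/// data-exfiltration triage, so it is raised to `Medium` — the same level the
/// sibling Application Learning descriptor already uses; leaving the audit
/// channel at `Low` while the learning channel is `Medium` was inconsistent.
/// WIP shipped with Windows 10, so `Win7Plus` is broader than the real floor —
/// TODO tighten if `OsScope` has a finer variant. A separate descriptor exists
/// for the 'Microsoft Windows EDP Audit Regular Channel' name; whether the two
/// names denote the same on-disk log should be confirmed so the two are not
/// double-counted. The channel name contains spaces, so path builders must not
/// normalise them. MITRE mapping, fields, retention and volatility are not yet
/// populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_INFORMATION_PROTECTION_AUDIT_REGULAR: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_information_protection_audit_regular",
    name: "Microsoft Windows Information Protection Audit Regular Channel",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft Windows Information Protection Audit Regular Channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft Windows Information Protection Audit Regular Channel' (WIP policy audit events, e.g. user overrides moving enterprise data to non-enterprise locations).",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Raised from Low to match the sibling WIP descriptor and reflect the
    // channel's data-protection audit content.
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};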
/// Event Log channel `Microsoft Windows EDP Audit Regular Channel` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): "EDP" (Enterprise Data Protection) is the pre-release name of Windows
/// Information Protection; this likely overlaps `EVTX_MICROSOFT_WINDOWS_INFORMATION_PROTECTION_AUDIT_REGULAR`
/// and `Win7Plus` is probably too broad — confirm before relying on either.
pub(crate) static EVTX_MICROSOFT_WINDOWS_EDP_AUDIT_REGULAR_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_edp_audit_regular_channel",
name: "Microsoft Windows EDP Audit Regular Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft Windows EDP Audit Regular Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft Windows EDP Audit Regular Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft Windows Information Protection Audit TCB Channel` (Low triage).
/// The `id` is a truncated form ending in `_tcb_chan`; `name` and `file_path` carry the full
/// channel identity. No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): likely the same channel as `EVTX_MICROSOFT_WINDOWS_EDP_AUDIT_TCB_CHANNEL`
/// under the newer WIP name — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_INFORMATION_PROTECTION_AUDIT_TCB_CHAN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_information_protection_audit_tcb_chan",
name: "Microsoft Windows Information Protection Audit TCB Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft Windows Information Protection Audit TCB Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft Windows Information Protection Audit TCB Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft Windows EDP Audit TCB Channel` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): "EDP" is the earlier name of Windows Information Protection; this probably
/// duplicates `EVTX_MICROSOFT_WINDOWS_INFORMATION_PROTECTION_AUDIT_TCB_CHAN` — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_EDP_AUDIT_TCB_CHANNEL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_edp_audit_tcb_channel",
name: "Microsoft Windows EDP Audit TCB Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft Windows EDP Audit TCB Channel.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft Windows EDP Audit TCB Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-EFS/Debug` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Debug channels are normally disabled, so the `.evtx` is usually absent;
/// do not read its absence as tampering — confirm the collector's missing-file handling.
pub(crate) static EVTX_MICROSOFT_WINDOWS_EFS_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_efs_debug",
name: "Microsoft-Windows-EFS/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-EFS\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-EFS/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-EFS/Operational` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): EFS is the Encrypting File System; this channel is presumably worth
/// raising above Low when file-encryption activity is in scope — left as generated, confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_EFS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_efs_operational",
name: "Microsoft-Windows-EFS/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-EFS\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-EFS/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft Windows ELS Hyphenation Analytic Channel` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Analytic channels are normally disabled, so the `.evtx` is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ELS_HYPHENATION_ANALYTIC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_els_hyphenation_analytic_channel",
name: "Microsoft Windows ELS Hyphenation Analytic Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft Windows ELS Hyphenation Analytic Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft Windows ELS Hyphenation Analytic Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Policy-based QoS/Operational` (Low triage).
/// The provider directory name contains a space (`Policy-based QoS`), preserved verbatim in
/// `file_path`. No MITRE techniques, field decoders, retention or volatility data are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_POLICY_BASED_QOS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_policy_based_qos_operational",
name: "Microsoft-Windows-Policy-based QoS/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Policy-based QoS\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Policy-based QoS/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Policy-based QoS/Analytic` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Analytic channels are normally disabled, so the `.evtx` is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_POLICY_BASED_QOS_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_policy_based_qos_analytic",
name: "Microsoft-Windows-Policy-based QoS/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Policy-based QoS\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Policy-based QoS/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ESE/IODiagnose` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ESE_IODIAGNOSE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ese_iodiagnose",
name: "Microsoft-Windows-ESE/IODiagnose",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ESE\\IODiagnose.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ESE/IODiagnose'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ESE/Operational` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ESE_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ese_operational",
name: "Microsoft-Windows-ESE/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ESE\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ESE/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-EapHost/Operational` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): EapHost presumably covers EAP-based (802.1X / VPN) authentication, so this
/// is likely of interest for network-authentication reviews — confirm before re-prioritising.
pub(crate) static EVTX_MICROSOFT_WINDOWS_EAPHOST_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_eaphost_operational",
name: "Microsoft-Windows-EapHost/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-EapHost\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-EapHost/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-EapHost/Analytic` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Analytic channels are normally disabled, so the `.evtx` is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_EAPHOST_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_eaphost_analytic",
name: "Microsoft-Windows-EapHost/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-EapHost\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-EapHost/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-EapHost/Debug` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Debug channels are normally disabled, so the `.evtx` is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_EAPHOST_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_eaphost_debug",
name: "Microsoft-Windows-EapHost/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-EapHost\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-EapHost/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel named simply `Operational Channel` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): `name` carries no provider prefix and `file_path` is a flat
/// `Operational Channel.evtx`, which looks like a manifest display name rather than a real
/// channel — confirm the file exists on a reference host before keeping this descriptor.
pub(crate) static EVTX_OPERATIONAL_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_operational_channel",
name: "Operational Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Operational Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Operational Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-EaseOfAccess/Diagnostic` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Diagnostic channels are normally disabled, so the `.evtx` is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_EASEOFACCESS_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_easeofaccess_diagnostic",
name: "Microsoft-Windows-EaseOfAccess/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-EaseOfAccess\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-EaseOfAccess/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-EmbeddedAppLauncher/Admin` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_EMBEDDEDAPPLAUNCHER_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_embeddedapplauncher_admin",
name: "Microsoft-Windows-EmbeddedAppLauncher/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-EmbeddedAppLauncher\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-EmbeddedAppLauncher/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Energy-Estimation-Engine/EventLog` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ENERGY_ESTIMATION_ENGINE_EVENTLOG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_energy_estimation_engine_eventlog",
name: "Microsoft-Windows-Energy-Estimation-Engine/EventLog",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Energy-Estimation-Engine\\EventLog.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Energy-Estimation-Engine/EventLog'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Energy-Estimation-Engine/Trace` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): trace-style channels are normally disabled, so the `.evtx` is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ENERGY_ESTIMATION_ENGINE_TRACE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_energy_estimation_engine_trace",
name: "Microsoft-Windows-Energy-Estimation-Engine/Trace",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Energy-Estimation-Engine\\Trace.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Energy-Estimation-Engine/Trace'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Diagnostic channels are normally disabled, so the `.evtx` is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_POWEREFFICIENCYDIAGNOSTICS_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_powerefficiencydiagnostics_diagnostic",
name: "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PowerEfficiencyDiagnostics\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-EnhancedStorage-EhStorClass/Operational` (Low triage).
/// The `id` is a truncated form ending in `_operation`; `name` and `file_path` carry the full
/// channel identity. No MITRE techniques, field decoders, retention or volatility data are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ENHANCEDSTORAGE_EHSTORCLASS_OPERATION: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_enhancedstorage_ehstorclass_operation",
name: "Microsoft-Windows-EnhancedStorage-EhStorClass/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-EnhancedStorage-EhStorClass\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-EnhancedStorage-EhStorClass/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): "TcgDrv" presumably refers to the TCG self-encrypting-drive driver, and
/// Analytic channels are normally disabled, so the `.evtx` is usually absent — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ENHANCEDSTORAGE_EHSTORTCGDRV_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_enhancedstorage_ehstortcgdrv_analytic",
name: "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-EnhancedStorage-EhStorTcgDrv\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-EnrollmentPolicyWebService/Admin` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): presumably the Certificate Enrollment Policy Web Service (CEP) role; on a
/// PKI server this is a certificate-issuance audit source — confirm before re-prioritising.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ENROLLMENTPOLICYWEBSERVICE_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_enrollmentpolicywebservice_admin",
name: "Microsoft-Windows-EnrollmentPolicyWebService/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-EnrollmentPolicyWebService\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-EnrollmentPolicyWebService/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-EnrollmentWebService/Admin` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): presumably the Certificate Enrollment Web Service (CES) role, the
/// counterpart of `EVTX_MICROSOFT_WINDOWS_ENROLLMENTPOLICYWEBSERVICE_ADMIN` — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ENROLLMENTWEBSERVICE_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_enrollmentwebservice_admin",
name: "Microsoft-Windows-EnrollmentWebService/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-EnrollmentWebService\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-EnrollmentWebService/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-FMS/Analytic` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Analytic channels are normally disabled, so the `.evtx` is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FMS_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_fms_analytic",
name: "Microsoft-Windows-FMS/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FMS\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FMS/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-FailoverClustering-Client/Diagnostic` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Diagnostic channels are normally disabled, and the provider is only present
/// where the Failover Clustering feature is installed — the `.evtx` is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FAILOVERCLUSTERING_CLIENT_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_failoverclustering_client_diagnostic",
name: "Microsoft-Windows-FailoverClustering-Client/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FailoverClustering-Client\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FailoverClustering-Client/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-FailoverClustering-Client/Operational` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): the provider is presumably only present where Failover Clustering is
/// installed, so the file will be missing on most workstations — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FAILOVERCLUSTERING_CLIENT_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_failoverclustering_client_operational",
name: "Microsoft-Windows-FailoverClustering-Client/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FailoverClustering-Client\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FailoverClustering-Client/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-FailoverClustering-Manager/Diagnostic` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Diagnostic channels are normally disabled, so the `.evtx` is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FAILOVERCLUSTERING_MANAGER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_failoverclustering_manager_diagnostic",
name: "Microsoft-Windows-FailoverClustering-Manager/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FailoverClustering-Manager\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FailoverClustering-Manager/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-FailoverClustering-Manager/Admin` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FAILOVERCLUSTERING_MANAGER_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_failoverclustering_manager_admin",
name: "Microsoft-Windows-FailoverClustering-Manager/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FailoverClustering-Manager\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FailoverClustering-Manager/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Fault-Tolerant-Heap/Operational` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): FTH records processes that crashed repeatedly on heap corruption; it can
/// corroborate memory-corruption exploitation attempts against a process — confirm before
/// re-prioritising.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FAULT_TOLERANT_HEAP_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_fault_tolerant_heap_operational",
name: "Microsoft-Windows-Fault-Tolerant-Heap/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Fault-Tolerant-Heap\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Fault-Tolerant-Heap/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-FederationServices-Deployment/Operational` (Low triage).
/// The `id` is a truncated form ending in `_operati`; `name` and `file_path` carry the full
/// channel identity. No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): presumably the AD FS deployment/configuration log, so on a federation server it
/// is an identity-infrastructure change record — confirm before re-prioritising.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FEDERATIONSERVICES_DEPLOYMENT_OPERATI: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_federationservices_deployment_operati",
name: "Microsoft-Windows-FederationServices-Deployment/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FederationServices-Deployment\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FederationServices-Deployment/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Feedback-Service-TriggerProvider` (Low triage).
/// Unlike most entries here the `name` has no `/Channel` suffix and the `file_path` is a flat
/// `.evtx` under `Logs\`. No MITRE techniques, field decoders, retention or volatility data are recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FEEDBACK_SERVICE_TRIGGERPROVIDER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_feedback_service_triggerprovider",
name: "Microsoft-Windows-Feedback-Service-TriggerProvider",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Feedback-Service-TriggerProvider.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Feedback-Service-TriggerProvider'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-FileHistory-Catalog/Debug` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Debug channels are normally disabled, so the `.evtx` is usually absent; File
/// History also first appeared in Windows 8, so `Win7Plus` looks too broad — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FILEHISTORY_CATALOG_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_filehistory_catalog_debug",
name: "Microsoft-Windows-FileHistory-Catalog/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FileHistory-Catalog\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FileHistory-Catalog/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-FileHistory-ConfigManager/Debug` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Debug channels are normally disabled, so the `.evtx` is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FILEHISTORY_CONFIGMANAGER_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_filehistory_configmanager_debug",
name: "Microsoft-Windows-FileHistory-ConfigManager/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FileHistory-ConfigManager\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FileHistory-ConfigManager/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-FileHistory-Core/WHC` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): "WHC" is an unusual channel suffix with no obvious meaning from the
/// descriptor itself — confirm it is not a manifest artefact before relying on the path.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FILEHISTORY_CORE_WHC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_filehistory_core_whc",
name: "Microsoft-Windows-FileHistory-Core/WHC",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FileHistory-Core\\WHC.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FileHistory-Core/WHC'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-FileHistory-Engine/BackupLog` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): `EVTX_FILE_HISTORY_BACKUP_LOG` ("File History backup log") looks like the
/// display-name form of this same channel — confirm which path actually exists on disk.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FILEHISTORY_ENGINE_BACKUPLOG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_filehistory_engine_backuplog",
name: "Microsoft-Windows-FileHistory-Engine/BackupLog",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FileHistory-Engine\\BackupLog.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FileHistory-Engine/BackupLog'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-FileHistory-Engine/Debug` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): Debug channels are normally disabled, so the `.evtx` is usually absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FILEHISTORY_ENGINE_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_filehistory_engine_debug",
name: "Microsoft-Windows-FileHistory-Engine/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FileHistory-Engine\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FileHistory-Engine/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `File History backup log` (Low triage).
/// No MITRE techniques, field decoders, retention or volatility data are recorded.
/// NOTE(review): `name` has no provider prefix and `file_path` is a flat file name, which looks
/// like the display name of `EVTX_MICROSOFT_WINDOWS_FILEHISTORY_ENGINE_BACKUPLOG` rather than
/// a separate channel — confirm the file exists before keeping both descriptors.
pub(crate) static EVTX_FILE_HISTORY_BACKUP_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_file_history_backup_log",
name: "File History backup log",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\File History backup log.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'File History backup log'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-FileHistory-Service/Debug'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-FileHistory-Service\Debug.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FILEHISTORY_SERVICE_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_filehistory_service_debug",
name: "Microsoft-Windows-FileHistory-Service/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FileHistory-Service\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FileHistory-Service/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low, // Debug channel: low signal for triage
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-FileHistory-UI-Events/Debug'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-FileHistory-UI-Events\Debug.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FILEHISTORY_UI_EVENTS_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_filehistory_ui_events_debug",
name: "Microsoft-Windows-FileHistory-UI-Events/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FileHistory-UI-Events\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FileHistory-UI-Events/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-FileHistory-UI-Events/Analytic'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-FileHistory-UI-Events\Analytic.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
// NOTE(review): Analytic channels are typically off by default; an empty or missing file is the
// expected state on a stock host — confirm before treating it as evidence of log clearing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FILEHISTORY_UI_EVENTS_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_filehistory_ui_events_analytic",
name: "Microsoft-Windows-FileHistory-UI-Events/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FileHistory-UI-Events\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FileHistory-UI-Events/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-FileInfoMinifilter/Operational'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-FileInfoMinifilter\Operational.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FILEINFOMINIFILTER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_fileinfominifilter_operational",
name: "Microsoft-Windows-FileInfoMinifilter/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FileInfoMinifilter\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FileInfoMinifilter/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-FileManagerApp/Operational'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-FileManagerApp\Operational.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FILEMANAGERAPP_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_filemanagerapp_operational",
name: "Microsoft-Windows-FileManagerApp/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FileManagerApp\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FileManagerApp/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-FileManagerDataModel/Operational'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-FileManagerDataModel\Operational.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FILEMANAGERDATAMODEL_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_filemanagerdatamodel_operational",
name: "Microsoft-Windows-FileManagerDataModel/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FileManagerDataModel\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FileManagerDataModel/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-Firewall-CPL/Diagnostic'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Firewall-CPL\Diagnostic.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet. This is one of the few channels in this stretch rated `Medium` rather than
/// `Low`, presumably because it relates to the firewall control panel.
// NOTE(review): Diagnostic channels are typically disabled by default, so the file may be
// absent on an untouched host — worth stating in `evidence_caveats` once confirmed.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FIREWALL_CPL_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_firewall_cpl_diagnostic",
name: "Microsoft-Windows-Firewall-CPL/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Firewall-CPL\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Firewall-CPL/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Setup splash window performance'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Setup splash window performance.evtx`
/// (spaces in the file name). Uses `Decoder::Identity`; no fields, MITRE techniques, retention
/// or evidence metadata are recorded yet.
pub(crate) static EVTX_SETUP_SPLASH_WINDOW_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_setup_splash_window_performance",
name: "Setup splash window performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Setup splash window performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Setup splash window performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-Folder Redirection/Operational'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Folder Redirection\Operational.evtx`
/// (space inside the provider directory name). Uses `Decoder::Identity`; no fields, MITRE
/// techniques, retention or evidence metadata are recorded yet.
// NOTE(review): folder redirection is driven by Group Policy; if the GroupPolicy/Operational
// descriptor is ever promoted for triage, consider linking the two via `related_artifacts`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FOLDER_REDIRECTION_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_folder_redirection_operational",
name: "Microsoft-Windows-Folder Redirection/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Folder Redirection\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Folder Redirection/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-FunctionDiscoveryHost/Tracing'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-FunctionDiscoveryHost\Tracing.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FUNCTIONDISCOVERYHOST_TRACING: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_functiondiscoveryhost_tracing",
name: "Microsoft-Windows-FunctionDiscoveryHost/Tracing",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FunctionDiscoveryHost\\Tracing.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FunctionDiscoveryHost/Tracing'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low, // tracing channel: low triage value
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-GenericRoaming/Admin'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-GenericRoaming\Admin.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_GENERICROAMING_ADMIN: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_genericroaming_admin",
name: "Microsoft-Windows-GenericRoaming/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-GenericRoaming\\Admin.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-GenericRoaming/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-GettingStarted/Diagnostic'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-GettingStarted\Diagnostic.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_GETTINGSTARTED_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_gettingstarted_diagnostic",
name: "Microsoft-Windows-GettingStarted/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-GettingStarted\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-GettingStarted/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-FontGroups/Diagnostic'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-FontGroups\Diagnostic.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_FONTGROUPS_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_fontgroups_diagnostic",
name: "Microsoft-Windows-FontGroups/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-FontGroups\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-FontGroups/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft Windows.Globalization API Analytic Channel'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft Windows.Globalization API Analytic Channel.evtx`
/// (a flat file name containing spaces and a dot, unlike the `Provider\Channel.evtx` layout of
/// most neighbours). Uses `Decoder::Identity`; no fields, MITRE techniques, retention or
/// evidence metadata are recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_GLOBALIZATION_API_ANALYTIC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_globalization_api_analytic_channel",
name: "Microsoft Windows.Globalization API Analytic Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft Windows.Globalization API Analytic Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft Windows.Globalization API Analytic Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-GroupPolicy/Operational'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-GroupPolicy\Operational.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
// NOTE(review): this channel records policy processing on the host, which is commonly
// consulted when investigating configuration changes pushed through GPO; a `Low` triage
// priority with no MITRE mapping may under-weight it relative to its neighbours — confirm
// against the project's triage policy rather than the generator default.
pub(crate) static EVTX_MICROSOFT_WINDOWS_GROUPPOLICY_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_grouppolicy_operational",
name: "Microsoft-Windows-GroupPolicy/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-GroupPolicy\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-GroupPolicy/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low, // NOTE(review): see header comment — possibly too low
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-HAL/Debug'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HAL\Debug.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HAL_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_hal_debug",
name: "Microsoft-Windows-HAL/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HAL\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HAL/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-HealthCenter/Debug'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HealthCenter\Debug.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HEALTHCENTER_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_healthcenter_debug",
name: "Microsoft-Windows-HealthCenter/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HealthCenter\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HealthCenter/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-HealthCenter/Performance'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HealthCenter\Performance.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HEALTHCENTER_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_healthcenter_performance",
name: "Microsoft-Windows-HealthCenter/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HealthCenter\\Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HealthCenter/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-HealthCenterCPL/Performance'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HealthCenterCPL\Performance.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HEALTHCENTERCPL_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_healthcentercpl_performance",
name: "Microsoft-Windows-HealthCenterCPL/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HealthCenterCPL\\Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HealthCenterCPL/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-HelloForBusiness/Operational'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness\Operational.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
// NOTE(review): this channel covers a credential/authentication feature, so a `Low` priority
// with no MITRE mapping looks like a generator default rather than a deliberate rating;
// likewise `Win7Plus` is the table-wide default and may be wider than the feature's real
// availability — confirm both before relying on them for triage.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HELLOFORBUSINESS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_helloforbusiness_operational",
name: "Microsoft-Windows-HelloForBusiness/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HelloForBusiness\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HelloForBusiness/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-HelloForBusiness/Debug'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness\Debug.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
// NOTE(review): Debug channels are usually disabled unless explicitly enabled, so the file is
// often absent; consider recording that in `evidence_caveats` once confirmed.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HELLOFORBUSINESS_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_helloforbusiness_debug",
name: "Microsoft-Windows-HelloForBusiness/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HelloForBusiness\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HelloForBusiness/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-Help/Operational'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Help\Operational.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HELP_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_help_operational",
name: "Microsoft-Windows-Help/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Help\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Help/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-HomeGroup Control Panel/Operational'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HomeGroup Control Panel\Operational.evtx`
/// (spaces inside the provider directory name). Uses `Decoder::Identity`; no fields, MITRE
/// techniques, retention or evidence metadata are recorded yet.
// NOTE(review): `Win7Plus` is the table-wide default; HomeGroup was retired from later Windows
// releases, so an upper bound on `os_scope` may be more accurate — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HOMEGROUP_CONTROL_PANEL_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_homegroup_control_panel_operational",
name: "Microsoft-Windows-HomeGroup Control Panel/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HomeGroup Control Panel\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HomeGroup Control Panel/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HomeGroup Control Panel Performance\Diagnostic.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
// NOTE(review): the `id` (and this static's name) is cut off at 60 characters
// ("..._performance_d" rather than "..._performance_diagnostic"), which looks like a generator
// length limit. If `id` is the lookup key used by `related_artifacts` elsewhere, renaming it is
// a breaking change — confirm consumers before fixing. A 60-char cap could also make two long
// channel names collide; worth a uniqueness check over the whole table.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HOMEGROUP_CONTROL_PANEL_PERFORMANCE_D: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_homegroup_control_panel_performance_d",
name: "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HomeGroup Control Panel Performance\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-HomeGroup-ListenerService'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HomeGroup-ListenerService.evtx`
/// (flat file name, no `Provider\Channel` split). Uses `Decoder::Identity`; no fields, MITRE
/// techniques, retention or evidence metadata are recorded yet.
// NOTE(review): the next entry, 'Microsoft-Windows-HomeGroup Listener Service/Operational',
// may describe the same log under a different spelling from the upstream list — confirm which
// path exists on disk before treating them as distinct artifacts.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HOMEGROUP_LISTENERSERVICE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_homegroup_listenerservice",
name: "Microsoft-Windows-HomeGroup-ListenerService",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HomeGroup-ListenerService.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HomeGroup-ListenerService'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-HomeGroup Listener Service/Operational'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HomeGroup Listener Service\Operational.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
// NOTE(review): the `id` and static name are truncated at 60 characters ("..._operationa");
// see the same issue on the HomeGroup Control Panel Performance entry. Confirm that nothing
// references this id by string before correcting it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HOMEGROUP_LISTENER_SERVICE_OPERATIONA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_homegroup_listener_service_operationa",
name: "Microsoft-Windows-HomeGroup Listener Service/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HomeGroup Listener Service\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HomeGroup Listener Service/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-HomeGroup Provider Service/Operational'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HomeGroup Provider Service\Operational.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
// NOTE(review): `id` and static name are truncated at 60 characters ("..._operationa") —
// generator length limit; confirm no string consumers before renaming.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HOMEGROUP_PROVIDER_SERVICE_OPERATIONA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_homegroup_provider_service_operationa",
name: "Microsoft-Windows-HomeGroup Provider Service/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HomeGroup Provider Service\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HomeGroup Provider Service/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HomeGroup Provider Service Performance\Diagnostic.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
// NOTE(review): `id` and static name are truncated at 60 characters ("..._performanc"), which
// drops the "/Diagnostic" part of the channel name entirely; the `name` field is the reliable
// identifier here. Confirm no string consumers before renaming.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HOMEGROUP_PROVIDER_SERVICE_PERFORMANC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_homegroup_provider_service_performanc",
name: "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HomeGroup Provider Service Performance\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-HotStart/Diagnostic'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HotStart\Diagnostic.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HOTSTART_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_hotstart_diagnostic",
name: "Microsoft-Windows-HotStart/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HotStart\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HotStart/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-HotspotAuth/Analytic'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HotspotAuth\Analytic.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet. The Operational sibling of this provider is the next descriptor.
// NOTE(review): Analytic channels are typically disabled by default, so absence of this file
// is the normal state — confirm before citing it in `evidence_caveats`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HOTSPOTAUTH_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_hotspotauth_analytic",
name: "Microsoft-Windows-HotspotAuth/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HotspotAuth\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HotspotAuth/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-HotspotAuth/Operational'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HotspotAuth\Operational.evtx`.
/// Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence metadata are
/// recorded yet. Sibling of the HotspotAuth/Analytic descriptor above.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HOTSPOTAUTH_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_hotspotauth_operational",
name: "Microsoft-Windows-HotspotAuth/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-HotspotAuth\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-HotspotAuth/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'HTTP Log Channel'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\HTTP Log Channel.evtx` (flat file name with
/// spaces). Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence
/// metadata are recorded yet.
// NOTE(review): a channel named for the HTTP stack may be more useful in web-server or
// lateral-movement investigations than `Low` suggests; the rating looks like the generator
// default — confirm against the triage policy.
pub(crate) static EVTX_HTTP_LOG_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_http_log_channel",
name: "HTTP Log Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\HTTP Log Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'HTTP Log Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'HTTP Service Channel'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\HTTP Service Channel.evtx` (flat file name
/// with spaces). Uses `Decoder::Identity`; no fields, MITRE techniques, retention or evidence
/// metadata are recorded yet. Companion to the 'HTTP Log Channel' descriptor above; neither
/// links to the other via `related_artifacts` yet.
pub(crate) static EVTX_HTTP_SERVICE_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_http_service_channel",
name: "HTTP Service Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\HTTP Service Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'HTTP Service Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-Hyper-V-Compute-Analytic'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Hyper-V-Compute-Analytic.evtx`
/// (flat file name, no `Provider\Channel` split). Uses `Decoder::Identity`; no fields, MITRE
/// techniques, retention or evidence metadata are recorded yet.
// NOTE(review): `Win7Plus` is the table-wide default; the Hyper-V compute service is a newer
// component, so the real lower bound is probably higher — confirm before narrowing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HYPER_V_COMPUTE_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_hyper_v_compute_analytic",
name: "Microsoft-Windows-Hyper-V-Compute-Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Hyper-V-Compute-Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Hyper-V-Compute-Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Windows-Hyper-V-Compute-Admin'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Hyper-V-Compute-Admin.evtx`
/// (flat file name). Uses `Decoder::Identity`; no fields, MITRE techniques, retention or
/// evidence metadata are recorded yet.
// NOTE(review): Admin channels of virtualization components can matter when investigating
// container or VM activity on a host; `Low` here looks like the generator default — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HYPER_V_COMPUTE_ADMIN: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_hyper_v_compute_admin",
name: "Microsoft-Windows-Hyper-V-Compute-Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Hyper-V-Compute-Admin.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Hyper-V-Compute-Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Hyper-V-Guest-Drivers-Admin'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Hyper-V-Guest-Drivers-Admin.evtx`
/// (flat file name, provider without the "Windows-" infix). Uses `Decoder::Identity`; no
/// fields, MITRE techniques, retention or evidence metadata are recorded yet.
// NOTE(review): 'Microsoft-Windows-Hyper-V-Guest-Drivers/Admin' further down points at a
// different path for what may be the same channel; the upstream list likely carries both
// spellings. Confirm which file exists on a real guest before keeping both descriptors.
pub(crate) static EVTX_MICROSOFT_HYPER_V_GUEST_DRIVERS_ADMIN: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_hyper_v_guest_drivers_admin",
name: "Microsoft-Hyper-V-Guest-Drivers-Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Hyper-V-Guest-Drivers-Admin.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Hyper-V-Guest-Drivers-Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel 'Microsoft-Hyper-V-Guest-Drivers-Analytic'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Hyper-V-Guest-Drivers-Analytic.evtx`
/// (flat file name, provider without the "Windows-" infix). Uses `Decoder::Identity`; no
/// fields, MITRE techniques, retention or evidence metadata are recorded yet.
// NOTE(review): Analytic channels are usually off by default; the file may be absent on a
// guest that never had it enabled — confirm before interpreting absence.
pub(crate) static EVTX_MICROSOFT_HYPER_V_GUEST_DRIVERS_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_hyper_v_guest_drivers_analytic",
name: "Microsoft-Hyper-V-Guest-Drivers-Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Hyper-V-Guest-Drivers-Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Hyper-V-Guest-Drivers-Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the Windows Event Log channel
/// 'Microsoft-Windows-Hyper-V-Guest-Drivers/Admin'.
///
/// Backing file: `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Hyper-V-Guest-Drivers\Admin.evtx`
/// (`Provider\Channel` layout). Uses `Decoder::Identity`; no fields, MITRE techniques,
/// retention or evidence metadata are recorded yet.
// NOTE(review): overlaps in purpose with 'Microsoft-Hyper-V-Guest-Drivers-Admin' above, which
// uses a flat file name; only one of the two paths is likely to exist on a given guest —
// confirm and consider cross-linking them via `related_artifacts`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HYPER_V_GUEST_DRIVERS_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_hyper_v_guest_drivers_admin",
name: "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Hyper-V-Guest-Drivers/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. The channel name suggests a diagnostic-type channel, which
/// are typically off by default, so a missing file is expected — confirm.
/// Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HYPER_V_GUEST_DRIVERS_DIAGNOSE: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_hyper_v_guest_drivers_diagnose",
    name: "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers\\Diagnose.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-Hyper-V-Guest-Drivers/Debug` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Debug-type channels are normally disabled by default, so a
/// missing file is expected and is not by itself evidence of log clearing.
/// Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HYPER_V_GUEST_DRIVERS_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_hyper_v_guest_drivers_debug",
    name: "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers\\Debug.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Hyper-V-Guest-Drivers/Debug'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-Hyper-V-Hypervisor-Operational` channel.
///
/// The channel name carries no `/` component, so the log is addressed as a flat
/// file directly under `winevt\Logs`.
/// NOTE(review): presumably present only on hosts running the Hyper-V role;
/// confirm before treating a missing file as anomalous. Triage metadata is
/// left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HYPER_V_HYPERVISOR_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_hyper_v_hypervisor_operational",
    name: "Microsoft-Windows-Hyper-V-Hypervisor-Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Hyper-V-Hypervisor-Operational.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Hyper-V-Hypervisor-Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-Hyper-V-Hypervisor-Admin` channel.
///
/// The channel name carries no `/` component, so the log is addressed as a flat
/// file directly under `winevt\Logs`.
/// NOTE(review): presumably present only on hosts running the Hyper-V role;
/// confirm before treating a missing file as anomalous. Triage metadata is
/// left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HYPER_V_HYPERVISOR_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_hyper_v_hypervisor_admin",
    name: "Microsoft-Windows-Hyper-V-Hypervisor-Admin",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Hyper-V-Hypervisor-Admin.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Hyper-V-Hypervisor-Admin'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-Hyper-V-KMCL-Child/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HYPER_V_KMCL_CHILD_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_hyper_v_kmcl_child_analytic",
    name: "Microsoft-Windows-Hyper-V-KMCL-Child/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Hyper-V-KMCL-Child\\Analytic.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Hyper-V-KMCL-Child/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-Hyper-V-NETVSC/Diagnostic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. The channel name suggests a diagnostic-type channel, which
/// are typically off by default, so a missing file is expected — confirm.
/// Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HYPER_V_NETVSC_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_hyper_v_netvsc_diagnostic",
    name: "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Hyper-V-NETVSC\\Diagnostic.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Hyper-V-NETVSC/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-Hyper-V-VID-Analytic` channel.
///
/// The channel name carries no `/` component, so the log is addressed as a flat
/// file directly under `winevt\Logs`.
/// NOTE(review): Analytic-type channels are normally disabled by default, so a
/// missing file is expected and is not by itself evidence of log clearing;
/// presumably only hosts with the Hyper-V role register it at all. Triage
/// metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HYPER_V_VID_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_hyper_v_vid_analytic",
    name: "Microsoft-Windows-Hyper-V-VID-Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Hyper-V-VID-Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Hyper-V-VID-Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-Hyper-V-VID-Admin` channel.
///
/// The channel name carries no `/` component, so the log is addressed as a flat
/// file directly under `winevt\Logs`.
/// NOTE(review): presumably present only on hosts running the Hyper-V role;
/// confirm before treating a missing file as anomalous. Triage metadata is
/// left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_HYPER_V_VID_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_hyper_v_vid_admin",
    name: "Microsoft-Windows-Hyper-V-VID-Admin",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Hyper-V-VID-Admin.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Hyper-V-VID-Admin'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IE-SmartScreen` channel.
///
/// The channel name carries no `/` component, so the log is addressed as a flat
/// file directly under `winevt\Logs`.
/// NOTE(review): SmartScreen reputation decisions bear on download and
/// user-execution triage, so the `Low` priority set here may be worth
/// revisiting once the channel's actual event content has been reviewed —
/// confirm before changing it. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IE_SMARTSCREEN: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ie_smartscreen",
    name: "Microsoft-Windows-IE-SmartScreen",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IE-SmartScreen.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IE-SmartScreen'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IIS-Configuration/Debug` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Debug-type channels are normally disabled by default, and
/// the provider presumably exists only where IIS is installed, so a missing
/// file is expected. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IIS_CONFIGURATION_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_iis_configuration_debug",
    name: "Microsoft-Windows-IIS-Configuration/Debug",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IIS-Configuration\\Debug.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IIS-Configuration/Debug'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IIS-Configuration/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// and the provider presumably exists only where IIS is installed, so a
/// missing file is expected. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IIS_CONFIGURATION_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_iis_configuration_analytic",
    name: "Microsoft-Windows-IIS-Configuration/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IIS-Configuration\\Analytic.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IIS-Configuration/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IIS-Configuration/Administrative` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. The provider presumably exists only where IIS is
/// installed; confirm before treating a missing file as anomalous. Triage
/// metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IIS_CONFIGURATION_ADMINISTRATIVE: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_iis_configuration_administrative",
    name: "Microsoft-Windows-IIS-Configuration/Administrative",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IIS-Configuration\\Administrative.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IIS-Configuration/Administrative'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IIS-Configuration/Operational` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. The provider presumably exists only where IIS is
/// installed; confirm before treating a missing file as anomalous. Triage
/// metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IIS_CONFIGURATION_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_iis_configuration_operational",
    name: "Microsoft-Windows-IIS-Configuration/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IIS-Configuration\\Operational.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IIS-Configuration/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `IIS Diagnostics Channel` channel.
///
/// NOTE(review): the channel name has no provider prefix and contains spaces,
/// and the file name is used literally; confirm the on-disk name on a live IIS
/// host before relying on this path. Presumably absent where IIS is not
/// installed. Triage metadata is left unset in this entry.
pub(crate) static EVTX_IIS_DIAGNOSTICS_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_iis_diagnostics_channel",
    name: "IIS Diagnostics Channel",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\IIS Diagnostics Channel.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'IIS Diagnostics Channel'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-Broker/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_BROKER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_broker_analytic",
    name: "Microsoft-Windows-IME-Broker/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-Broker\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-Broker/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-CandidateUI/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_CANDIDATEUI_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_candidateui_analytic",
    name: "Microsoft-Windows-IME-CandidateUI/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-CandidateUI\\Analytic.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-CandidateUI/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-CustomerFeedbackManager/Debug` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Debug-type channels are normally disabled by default, so a
/// missing file is expected and is not by itself evidence of log clearing.
/// Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_CUSTOMERFEEDBACKMANAGER_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_customerfeedbackmanager_debug",
    name: "Microsoft-Windows-IME-CustomerFeedbackManager/Debug",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-CustomerFeedbackManager\\Debug.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-CustomerFeedbackManager/Debug'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic` channel.
///
/// TODO(review): the static name and the `id` end in `analyti`, apparently
/// truncated from `analytic`. The `id` is an externally visible key, so it is
/// left unchanged here; fix it together with whatever generates and consumes
/// these ids.
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_CUSTOMERFEEDBACKMANAGERUI_ANALYTI: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_customerfeedbackmanagerui_analyti",
    name: "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-CustomerFeedbackManagerUI\\Analytic.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-JPAPI/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_JPAPI_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_jpapi_analytic",
    name: "Microsoft-Windows-IME-JPAPI/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-JPAPI\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-JPAPI/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-JPLMP/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_JPLMP_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_jplmp_analytic",
    name: "Microsoft-Windows-IME-JPLMP/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-JPLMP\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-JPLMP/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-JPPRED/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_JPPRED_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_jppred_analytic",
    name: "Microsoft-Windows-IME-JPPRED/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-JPPRED\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-JPPRED/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-JPSetting/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_JPSETTING_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_jpsetting_analytic",
    name: "Microsoft-Windows-IME-JPSetting/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-JPSetting\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-JPSetting/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-JPTIP/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_JPTIP_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_jptip_analytic",
    name: "Microsoft-Windows-IME-JPTIP/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-JPTIP\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-JPTIP/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-KRAPI/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_KRAPI_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_krapi_analytic",
    name: "Microsoft-Windows-IME-KRAPI/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-KRAPI\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-KRAPI/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-KRTIP/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_KRTIP_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_krtip_analytic",
    name: "Microsoft-Windows-IME-KRTIP/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-KRTIP\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-KRTIP/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-OEDCompiler/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_OEDCOMPILER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_oedcompiler_analytic",
    name: "Microsoft-Windows-IME-OEDCompiler/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-OEDCompiler\\Analytic.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-OEDCompiler/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-Roaming/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_ROAMING_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_roaming_analytic",
    name: "Microsoft-Windows-IME-Roaming/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-Roaming\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-Roaming/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-SCCORE/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_SCCORE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_sccore_analytic",
    name: "Microsoft-Windows-IME-SCCORE/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-SCCORE\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-SCCORE/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-SCDICCOMPILER/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_SCDICCOMPILER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_scdiccompiler_analytic",
    name: "Microsoft-Windows-IME-SCDICCOMPILER/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-SCDICCOMPILER\\Analytic.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-SCDICCOMPILER/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-SCTIP/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_SCTIP_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_sctip_analytic",
    name: "Microsoft-Windows-IME-SCTIP/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-SCTIP\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-SCTIP/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-TCCORE/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_TCCORE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_tccore_analytic",
    name: "Microsoft-Windows-IME-TCCORE/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-TCCORE\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-TCCORE/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-TCTIP/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_TCTIP_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_tctip_analytic",
    name: "Microsoft-Windows-IME-TCTIP/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-TCTIP\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-TCTIP/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IME-TIP/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IME_TIP_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ime_tip_analytic",
    name: "Microsoft-Windows-IME-TIP/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IME-TIP\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IME-TIP/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IPBusEnum/Tracing` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. The channel name suggests a tracing/debug-type channel,
/// which are typically off by default, so a missing file is expected —
/// confirm. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IPBUSENUM_TRACING: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ipbusenum_tracing",
    name: "Microsoft-Windows-IPBusEnum/Tracing",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IPBusEnum\\Tracing.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IPBusEnum/Tracing'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IPNAT/Diagnostic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. The channel name suggests a diagnostic-type channel, which
/// are typically off by default, so a missing file is expected — confirm.
/// Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IPNAT_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ipnat_diagnostic",
    name: "Microsoft-Windows-IPNAT/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IPNAT\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IPNAT/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IPSEC-SRV/Diagnostic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. The channel name suggests a diagnostic-type channel, which
/// are typically off by default, so a missing file is expected — confirm
/// before reading absence as tampering. Triage metadata is left unset in this
/// entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IPSEC_SRV_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_ipsec_srv_diagnostic",
    name: "Microsoft-Windows-IPSEC-SRV/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IPSEC-SRV\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IPSEC-SRV/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Debug Channel` channel.
///
/// NOTE(review): the channel name has no provider prefix and contains a space,
/// and the file name is used literally; confirm the on-disk name before relying
/// on this path. Debug-type channels are normally disabled by default, so a
/// missing file is expected. Triage metadata is left unset in this entry.
pub(crate) static EVTX_DEBUG_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_debug_channel",
    name: "Debug Channel",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Debug Channel.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Debug Channel'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IdCtrls/Operational` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. The provider name alone does not identify the component
/// logged here; confirm what `IdCtrls` records before relying on it in triage.
/// Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IDCTRLS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_idctrls_operational",
    name: "Microsoft-Windows-IdCtrls/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IdCtrls\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IdCtrls/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `EventLog` descriptor for the `Microsoft-Windows-IdCtrls/Analytic` channel.
///
/// NOTE(review): on disk Windows names a `Provider/Channel` log
/// `Provider%4Channel.evtx` (the `/` encoded as `%4`) rather than placing it in
/// a `Provider\` subdirectory as this path implies — confirm the collector
/// remaps the path. Analytic-type channels are normally disabled by default,
/// so a missing file is expected and is not by itself evidence of log
/// clearing. Triage metadata is left unset in this entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_IDCTRLS_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_idctrls_analytic",
    name: "Microsoft-Windows-IdCtrls/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IdCtrls\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-IdCtrls/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-TWinAPI/Diagnostic' Event Log channel,
/// read from its `.evtx` file.
///
/// Diagnostic (debug-type) channels are disabled by default on Windows, so the file
/// is typically absent unless the channel was enabled — presumably the collector
/// treats a missing file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TWINAPI_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_twinapi_diagnostic",
        name: "Microsoft-Windows-TWinAPI/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TWinAPI\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-TWinAPI/Diagnostic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-CoreApplication/Operational' Event Log
/// channel, read from its `.evtx` file.
///
/// Rated Medium (unlike most neighbouring channels); the reason is not recorded
/// here — presumably a deliberate triage choice. The `%SystemRoot%` token is left
/// unexpanded for the collector.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COREAPPLICATION_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_coreapplication_operational",
        name: "Microsoft-Windows-CoreApplication/Operational",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CoreApplication\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Medium,
        meaning: "Windows Event Log channel 'Microsoft-Windows-CoreApplication/Operational'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-CoreApplication/Diagnostic' Event Log
/// channel, read from its `.evtx` file.
///
/// Diagnostic (debug-type) channels are disabled by default on Windows, so the file
/// is typically absent unless enabled; rated Medium like its sibling channels —
/// presumably a deliberate triage choice.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COREAPPLICATION_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_coreapplication_diagnostic",
        name: "Microsoft-Windows-CoreApplication/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CoreApplication\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Medium,
        meaning: "Windows Event Log channel 'Microsoft-Windows-CoreApplication/Diagnostic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-CoreApplication/Tracing' Event Log channel,
/// read from its `.evtx` file.
///
/// Rated Medium like the other CoreApplication channels. Tracing channels are usually
/// debug-type and disabled by default, so the file may be absent — presumably the
/// collector treats that as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_COREAPPLICATION_TRACING: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_coreapplication_tracing",
        name: "Microsoft-Windows-CoreApplication/Tracing",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-CoreApplication\\Tracing.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Medium,
        meaning: "Windows Event Log channel 'Microsoft-Windows-CoreApplication/Tracing'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-TWinUI/Diagnostic' Event Log channel,
/// read from its `.evtx` file.
///
/// Diagnostic (debug-type) channels are disabled by default on Windows, so the file
/// is typically absent unless the channel was enabled — presumably the collector
/// treats a missing file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TWINUI_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_twinui_diagnostic",
        name: "Microsoft-Windows-TWinUI/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TWinUI\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-TWinUI/Diagnostic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-TWinUI/Operational' Event Log channel,
/// read from its `.evtx` file.
///
/// The path keeps the `%SystemRoot%` token unexpanded; presumably the collector
/// expands it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TWINUI_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_twinui_operational",
        name: "Microsoft-Windows-TWinUI/Operational",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TWinUI\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-TWinUI/Operational'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic'
/// Event Log channel, read from its `.evtx` file.
///
/// The `id` was evidently truncated by the generator (it ends at `_event` and drops
/// the `/Diagnostic` part); left as-is because other code may reference it. Diagnostic
/// channels are disabled by default, so the file is typically absent unless enabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_INDIRECTDISPLAYS_CLASSEXTENSION_EVENT: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_indirectdisplays_classextension_event",
        name: "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-IndirectDisplays-ClassExtension-Events\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor whose `name` and `file_path` were evidently derived from a channel
/// *description* rather than the channel's name (note the description's trailing
/// period, which yields `..evtx`).
///
/// NOTE(review): this path is very unlikely to resolve on a real system, so the
/// collector will silently find nothing for it. The HIDCLASS driver's actual
/// Analytic channel name should be looked up in the upstream manifest and
/// substituted here; the entry is left untouched so the `id` stays stable for any
/// code that references it.
pub(crate) static EVTX_THIS_IS_THE_ANALYTIC_CHANNEL_TO_WHICH_INTERNAL_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_this_is_the_analytic_channel_to_which_internal_analytic",
        name: "This is the Analytic channel to which internal Analytic events from the HIDCLASS driver are sent.",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\This is the Analytic channel to which internal Analytic events from the HIDCLASS driver are sent..evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'This is the Analytic channel to which internal Analytic events from the HIDCLASS driver are sent.'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-InputSwitch/Diagnostic' Event Log channel,
/// read from its `.evtx` file.
///
/// Diagnostic (debug-type) channels are disabled by default on Windows, so the file
/// is typically absent unless the channel was enabled — presumably the collector
/// treats a missing file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_INPUTSWITCH_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_inputswitch_diagnostic",
        name: "Microsoft-Windows-InputSwitch/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-InputSwitch\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-InputSwitch/Diagnostic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor whose `name` and `file_path` were evidently derived from a channel
/// *description* rather than the channel's name (note the description's trailing
/// period, which yields `..evtx`); the `id` is truncated as well.
///
/// NOTE(review): this path is very unlikely to resolve on a real system, so the
/// collector will silently find nothing for it. The Windows Install UX
/// Performance channel's actual name should be looked up in the upstream manifest
/// and substituted here; the entry is left untouched so the `id` stays stable for
/// any code that references it.
pub(crate) static EVTX_THIS_IS_THE_ANALYTIC_CHANNEL_FOR_WINDOWS_INSTALL_UX_PER: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_this_is_the_analytic_channel_for_windows_install_ux_per",
        name: "This is the analytic channel for Windows Install UX Performance.",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\This is the analytic channel for Windows Install UX Performance..evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'This is the analytic channel for Windows Install UX Performance.'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-International/Operational' Event Log
/// channel, read from its `.evtx` file.
///
/// The path keeps the `%SystemRoot%` token unexpanded; presumably the collector
/// expands it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_INTERNATIONAL_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_international_operational",
        name: "Microsoft-Windows-International/Operational",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-International\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-International/Operational'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Iphlpsvc Etw Channel' Event Log channel, read from its
/// `.evtx` file.
///
/// The display name looks like a friendly channel title rather than a
/// `Provider/Channel` identifier; the path is what distinguishes it. `%SystemRoot%`
/// is left unexpanded for the collector.
pub(crate) static EVTX_IPHLPSVC_ETW_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_iphlpsvc_etw_channel",
    name: "Iphlpsvc Etw Channel",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Iphlpsvc Etw Channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Iphlpsvc Etw Channel'.",
    // Registry-oriented fields are unused for a file-backed event log.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded yet for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Descriptor for the 'Iphlpsvc Etw Debug Channel' Event Log channel, read from
/// its `.evtx` file.
///
/// Debug-type channels are disabled by default on Windows, so the file is typically
/// absent unless the channel was enabled — presumably the collector treats a missing
/// file as "not present"; confirm.
pub(crate) static EVTX_IPHLPSVC_ETW_DEBUG_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_iphlpsvc_etw_debug_channel",
    name: "Iphlpsvc Etw Debug Channel",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Iphlpsvc Etw Debug Channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Iphlpsvc Etw Debug Channel'.",
    // Registry-oriented fields are unused for a file-backed event log.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded yet for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Descriptor for the 'Microsoft-Windows-KdsSvc/Operational' Event Log channel,
/// read from its `.evtx` file.
///
/// NOTE(review): KdsSvc is the Microsoft Key Distribution Service, which backs
/// group Managed Service Account key material on domain controllers; its
/// operational log can matter in DC-focused investigations, so the Low priority
/// and empty `mitre_techniques` here may be worth revisiting — not changed.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KDSSVC_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kdssvc_operational",
        name: "Microsoft-Windows-KdsSvc/Operational",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-KdsSvc\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-KdsSvc/Operational'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-Acpi/Diagnostic' Event Log channel,
/// read from its `.evtx` file.
///
/// Diagnostic (debug-type) channels are disabled by default on Windows, so the file
/// is typically absent unless the channel was enabled — presumably the collector
/// treats a missing file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_ACPI_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_acpi_diagnostic",
        name: "Microsoft-Windows-Kernel-Acpi/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Acpi\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Acpi/Diagnostic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-AppCompat/General' Event Log
/// channel, read from its `.evtx` file.
///
/// The path keeps the `%SystemRoot%` token unexpanded; presumably the collector
/// expands it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_APPCOMPAT_GENERAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_appcompat_general",
        name: "Microsoft-Windows-Kernel-AppCompat/General",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-AppCompat\\General.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-AppCompat/General'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-AppCompat/Performance' Event Log
/// channel, read from its `.evtx` file.
///
/// The path keeps the `%SystemRoot%` token unexpanded; presumably the collector
/// expands it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_APPCOMPAT_PERFORMANCE: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_appcompat_performance",
        name: "Microsoft-Windows-Kernel-AppCompat/Performance",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-AppCompat\\Performance.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-AppCompat/Performance'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-Boot/Analytic' Event Log channel,
/// read from its `.evtx` file.
///
/// Analytic channels are disabled by default on Windows, so the file is typically
/// absent unless the channel was enabled — presumably the collector treats a missing
/// file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_BOOT_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_boot_analytic",
        name: "Microsoft-Windows-Kernel-Boot/Analytic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Boot\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Boot/Analytic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-Boot/Operational' Event Log channel,
/// read from its `.evtx` file.
///
/// NOTE(review): this channel records boot-time kernel events; for timeline work
/// (boot/reboot correlation) it may deserve more than Low priority — not changed.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_BOOT_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_boot_operational",
        name: "Microsoft-Windows-Kernel-Boot/Operational",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Boot\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Boot/Operational'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic' Event
/// Log channel, read from its `.evtx` file.
///
/// Diagnostic (debug-type) channels are disabled by default on Windows, so the file
/// is typically absent unless the channel was enabled — presumably the collector
/// treats a missing file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_BOOTDIAGNOSTICS_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_bootdiagnostics_diagnostic",
        name: "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-BootDiagnostics\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-CPU-Partition/Analytic' Event Log
/// channel, read from its `.evtx` file.
///
/// Analytic channels are disabled by default on Windows, so the file is typically
/// absent unless the channel was enabled — presumably the collector treats a missing
/// file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_CPU_PARTITION_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_cpu_partition_analytic",
        name: "Microsoft-Windows-Kernel-CPU-Partition/Analytic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-CPU-Partition\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-CPU-Partition/Analytic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-CPU-Starvation/Operational' Event
/// Log channel, read from its `.evtx` file.
///
/// The path keeps the `%SystemRoot%` token unexpanded; presumably the collector
/// expands it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_CPU_STARVATION_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_cpu_starvation_operational",
        name: "Microsoft-Windows-Kernel-CPU-Starvation/Operational",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-CPU-Starvation\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-CPU-Starvation/Operational'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-Disk/Analytic' Event Log channel,
/// read from its `.evtx` file.
///
/// Analytic channels are disabled by default on Windows, so the file is typically
/// absent unless the channel was enabled — presumably the collector treats a missing
/// file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_DISK_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_disk_analytic",
        name: "Microsoft-Windows-Kernel-Disk/Analytic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Disk\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Disk/Analytic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-Dump/Operational' Event Log channel,
/// read from its `.evtx` file.
///
/// The path keeps the `%SystemRoot%` token unexpanded; presumably the collector
/// expands it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_DUMP_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_dump_operational",
        name: "Microsoft-Windows-Kernel-Dump/Operational",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Dump\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Dump/Operational'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-EventTracing/Admin' Event Log
/// channel, read from its `.evtx` file.
///
/// NOTE(review): Kernel-EventTracing is the provider that reports ETW session
/// lifecycle and tracing errors, which makes this Admin channel useful when
/// checking whether telemetry was interrupted or tampered with. The Low priority
/// and empty `mitre_techniques` may be worth revisiting — not changed here.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_EVENTTRACING_ADMIN: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_eventtracing_admin",
        name: "Microsoft-Windows-Kernel-EventTracing/Admin",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-EventTracing\\Admin.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-EventTracing/Admin'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-EventTracing/Analytic' Event Log
/// channel, read from its `.evtx` file.
///
/// Analytic channels are disabled by default on Windows, so the file is typically
/// absent unless the channel was enabled — presumably the collector treats a missing
/// file as "not present"; confirm. The sibling Admin channel is the one normally
/// populated on a default system.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_EVENTTRACING_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_eventtracing_analytic",
        name: "Microsoft-Windows-Kernel-EventTracing/Analytic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-EventTracing\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-EventTracing/Analytic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-File/Analytic' Event Log channel,
/// read from its `.evtx` file.
///
/// Analytic channels are disabled by default on Windows, so the file is typically
/// absent unless the channel was enabled — presumably the collector treats a missing
/// file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_FILE_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_file_analytic",
        name: "Microsoft-Windows-Kernel-File/Analytic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-File\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-File/Analytic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-IO/Operational' Event Log channel,
/// read from its `.evtx` file.
///
/// The path keeps the `%SystemRoot%` token unexpanded; presumably the collector
/// expands it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_IO_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_io_operational",
        name: "Microsoft-Windows-Kernel-IO/Operational",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-IO\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-IO/Operational'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-IoTrace/Diagnostic' Event Log
/// channel, read from its `.evtx` file.
///
/// Diagnostic (debug-type) channels are disabled by default on Windows, so the file
/// is typically absent unless the channel was enabled — presumably the collector
/// treats a missing file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_IOTRACE_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_iotrace_diagnostic",
        name: "Microsoft-Windows-Kernel-IoTrace/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-IoTrace\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-IoTrace/Diagnostic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-LiveDump/Analytic' Event Log
/// channel, read from its `.evtx` file.
///
/// Analytic channels are disabled by default on Windows, so the file is typically
/// absent unless the channel was enabled — presumably the collector treats a missing
/// file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_LIVEDUMP_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_livedump_analytic",
        name: "Microsoft-Windows-Kernel-LiveDump/Analytic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-LiveDump\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-LiveDump/Analytic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-LiveDump/Operational' Event Log
/// channel, read from its `.evtx` file.
///
/// NOTE(review): live kernel dumps capture kernel memory; a record of one being
/// produced can be relevant when reasoning about memory acquisition on a host, so
/// the Low priority may be worth revisiting — not changed here.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_LIVEDUMP_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_livedump_operational",
        name: "Microsoft-Windows-Kernel-LiveDump/Operational",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-LiveDump\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-LiveDump/Operational'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-Memory/Analytic' Event Log channel,
/// read from its `.evtx` file.
///
/// Analytic channels are disabled by default on Windows, so the file is typically
/// absent unless the channel was enabled — presumably the collector treats a missing
/// file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_MEMORY_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_memory_analytic",
        name: "Microsoft-Windows-Kernel-Memory/Analytic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Memory\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Memory/Analytic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-Network/Analytic' Event Log channel,
/// read from its `.evtx` file.
///
/// Analytic channels are disabled by default on Windows, so the file is typically
/// absent unless the channel was enabled — presumably the collector treats a missing
/// file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_NETWORK_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_network_analytic",
        name: "Microsoft-Windows-Kernel-Network/Analytic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Network\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Network/Analytic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Microsoft-Windows-Kernel-Pep/Diagnostic' Event Log channel,
/// read from its `.evtx` file.
///
/// Diagnostic (debug-type) channels are disabled by default on Windows, so the file
/// is typically absent unless the channel was enabled — presumably the collector
/// treats a missing file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_PEP_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_pep_diagnostic",
        name: "Microsoft-Windows-Kernel-Pep/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Pep\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Pep/Diagnostic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Boot Diagnostic Channel' Event Log channel, read from its
/// `.evtx` file.
///
/// The display name is a friendly title, not a `Provider/Channel` identifier, so
/// the provider is not recoverable from this entry alone. Diagnostic channels are
/// disabled by default, so the file is typically absent unless enabled.
pub(crate) static EVTX_BOOT_DIAGNOSTIC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_boot_diagnostic_channel",
    name: "Boot Diagnostic Channel",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Boot Diagnostic Channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Boot Diagnostic Channel'.",
    // Registry-oriented fields are unused for a file-backed event log.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded yet for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Descriptor for the 'Microsoft-Windows-Kernel-PnP/Diagnostic' Event Log channel,
/// read from its `.evtx` file.
///
/// Diagnostic (debug-type) channels are disabled by default on Windows, so the file
/// is typically absent unless the channel was enabled — presumably the collector
/// treats a missing file as "not present"; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_PNP_DIAGNOSTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_kernel_pnp_diagnostic",
        name: "Microsoft-Windows-Kernel-PnP/Diagnostic",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-PnP\\Diagnostic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-PnP/Diagnostic'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the 'Driver Diagnostic Channel' Event Log channel, read from its
/// `.evtx` file.
///
/// The display name is a friendly title, not a `Provider/Channel` identifier, so
/// the provider is not recoverable from this entry alone. Diagnostic channels are
/// disabled by default, so the file is typically absent unless enabled.
pub(crate) static EVTX_DRIVER_DIAGNOSTIC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_driver_diagnostic_channel",
    name: "Driver Diagnostic Channel",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Driver Diagnostic Channel.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Windows Event Log channel 'Driver Diagnostic Channel'.",
    // Registry-oriented fields are unused for a file-backed event log.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded yet for this channel.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Descriptor for the 'Device Enumeration Diagnostic Channel' Event Log channel,
/// read from its `.evtx` file.
///
/// The display name is a friendly title, not a `Provider/Channel` identifier, so
/// the provider is not recoverable from this entry alone. Diagnostic channels are
/// disabled by default, so the file is typically absent unless enabled.
pub(crate) static EVTX_DEVICE_ENUMERATION_DIAGNOSTIC_CHANNEL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_device_enumeration_diagnostic_channel",
        name: "Device Enumeration Diagnostic Channel",
        artifact_type: ArtifactType::EventLog,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Device Enumeration Diagnostic Channel.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "Windows Event Log channel 'Device Enumeration Diagnostic Channel'.",
        // Registry-oriented fields are unused for a file-backed event log.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded yet for this channel.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    };
/// Descriptor for the event log channel recorded here as `Configuration Diagnostic Channel`.
///
/// NOTE(review): `name`/`file_path` look like a display name rather than a
/// `Provider/Channel` identifier; verify the `.evtx` path exists.
/// Identity-decoded; no MITRE mapping, fields or evidence assessment; triage `Low`.
pub(crate) static EVTX_CONFIGURATION_DIAGNOSTIC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_configuration_diagnostic_channel",
name: "Configuration Diagnostic Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Configuration Diagnostic Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Configuration Diagnostic Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the event log channel recorded here as `Device Configuration`.
///
/// NOTE(review): `name`/`file_path` look like a display name rather than a
/// `Provider/Channel` identifier; verify the `.evtx` path exists.
/// Identity-decoded; no MITRE mapping, fields or evidence assessment; triage `Low`.
pub(crate) static EVTX_DEVICE_CONFIGURATION: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_device_configuration",
name: "Device Configuration",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Device Configuration.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Device Configuration'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the event log channel recorded here as `Pnp Analytic Channel`.
///
/// NOTE(review): `name`/`file_path` look like a display name rather than a
/// `Provider/Channel` identifier; verify the `.evtx` path exists. Analytic channels
/// are normally off by default, so the file is often absent or empty — confirm.
/// Identity-decoded; no MITRE mapping, fields or evidence assessment; triage `Low`.
pub(crate) static EVTX_PNP_ANALYTIC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_pnp_analytic_channel",
name: "Pnp Analytic Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Pnp Analytic Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Pnp Analytic Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the event log channel recorded here as `Device Management`.
///
/// NOTE(review): `name`/`file_path` look like a display name rather than a
/// `Provider/Channel` identifier; verify the `.evtx` path exists.
/// Identity-decoded; no MITRE mapping, fields or evidence assessment; triage `Low`.
pub(crate) static EVTX_DEVICE_MANAGEMENT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_device_management",
name: "Device Management",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Device Management.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Device Management'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the event log channel recorded here as `Driver Watchdog Channel`.
///
/// NOTE(review): `name`/`file_path` look like a display name rather than a
/// `Provider/Channel` identifier; verify the `.evtx` path exists.
/// Identity-decoded; no MITRE mapping, fields or evidence assessment; triage `Low`.
pub(crate) static EVTX_DRIVER_WATCHDOG_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_driver_watchdog_channel",
name: "Driver Watchdog Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Driver Watchdog Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Driver Watchdog Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the event log channel recorded here as `Configuration`.
///
/// NOTE(review): a bare `Configuration.evtx` at the root of the `Logs` folder looks like
/// a display name that lost its provider prefix; verify the file exists before
/// collecting on it. Identity-decoded; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
pub(crate) static EVTX_CONFIGURATION: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_configuration",
name: "Configuration",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Configuration.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Configuration'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-Power/Thermal-Diagnostic` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
/// NOTE(review): Diagnostic channels are usually disabled by default, so the file may be
/// absent or empty on most hosts — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_POWER_THERMAL_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_power_thermal_diagnostic",
name: "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Power\\Thermal-Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Power/Thermal-Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the event log channel recorded here as `Thermal-Operational`.
///
/// NOTE(review): the entry directly above is `Microsoft-Windows-Kernel-Power/Thermal-Diagnostic`;
/// this one has no provider prefix, so `name`/`file_path` may be truncated — verify the
/// on-disk file name. Identity-decoded; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
pub(crate) static EVTX_THERMAL_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_thermal_operational",
name: "Thermal-Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Thermal-Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Thermal-Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-Prefetch/Diagnostic` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
/// NOTE(review): this is the prefetcher's *diagnostic* channel, not the `.pf` prefetch
/// files themselves; Diagnostic channels are usually off by default — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_PREFETCH_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_prefetch_diagnostic",
name: "Microsoft-Windows-Kernel-Prefetch/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Prefetch\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Prefetch/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-Prm/Operational` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. Operational channels are typically enabled by default,
/// unlike the Analytic/Debug ones nearby — TODO confirm for this channel.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_PRM_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_prm_operational",
name: "Microsoft-Windows-Kernel-Prm/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Prm\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Prm/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-Process/Analytic` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
/// NOTE(review): the Kernel-Process provider is a source of process/thread/image-load
/// telemetry, but Analytic channels are off by default, so the file is usually absent
/// unless explicitly enabled; if it is present and populated, the `Low` priority is
/// probably too conservative — verify before raising it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_PROCESS_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_process_analytic",
name: "Microsoft-Windows-Kernel-Process/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Process\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Process/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-Processor-Power/Diagnostic` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. Diagnostic channels are usually disabled by default —
/// TODO confirm for this channel.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_PROCESSOR_POWER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_processor_power_diagnostic",
name: "Microsoft-Windows-Kernel-Processor-Power/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Processor-Power\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Processor-Power/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-Registry/Analytic` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
/// NOTE(review): the Kernel-Registry provider emits registry key/value activity, which
/// would be useful for persistence detection, but Analytic channels are off by default
/// and the file is usually absent — confirm presence before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_REGISTRY_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_registry_analytic",
name: "Microsoft-Windows-Kernel-Registry/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Registry\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Registry/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-Registry/Performance` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. Performance channels are normally disabled by default —
/// TODO confirm for this channel.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_REGISTRY_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_registry_performance",
name: "Microsoft-Windows-Kernel-Registry/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Registry\\Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Registry/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-ShimEngine/Debug` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
/// NOTE(review): the kernel shim engine applies application-compatibility shims, which
/// ATT&CK tracks as Application Shimming (T1546.011); Debug channels are off by default,
/// so prefer the `/Operational` sibling for detection and verify before adding a mapping.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_SHIMENGINE_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_shimengine_debug",
name: "Microsoft-Windows-Kernel-ShimEngine/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-ShimEngine\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-ShimEngine/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-ShimEngine/Operational` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
/// NOTE(review): shim-engine activity is the kernel side of application-compatibility
/// shimming, a known persistence/defense-evasion technique (ATT&CK T1546.011).
/// `mitre_techniques` is empty and priority is `Low`; consider populating the mapping
/// and reassessing priority once the event IDs on this channel have been verified.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_SHIMENGINE_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_shimengine_operational",
name: "Microsoft-Windows-Kernel-ShimEngine/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-ShimEngine\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-ShimEngine/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-ShimEngine/Diagnostic` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. Same provider as the `/Operational` and `/Debug` entries
/// above; Diagnostic channels are usually disabled by default — TODO confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_SHIMENGINE_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_shimengine_diagnostic",
name: "Microsoft-Windows-Kernel-ShimEngine/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-ShimEngine\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-ShimEngine/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-StoreMgr/Analytic` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. Analytic channels are normally off by default — TODO confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_STOREMGR_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_storemgr_analytic",
name: "Microsoft-Windows-Kernel-StoreMgr/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-StoreMgr\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-StoreMgr/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-StoreMgr/Operational` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_STOREMGR_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_storemgr_operational",
name: "Microsoft-Windows-Kernel-StoreMgr/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-StoreMgr\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-StoreMgr/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-WDI/Analytic` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. Analytic channels are normally off by default — TODO confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_WDI_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_wdi_analytic",
name: "Microsoft-Windows-Kernel-WDI/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-WDI\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-WDI/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-WDI/Debug` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. Debug channels are normally off by default — TODO confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_WDI_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_wdi_debug",
name: "Microsoft-Windows-Kernel-WDI/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-WDI\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-WDI/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-WDI/Operational` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_WDI_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_wdi_operational",
name: "Microsoft-Windows-Kernel-WDI/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-WDI\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-WDI/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-WHEA/Errors` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. One of three Kernel-WHEA entries in this file (see the
/// provider-level and `/Operational` descriptors that follow).
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_WHEA_ERRORS: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_whea_errors",
name: "Microsoft-Windows-Kernel-WHEA/Errors",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-WHEA\\Errors.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-WHEA/Errors'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the channel recorded here as `Microsoft-Windows-Kernel-WHEA` (no
/// `/Channel` suffix).
///
/// NOTE(review): unlike its `/Errors` and `/Operational` siblings, this entry has a
/// provider name only and a `.evtx` directly under `Logs`; verify that such a file
/// exists rather than a generator having dropped the channel suffix.
/// Identity-decoded; no MITRE mapping, fields or evidence assessment; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_WHEA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_whea",
name: "Microsoft-Windows-Kernel-WHEA",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-WHEA.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-WHEA'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-WHEA/Operational` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_WHEA_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_whea_operational",
name: "Microsoft-Windows-Kernel-WHEA/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-WHEA\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-WHEA/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Kernel-XDV/Analytic` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. Analytic channels are normally off by default — TODO confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_XDV_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_xdv_analytic",
name: "Microsoft-Windows-Kernel-XDV/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-XDV\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-XDV/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the event log channel recorded here as `WINDOWS_KS_CHANNEL`.
///
/// NOTE(review): an all-caps underscore name looks like a manifest symbol rather than a
/// real `Provider/Channel` identifier; verify the `.evtx` path exists before collecting.
/// Identity-decoded; no MITRE mapping, fields or evidence assessment; triage `Low`.
pub(crate) static EVTX_WINDOWS_KS_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_windows_ks_channel",
name: "WINDOWS_KS_CHANNEL",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\WINDOWS_KS_CHANNEL.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'WINDOWS_KS_CHANNEL'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-KeyboardFilter/Admin` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
/// NOTE(review): Keyboard Filter is a lockdown feature (blocking key combinations on
/// kiosk/embedded devices); presence of this log is a hint the host runs such a
/// configuration — confirm before inferring anything from it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KEYBOARDFILTER_ADMIN: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_keyboardfilter_admin",
name: "Microsoft-Windows-KeyboardFilter/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-KeyboardFilter\\Admin.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-KeyboardFilter/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-KeyboardFilter/Operational` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. Sibling of the `/Admin` and `/Performance` entries.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KEYBOARDFILTER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_keyboardfilter_operational",
name: "Microsoft-Windows-KeyboardFilter/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-KeyboardFilter\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-KeyboardFilter/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-KeyboardFilter/Performance` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. Performance channels are normally off by default — TODO confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KEYBOARDFILTER_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_keyboardfilter_performance",
name: "Microsoft-Windows-KeyboardFilter/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-KeyboardFilter\\Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-KeyboardFilter/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Known Folders/Operational` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs` (note the space in the provider name,
/// which is carried into the on-disk path); no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KNOWN_FOLDERS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_known_folders_operational",
name: "Microsoft-Windows-Known Folders/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Known Folders\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Known Folders/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-WLAN-AutoConfig/Operational` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
/// NOTE(review): this channel is commonly used in DFIR to reconstruct Wi-Fi association
/// history (network names, connect/disconnect times) on laptops, which makes `Low` look
/// conservative for endpoint timelines; also note the entry sits out of alphabetical
/// order between the `K…` and `L…` channels — verify both before changing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_WLAN_AUTOCONFIG_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_wlan_autoconfig_operational",
name: "Microsoft-Windows-WLAN-AutoConfig/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-WLAN-AutoConfig\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-WLAN-AutoConfig/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Wired-AutoConfig/Operational` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
/// NOTE(review): Wired-AutoConfig is the wired 802.1X (network access) client; its
/// events can corroborate when a host joined an authenticated LAN — confirm the event
/// IDs before relying on it. Like the WLAN entry above, it is out of alphabetical order.
pub(crate) static EVTX_MICROSOFT_WINDOWS_WIRED_AUTOCONFIG_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_wired_autoconfig_operational",
name: "Microsoft-Windows-Wired-AutoConfig/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Wired-AutoConfig\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Wired-AutoConfig/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-L2NACP/Diagnostic` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. Diagnostic channels are normally off by default — TODO confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_L2NACP_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_l2nacp_diagnostic",
name: "Microsoft-Windows-L2NACP/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-L2NACP\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-L2NACP/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-LAPS/Operational` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
/// NOTE(review): Windows LAPS manages and rotates local administrator passwords; its
/// operational log records policy application and rotation outcomes, so failures or
/// gaps here are relevant to local-credential hygiene and lateral-movement
/// investigations. `Low` and `OsScope::Win7Plus` both look questionable (Windows LAPS
/// is a recent feature) — verify before adjusting.
pub(crate) static EVTX_MICROSOFT_WINDOWS_LAPS_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_laps_operational",
name: "Microsoft-Windows-LAPS/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-LAPS\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-LAPS/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-LDAP-Client/Debug` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
/// NOTE(review): the LDAP client provider can expose directory queries issued by the
/// host (useful for spotting domain enumeration), but this is a Debug channel, which is
/// disabled by default — the file is usually absent unless tracing was turned on; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_LDAP_CLIENT_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_ldap_client_debug",
name: "Microsoft-Windows-LDAP-Client/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-LDAP-Client\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-LDAP-Client/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-LUA-ConsentUI/Diagnostic` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`.
/// NOTE(review): LUA/ConsentUI is the UAC elevation prompt component; a populated log
/// could corroborate elevation attempts, but Diagnostic channels are off by default —
/// confirm before treating absence as meaningful.
pub(crate) static EVTX_MICROSOFT_WINDOWS_LUA_CONSENTUI_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_lua_consentui_diagnostic",
name: "Microsoft-Windows-LUA-ConsentUI/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-LUA-ConsentUI\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-LUA-ConsentUI/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-LanguagePackSetup/Operational` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. First of three LanguagePackSetup entries (`/Operational`,
/// `/Analytic`, `/Debug`).
pub(crate) static EVTX_MICROSOFT_WINDOWS_LANGUAGEPACKSETUP_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_languagepacksetup_operational",
name: "Microsoft-Windows-LanguagePackSetup/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-LanguagePackSetup\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-LanguagePackSetup/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-LanguagePackSetup/Analytic` event log channel.
///
/// Identity-decoded `.evtx` under `winevt\Logs`; no MITRE mapping, fields or evidence
/// assessment; triage `Low`. Analytic channels are normally off by default — TODO confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_LANGUAGEPACKSETUP_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_languagepacksetup_analytic",
name: "Microsoft-Windows-LanguagePackSetup/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-LanguagePackSetup\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-LanguagePackSetup/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-LanguagePackSetup/Debug`; catalogue entry
/// sourced from the nasbench EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): Debug channels are disabled by default on Windows, so this .evtx
/// is usually absent unless explicitly enabled — confirm before reading absence
/// as evidence of log clearing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_LANGUAGEPACKSETUP_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_languagepacksetup_debug",
name: "Microsoft-Windows-LanguagePackSetup/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-LanguagePackSetup\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-LanguagePackSetup/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// NOTE(review): this entry looks like a parsing artifact of the upstream channel
/// list rather than a real channel. `name` is the descriptive text of a channel-type
/// definition ("major state/configuration change ... Target audience: PSS/diagnostic
/// tools/component developers"), and `file_path` is that same sentence with each '/'
/// rewritten to a path separator, which cannot exist under `winevt\Logs`. A collector
/// will simply never find the file, but the entry pollutes the catalogue and the
/// constant name / `id` are truncated at 60 characters ("..._debug_ad"). It should
/// be dropped from the generator input or filtered at generation time; it is left in
/// place here only because other code may reference the `id` string — verify before
/// removing.
pub(crate) static EVTX_MAJOR_STATE_CONFIGURATION_CHANGE_THAT_CAN_HELP_DEBUG_AD: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_major_state_configuration_change_that_can_help_debug_ad",
name: "major state/configuration change that can help debug admin and operational events. Default enabled state: off. Target audience: PSS/diagnostic tools/component developers",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\major state\\configuration change that can help debug admin and operational events. Default enabled state: off. Target audience: PSS\\diagnostic tools\\component developers.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'major state/configuration change that can help debug admin and operational events. Default enabled state: off. Target audience: PSS/diagnostic tools/component developers'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-LimitsManagement/Diagnostic`; catalogue
/// entry sourced from the nasbench EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): Diagnostic channels are disabled by default on Windows, so this
/// .evtx is usually absent unless explicitly enabled — confirm before reading
/// absence as evidence of log clearing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_LIMITSMANAGEMENT_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_limitsmanagement_diagnostic",
name: "Microsoft-Windows-LimitsManagement/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-LimitsManagement\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-LimitsManagement/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational`;
/// catalogue entry sourced from the nasbench EVTX-ETW-Resources channel list cited
/// in `sources`.
/// NOTE(review): the constant name and `id` are truncated at 60 characters
/// ("..._operationa"), so they no longer match the channel's `name` and are
/// inconsistent with the `_DIAGNOSTIC` sibling below. Renaming would change the
/// `id` string that consumers may match on, so it is flagged here rather than
/// fixed; the generator's identifier length cap is the place to address it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_LINKLAYERDISCOVERYPROTOCOL_OPERATIONA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_linklayerdiscoveryprotocol_operationa",
name: "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-LinkLayerDiscoveryProtocol\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic`;
/// catalogue entry sourced from the nasbench EVTX-ETW-Resources channel list cited
/// in `sources`.
/// NOTE(review): Diagnostic channels are disabled by default on Windows, so this
/// .evtx is usually absent unless explicitly enabled — confirm before reading
/// absence as evidence of log clearing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_LINKLAYERDISCOVERYPROTOCOL_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_linklayerdiscoveryprotocol_diagnostic",
name: "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-LinkLayerDiscoveryProtocol\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-LiveId/Analytic` (presumably Microsoft
/// account sign-in plumbing — confirm); catalogue entry sourced from the nasbench
/// EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): Analytic channels are disabled by default on Windows, so this
/// .evtx is usually absent unless explicitly enabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_LIVEID_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_liveid_analytic",
name: "Microsoft-Windows-LiveId/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-LiveId\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-LiveId/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-LiveId/Operational` (presumably Microsoft
/// account sign-in plumbing — confirm); catalogue entry sourced from the nasbench
/// EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): if this channel does record account sign-in activity, `Low`
/// triage priority may undersell it for identity-focused investigations — review
/// once the channel's event content has been confirmed.
pub(crate) static EVTX_MICROSOFT_WINDOWS_LIVEID_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_liveid_operational",
name: "Microsoft-Windows-LiveId/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-LiveId\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-LiveId/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Automation`; catalogue entry sourced from the nasbench
/// EVTX-ETW-Resources channel list cited in `sources`. The bare channel name
/// carries no provider prefix, so the owning component is not identifiable from
/// this entry alone.
pub(crate) static EVTX_AUTOMATION: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_automation",
name: "Automation",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Automation.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Automation'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Media Foundation FrameServer`; catalogue entry sourced from
/// the nasbench EVTX-ETW-Resources channel list cited in `sources`. Note the space
/// in the channel name is carried verbatim into `file_path`.
pub(crate) static EVTX_MEDIA_FOUNDATION_FRAMESERVER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_media_foundation_frameserver",
name: "Media Foundation FrameServer",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Media Foundation FrameServer.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Media Foundation FrameServer'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Media Foundation DeviceProxy`; catalogue entry sourced from
/// the nasbench EVTX-ETW-Resources channel list cited in `sources`. A second,
/// differently named entry (`MF_MediaFoundationDeviceProxy`) follows; whether both
/// channels exist on a given build is not established here.
pub(crate) static EVTX_MEDIA_FOUNDATION_DEVICEPROXY: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_media_foundation_deviceproxy",
name: "Media Foundation DeviceProxy",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Media Foundation DeviceProxy.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Media Foundation DeviceProxy'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `MF_MediaFoundationDeviceProxy`; catalogue entry sourced from
/// the nasbench EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_MF_MEDIAFOUNDATIONDEVICEPROXY: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_mf_mediafoundationdeviceproxy",
name: "MF_MediaFoundationDeviceProxy",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\MF_MediaFoundationDeviceProxy.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'MF_MediaFoundationDeviceProxy'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Media Foundation Pipeline`; catalogue entry sourced from the
/// nasbench EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_MEDIA_FOUNDATION_PIPELINE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_media_foundation_pipeline",
name: "Media Foundation Pipeline",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Media Foundation Pipeline.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Media Foundation Pipeline'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Media Foundation ContentProtection`; catalogue entry sourced
/// from the nasbench EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_MEDIA_FOUNDATION_CONTENTPROTECTION: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_media_foundation_contentprotection",
name: "Media Foundation ContentProtection",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Media Foundation ContentProtection.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Media Foundation ContentProtection'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Media Foundation AsyncWrapper`; catalogue entry sourced from
/// the nasbench EVTX-ETW-Resources channel list cited in `sources`. A second,
/// differently named entry (`MediaFoundationAsyncWrapper`) follows.
pub(crate) static EVTX_MEDIA_FOUNDATION_ASYNCWRAPPER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_media_foundation_asyncwrapper",
name: "Media Foundation AsyncWrapper",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Media Foundation AsyncWrapper.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Media Foundation AsyncWrapper'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `MediaFoundationAsyncWrapper`; catalogue entry sourced from
/// the nasbench EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_MEDIAFOUNDATIONASYNCWRAPPER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_mediafoundationasyncwrapper",
name: "MediaFoundationAsyncWrapper",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\MediaFoundationAsyncWrapper.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'MediaFoundationAsyncWrapper'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `MFDS`; catalogue entry sourced from the nasbench
/// EVTX-ETW-Resources channel list cited in `sources`. The bare abbreviation gives
/// no provider context; the owning component is not identifiable from this entry.
pub(crate) static EVTX_MFDS: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_mfds",
name: "MFDS",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\MFDS.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'MFDS'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `SrcPrefetch`; catalogue entry sourced from the nasbench
/// EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): despite the name this is an event log channel, not the
/// `%SystemRoot%\Prefetch` execution-evidence artifact — do not conflate the two
/// when building triage bundles.
pub(crate) static EVTX_SRCPREFETCH: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_srcprefetch",
name: "SrcPrefetch",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\SrcPrefetch.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'SrcPrefetch'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `MP4`; catalogue entry sourced from the nasbench
/// EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_MP4: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_mp4",
name: "MP4",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\MP4.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'MP4'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Media Foundation DeviceMFT`; catalogue entry sourced from the
/// nasbench EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_MEDIA_FOUNDATION_DEVICEMFT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_media_foundation_devicemft",
name: "Media Foundation DeviceMFT",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Media Foundation DeviceMFT.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Media Foundation DeviceMFT'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `WINDOWS_MFH264Enc_CHANNEL`; catalogue entry sourced from the
/// nasbench EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_WINDOWS_MFH264ENC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_windows_mfh264enc_channel",
name: "WINDOWS_MFH264Enc_CHANNEL",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\WINDOWS_MFH264Enc_CHANNEL.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'WINDOWS_MFH264Enc_CHANNEL'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `WINDOWS_MP4SDECD_CHANNEL`; catalogue entry sourced from the
/// nasbench EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_WINDOWS_MP4SDECD_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_windows_mp4sdecd_channel",
name: "WINDOWS_MP4SDECD_CHANNEL",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\WINDOWS_MP4SDECD_CHANNEL.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'WINDOWS_MP4SDECD_CHANNEL'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `muxencode`; catalogue entry sourced from the nasbench
/// EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_MUXENCODE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_muxencode",
name: "muxencode",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\muxencode.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'muxencode'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MPS-CLNT/Diagnostic`; catalogue entry
/// sourced from the nasbench EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): "MPS" here is presumably the Windows Firewall service family
/// (mpssvc) — confirm; if so, the firewall-related siblings (`MPS-DRV`, `MPS-SRV`)
/// may deserve a related-artifacts link. Diagnostic channels are disabled by default,
/// so this file is usually absent unless enabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MPS_CLNT_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_mps_clnt_diagnostic",
name: "Microsoft-Windows-MPS-CLNT/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MPS-CLNT\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MPS-CLNT/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MPS-DRV/Diagnostic`; catalogue entry
/// sourced from the nasbench EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): "MPS" here is presumably the Windows Firewall service family
/// (driver side) — confirm. Diagnostic channels are disabled by default, so this
/// file is usually absent unless enabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MPS_DRV_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_mps_drv_diagnostic",
name: "Microsoft-Windows-MPS-DRV/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MPS-DRV\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MPS-DRV/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MPS-SRV/Diagnostic`; catalogue entry
/// sourced from the nasbench EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): "MPS-SRV" is presumably the Windows Firewall service (mpssvc)
/// — confirm. Diagnostic channels are disabled by default, so this file is usually
/// absent unless enabled; firewall rule/profile changes normally surface in the
/// firewall's Operational channel rather than here.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MPS_SRV_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_mps_srv_diagnostic",
name: "Microsoft-Windows-MPS-SRV/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MPS-SRV\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MPS-SRV/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MSFTEDIT/Diagnostic`; catalogue entry
/// sourced from the nasbench EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): Diagnostic channels are disabled by default on Windows, so this
/// .evtx is usually absent unless explicitly enabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MSFTEDIT_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_msftedit_diagnostic",
name: "Microsoft-Windows-MSFTEDIT/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MSFTEDIT\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MSFTEDIT/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `WINDOWS_MSMPEG2ADEC_CHANNEL`; catalogue entry sourced from
/// the nasbench EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_WINDOWS_MSMPEG2ADEC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_windows_msmpeg2adec_channel",
name: "WINDOWS_MSMPEG2ADEC_CHANNEL",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\WINDOWS_MSMPEG2ADEC_CHANNEL.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'WINDOWS_MSMPEG2ADEC_CHANNEL'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `WINDOWS_MSMPEG2VDEC_CHANNEL`; catalogue entry sourced from
/// the nasbench EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_WINDOWS_MSMPEG2VDEC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_windows_msmpeg2vdec_channel",
name: "WINDOWS_MSMPEG2VDEC_CHANNEL",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\WINDOWS_MSMPEG2VDEC_CHANNEL.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'WINDOWS_MSMPEG2VDEC_CHANNEL'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MSMQ/End2End` (Message Queuing); catalogue
/// entry sourced from the nasbench EVTX-ETW-Resources channel list cited in `sources`.
/// The channel only exists where the MSMQ feature is installed, so absence is
/// expected on most hosts.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MSMQ_END2END: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_msmq_end2end",
name: "Microsoft-Windows-MSMQ/End2End",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MSMQ\\End2End.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MSMQ/End2End'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MSPaint/Debug`; catalogue entry sourced
/// from the nasbench EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): Debug channels are disabled by default on Windows, so this .evtx
/// is usually absent unless explicitly enabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MSPAINT_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mspaint_debug",
name: "Microsoft-Windows-MSPaint/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MSPaint\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MSPaint/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MSPaint/Diagnostic`; catalogue entry
/// sourced from the nasbench EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): Diagnostic channels are disabled by default on Windows, so this
/// .evtx is usually absent unless explicitly enabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MSPAINT_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_mspaint_diagnostic",
name: "Microsoft-Windows-MSPaint/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MSPaint\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MSPaint/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MSSHAV-SHV/Diagnostic` (presumably the
/// NAP System Health Validator — confirm); catalogue entry sourced from the nasbench
/// EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): Diagnostic channels are disabled by default on Windows, so this
/// .evtx is usually absent unless explicitly enabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MSSHAV_SHV_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_msshav_shv_diagnostic",
name: "Microsoft-Windows-MSSHAV-SHV/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MSSHAV-SHV\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MSSHAV-SHV/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MSSHAV-SHV/Operational` (presumably the
/// NAP System Health Validator — confirm); catalogue entry sourced from the nasbench
/// EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MSSHAV_SHV_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_msshav_shv_operational",
name: "Microsoft-Windows-MSSHAV-SHV/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MSSHAV-SHV\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MSSHAV-SHV/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MSSHAV-SHVCNFG/Diagnostic`; catalogue entry
/// sourced from the nasbench EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): Diagnostic channels are disabled by default on Windows, so this
/// .evtx is usually absent unless explicitly enabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MSSHAV_SHVCNFG_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_msshav_shvcnfg_diagnostic",
name: "Microsoft-Windows-MSSHAV-SHVCNFG/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MSSHAV-SHVCNFG\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MSSHAV-SHVCNFG/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MUI/Operational` (Multilingual User
/// Interface); catalogue entry sourced from the nasbench EVTX-ETW-Resources channel
/// list cited in `sources`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MUI_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mui_operational",
name: "Microsoft-Windows-MUI/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MUI\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MUI/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MUI/Admin` (Multilingual User Interface);
/// catalogue entry sourced from the nasbench EVTX-ETW-Resources channel list cited
/// in `sources`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MUI_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mui_admin",
name: "Microsoft-Windows-MUI/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MUI\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MUI/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MUI/Debug`; catalogue entry sourced from
/// the nasbench EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): Debug channels are disabled by default on Windows, so this .evtx
/// is usually absent unless explicitly enabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MUI_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mui_debug",
name: "Microsoft-Windows-MUI/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MUI\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MUI/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-MUI/Analytic`; catalogue entry sourced from
/// the nasbench EVTX-ETW-Resources channel list cited in `sources`.
/// NOTE(review): Analytic channels are disabled by default on Windows, so this
/// .evtx is usually absent unless explicitly enabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MUI_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mui_analytic",
name: "Microsoft-Windows-MUI/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MUI\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MUI/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Media Center`; catalogue entry sourced from the nasbench
/// EVTX-ETW-Resources channel list cited in `sources`. Windows Media Center shipped
/// only with certain older editions, so this file is expected to be absent on most
/// hosts despite the `Win7Plus` scope.
pub(crate) static EVTX_MEDIA_CENTER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_media_center",
name: "Media Center",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Media Center.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Media Center'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `PlayReady-Performance` (DRM component); catalogue entry
/// sourced from the nasbench EVTX-ETW-Resources channel list cited in `sources`.
pub(crate) static EVTX_PLAYREADY_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_playready_performance",
name: "PlayReady-Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\PlayReady-Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'PlayReady-Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-Media-Streaming/DMR` event log channel.
/// One of three Media-Streaming channels in this table (DMR, DMC, MDE); all share the same
/// scope, decoder and low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MEDIA_STREAMING_DMR: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_media_streaming_dmr",
name: "Microsoft-Windows-Media-Streaming/DMR",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): Windows names channel files `<Provider>%4<Channel>.evtx` directly in Logs\;
// confirm the collector translates this subdirectory form.
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Media-Streaming\\DMR.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Media-Streaming/DMR'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-Media-Streaming/DMC` event log channel.
/// Sibling of the DMR and MDE Media-Streaming entries; no technique mapping or field schema
/// is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MEDIA_STREAMING_DMC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_media_streaming_dmc",
name: "Microsoft-Windows-Media-Streaming/DMC",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Media-Streaming\\DMC.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Media-Streaming/DMC'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-Media-Streaming/MDE` event log channel.
/// Third Media-Streaming channel (with DMR and DMC); identical collection attributes.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MEDIA_STREAMING_MDE: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_media_streaming_mde",
name: "Microsoft-Windows-Media-Streaming/MDE",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Media-Streaming\\MDE.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Media-Streaming/MDE'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Media Foundation MediaEngine` event log channel.
/// Unprefixed channel name, so the file lives directly under `winevt\Logs`; the space-containing
/// name is reproduced verbatim in `file_path`.
pub(crate) static EVTX_MEDIA_FOUNDATION_MEDIAENGINE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_media_foundation_mediaengine",
name: "Media Foundation MediaEngine",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Media Foundation MediaEngine.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Media Foundation MediaEngine'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Media Foundation Capture Engine ETW Channel` event log channel.
/// The name suggests camera/audio capture activity; if that holds, entries could corroborate
/// device-capture timelines, but no evidence rating or technique mapping is recorded here —
/// TODO confirm against the channel's manifest before promoting its priority.
pub(crate) static EVTX_MEDIA_FOUNDATION_CAPTURE_ENGINE_ETW_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_media_foundation_capture_engine_etw_channel",
name: "Media Foundation Capture Engine ETW Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Media Foundation Capture Engine ETW Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Media Foundation Capture Engine ETW Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader` channel.
/// The Rust identifier and `id` appear to be cut at 60 characters (`..._sourcerea`), while
/// `name` and `file_path` keep the full channel name. Truncated ids are a collision risk between
/// channels sharing a long prefix — worth a uniqueness assertion over all `id` values.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_MFREADWRITE_SOURCEREA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mediafoundation_mfreadwrite_sourcerea",
name: "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): on-disk name is normally `<Provider>%4<Channel>.evtx` flat in Logs\ —
// confirm the collector maps this subdirectory form.
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MediaFoundation-MFReadWrite\\SourceReader.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter` channel.
/// Identifier and `id` are cut at 60 characters (`..._sinkwrite` for `SinkWriter`); the full
/// channel name is preserved in `name` and `file_path`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_MFREADWRITE_SINKWRITE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mediafoundation_mfreadwrite_sinkwrite",
name: "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MediaFoundation-MFReadWrite\\SinkWriter.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-MediaFoundation-MFReadWrite/Transform` channel.
/// Third MFReadWrite channel alongside SourceReader and SinkWriter; same attributes throughout.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_MFREADWRITE_TRANSFORM: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mediafoundation_mfreadwrite_transform",
name: "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MediaFoundation-MFReadWrite\\Transform.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MediaFoundation-MFReadWrite/Transform'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `MS Video Processor MFT (D3D11)` event log channel.
/// The parentheses and spaces of the channel name are carried verbatim into `file_path`; make
/// sure any path matching elsewhere treats them literally rather than as glob metacharacters.
pub(crate) static EVTX_MS_VIDEO_PROCESSOR_MFT_D3D11: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_ms_video_processor_mft_d3d11",
name: "MS Video Processor MFT (D3D11)",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\MS Video Processor MFT (D3D11).evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'MS Video Processor MFT (D3D11)'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `MS Video Processor MFT` event log channel.
/// Non-D3D11 counterpart of the entry above; identical collection attributes.
pub(crate) static EVTX_MS_VIDEO_PROCESSOR_MFT: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_ms_video_processor_mft",
name: "MS Video Processor MFT",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\MS Video Processor MFT.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'MS Video Processor MFT'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `MS Video DSP` event log channel.
/// Video-processing telemetry (inferred from the name); no MITRE mapping or field schema.
pub(crate) static EVTX_MS_VIDEO_DSP: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_ms_video_dsp",
name: "MS Video DSP",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\MS Video DSP.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'MS Video DSP'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Media Foundation Performance Core` event log channel.
/// Performance-class media channel; low priority, no detection metadata recorded.
pub(crate) static EVTX_MEDIA_FOUNDATION_PERFORMANCE_CORE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_media_foundation_performance_core",
name: "Media Foundation Performance Core",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Media Foundation Performance Core.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Media Foundation Performance Core'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Media Foundation Performance` event log channel.
/// Sibling of `Media Foundation Performance Core`; identical attributes.
pub(crate) static EVTX_MEDIA_FOUNDATION_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_media_foundation_performance",
name: "Media Foundation Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Media Foundation Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Media Foundation Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-MediaFoundation-Performance/SARStreamResource`
/// channel. Identifier and `id` are cut at 60 characters (`..._sarstream`); `name` and
/// `file_path` keep the full channel name.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_PERFORMANCE_SARSTREAM: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mediafoundation_performance_sarstream",
name: "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MediaFoundation-Performance\\SARStreamResource.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MediaFoundation-Performance/SARStreamResource'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Media Foundation Platform` event log channel.
/// Unprefixed media channel stored directly under `winevt\Logs`; low priority.
pub(crate) static EVTX_MEDIA_FOUNDATION_PLATFORM: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_media_foundation_platform",
name: "Media Foundation Platform",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Media Foundation Platform.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Media Foundation Platform'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `MediaFoundationDeviceProxy` event log channel.
/// The name suggests capture-device brokering; if confirmed, it could corroborate camera or
/// microphone use, but no evidence rating is recorded — TODO verify against the manifest.
pub(crate) static EVTX_MEDIAFOUNDATIONDEVICEPROXY: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_mediafoundationdeviceproxy",
name: "MediaFoundationDeviceProxy",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\MediaFoundationDeviceProxy.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'MediaFoundationDeviceProxy'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-MediaFoundation-PlayAPI/Analytic` channel.
/// Analytic channel — normally disabled, so the file is usually absent unless an operator
/// enabled it; absence is expected rather than suspicious.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MEDIAFOUNDATION_PLAYAPI_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mediafoundation_playapi_analytic",
name: "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MediaFoundation-PlayAPI\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MediaFoundation-PlayAPI/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-MemoryDiagnostics-Results/Debug` channel.
/// Debug channels are typically off by default; expect the file to be missing on most hosts.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MEMORYDIAGNOSTICS_RESULTS_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_memorydiagnostics_results_debug",
name: "Microsoft-Windows-MemoryDiagnostics-Results/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): Windows writes `<Provider>%4<Channel>.evtx` flat in Logs\ rather than a
// provider subdirectory — confirm the collector maps this form.
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MemoryDiagnostics-Results\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MemoryDiagnostics-Results/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-Migration-Engine/Analytic` channel.
/// Analytic channel (off by default); the name points at user-state migration tooling —
/// presumably relevant only around OS upgrades or profile migrations, verify before use.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MIGRATION_ENGINE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_migration_engine_analytic",
name: "Microsoft-Windows-Migration-Engine/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Migration-Engine\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Migration-Engine/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Minstore Analytic Channel` event log channel.
/// Minstore is, to my knowledge, the ReFS storage-engine layer — confirm; if so, this channel
/// concerns ReFS volumes only and is absent on NTFS-only hosts.
pub(crate) static EVTX_MINSTORE_ANALYTIC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_minstore_analytic_channel",
name: "Minstore Analytic Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Minstore Analytic Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Minstore Analytic Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Minstore Debug Channel` event log channel.
/// Debug counterpart of `Minstore Analytic Channel`; typically disabled by default.
pub(crate) static EVTX_MINSTORE_DEBUG_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_minstore_debug_channel",
name: "Minstore Debug Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Minstore Debug Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Minstore Debug Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic`
/// channel. Identifier and `id` are cut at 60 characters (`..._api_inter`); note the sibling
/// entry `..._api_analy` differs only in its last characters after truncation, so id uniqueness
/// should be asserted rather than assumed.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_API_INTER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mobile_broadband_experience_api_inter",
name: "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): on-disk name is normally `<Provider>%4Analytic.evtx` flat in Logs\ —
// confirm the collector maps this subdirectory form.
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic` channel.
/// Identifier and `id` are cut at 60 characters (`..._api_analy`); the full channel name is in
/// `name` and `file_path`. Analytic channel, usually disabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_API_ANALY: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mobile_broadband_experience_api_analy",
name: "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Mobile-Broadband-Experience-Api\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational`
/// channel. Identifier and `id` are cut at 60 characters (`..._parser_ta`). Unlike its Analytic
/// siblings this is an Operational channel, so the file is more likely to exist on a host
/// with mobile-broadband hardware.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_PARSER_TA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mobile_broadband_experience_parser_ta",
name: "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic`
/// channel. Identifier and `id` are cut at 60 characters (`..._smsapi_an`).
/// Given the SMS subject, records here may carry message metadata — presumably personal data;
/// handle exported copies accordingly. Evidence caveats are not yet recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_SMSAPI_AN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mobile_broadband_experience_smsapi_an",
name: "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Mobile-Broadband-Experience-SmsApi\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `SMSApi` event log channel.
/// Unprefixed channel that appears to belong to the same mobile-broadband SMS stack as the
/// `...-SmsApi/Analytic` entry — confirm via the registered publisher. Content may include
/// message metadata; treat exports as potentially personal data.
pub(crate) static EVTX_SMSAPI: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_smsapi",
name: "SMSApi",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\SMSApi.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'SMSApi'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin`
/// channel. Identifier and `id` are cut at 60 characters (`..._smsrouter`). This is an Admin
/// channel, so it is enabled by default where the component is present and is the likeliest
/// of the mobile-broadband entries to actually exist on disk.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MOBILE_BROADBAND_EXPERIENCE_SMSROUTER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mobile_broadband_experience_smsrouter",
name: "Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-MobilityCenter/Performance` channel.
/// Performance channel for the Mobility Center UI; low priority, no detection metadata.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MOBILITYCENTER_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mobilitycenter_performance",
name: "Microsoft-Windows-MobilityCenter/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MobilityCenter\\Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MobilityCenter/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Diagnostics` event log channel.
/// The bare name identifies no provider, so it is ambiguous which component registers it;
/// the `meaning` string adds nothing beyond the name — TODO identify the publisher and
/// record it so triage does not confuse this with other diagnostics channels.
pub(crate) static EVTX_DIAGNOSTICS: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_diagnostics",
name: "Diagnostics",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Diagnostics.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Diagnostics'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `ManagementService` event log channel.
/// Another unprefixed, generically named channel; which management service owns it is not
/// recorded here — TODO identify the publisher, since a "management" channel on a server could
/// be more relevant to triage than its current low priority suggests.
pub(crate) static EVTX_MANAGEMENTSERVICE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_managementservice",
name: "ManagementService",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\ManagementService.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'ManagementService'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-MosHost/Operational` channel.
/// Operational channel (enabled by default where the component exists); paired with the
/// `MosHost/Performance` entry below.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MOSHOST_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_moshost_operational",
name: "Microsoft-Windows-MosHost/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): Windows names the file `Microsoft-Windows-MosHost%4Operational.evtx`
// directly in Logs\ — confirm the collector maps this subdirectory form.
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MosHost\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MosHost/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-MosHost/Performance` channel.
/// Performance counterpart of `MosHost/Operational`; same attributes.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MOSHOST_PERFORMANCE: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_moshost_performance",
name: "Microsoft-Windows-MosHost/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MosHost\\Performance.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MosHost/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Notification Channel` event log channel.
/// Generic unprefixed name; the owning provider is not recorded — TODO identify it.
pub(crate) static EVTX_NOTIFICATION_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_notification_channel",
name: "Notification Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Notification Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Notification Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-MsLbfoProvider/Operational` channel.
/// LBFO refers to NIC teaming (load balancing / failover) — confirm; if so this channel is
/// mostly a server-side artifact recording team membership changes, which can matter when
/// reconstructing a host's network configuration at a point in time.
pub(crate) static EVTX_MICROSOFT_WINDOWS_MSLBFOPROVIDER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_mslbfoprovider_operational",
name: "Microsoft-Windows-MsLbfoProvider/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-MsLbfoProvider\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-MsLbfoProvider/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-NCSI/Analytic` channel.
/// NCSI is the Network Connectivity Status Indicator; the Analytic channel is disabled by
/// default, so the file is normally absent. See the Operational sibling for the enabled channel.
pub(crate) static EVTX_MICROSOFT_WINDOWS_NCSI_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ncsi_analytic",
name: "Microsoft-Windows-NCSI/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NCSI\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NCSI/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-NCSI/Operational` channel.
/// Network Connectivity Status Indicator — records connectivity-probe outcomes and can help
/// place when a host gained or lost internet reachability in a timeline; no evidence rating
/// is recorded yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_NCSI_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_ncsi_operational",
name: "Microsoft-Windows-NCSI/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): on disk this is `Microsoft-Windows-NCSI%4Operational.evtx` directly in
// Logs\ — confirm the collector maps the subdirectory form used here.
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NCSI\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NCSI/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-NDIS-PacketCapture/Diagnostic` channel.
/// NDIS-PacketCapture is the provider behind built-in host packet capture (e.g. `netsh trace`),
/// so when this channel is enabled its contents can corroborate on-host network sniffing.
/// It is a Diagnostic channel, normally disabled, hence the low priority here; consider
/// raising it and adding a technique mapping if the channel is confirmed populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_NDIS_PACKETCAPTURE_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ndis_packetcapture_diagnostic",
name: "Microsoft-Windows-NDIS-PacketCapture/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): expected on-disk name is `<Provider>%4Diagnostic.evtx` flat in Logs\ —
// confirm the collector maps this subdirectory form.
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NDIS-PacketCapture\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NDIS-PacketCapture/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-NDIS/Diagnostic` channel.
/// Diagnostic channel of the core NDIS provider; usually disabled, so expect the file to be
/// absent. The Operational sibling below is the one populated by default.
pub(crate) static EVTX_MICROSOFT_WINDOWS_NDIS_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ndis_diagnostic",
name: "Microsoft-Windows-NDIS/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NDIS\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NDIS/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catalog entry for the `Microsoft-Windows-NDIS/Operational` channel.
/// Operational NDIS channel; records adapter/binding state changes and is typically present
/// on every host, which makes it useful for placing network-interface changes on a timeline.
pub(crate) static EVTX_MICROSOFT_WINDOWS_NDIS_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_ndis_operational",
name: "Microsoft-Windows-NDIS/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): on disk this is `Microsoft-Windows-NDIS%4Operational.evtx` flat in Logs\ —
// confirm the collector maps the subdirectory form.
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NDIS\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NDIS/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the
/// `Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController` channel.
///
/// NOTE(review): judging by the channel name this is a domain-controller-only log
/// of authentication failures for accounts in the Protected Users group, which is
/// identity-security telemetry rather than a generic diagnostic channel; the Low
/// triage priority and missing evidence metadata look like the generator's
/// defaults rather than an assessment — confirm and reconsider. Protected Users
/// was introduced with Windows Server 2012 R2, so `OsScope::Win7Plus` is probably
/// broader than where this channel actually exists — confirm against the source.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_PROTECTEDUSERFAILURES: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_authentication_protecteduserfailures",
name: "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Authentication\\ProtectedUserFailures-DomainController.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the
/// `Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController` channel.
///
/// NOTE(review): both the static name and the `id` are cut off at
/// `..._authenticationpolicyfa` while `name` is complete — presumably a length cap
/// in the generator. A later channel sharing the same 60-character prefix would
/// produce a duplicate `id`; confirm ids are checked for uniqueness when the
/// registry is built. As with the ProtectedUserFailures channel, this is
/// DC-side identity telemetry and the Low priority may be a default rather than
/// a judgement — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_AUTHENTICATIONPOLICYFA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_authentication_authenticationpolicyfa",
name: "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Authentication\\AuthenticationPolicyFailures-DomainController.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NTLM/Operational` event log channel.
///
/// NOTE(review): when the "Restrict NTLM" audit policies are enabled this channel
/// records NTLM authentication activity, which investigators use to spot legacy
/// authentication and relay/lateral-movement patterns; it is empty when those
/// policies are off. Low triage with no evidence metadata looks like the generated
/// default — confirm whether a higher priority and an "only populated when NTLM
/// auditing is enabled" caveat are warranted.
pub(crate) static EVTX_MICROSOFT_WINDOWS_NTLM_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_ntlm_operational",
name: "Microsoft-Windows-NTLM/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NTLM\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NTLM/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NWiFi/Diagnostic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NWIFI_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_nwifi_diagnostic",
name: "Microsoft-Windows-NWiFi/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NWiFi\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NWiFi/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Narrator-Inproc/Diagnostic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NARRATOR_INPROC_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_narrator_inproc_diagnostic",
name: "Microsoft-Windows-Narrator-Inproc/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Narrator-Inproc\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Narrator-Inproc/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Narrator/Diagnostic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NARRATOR_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_narrator_diagnostic",
name: "Microsoft-Windows-Narrator/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Narrator\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Narrator/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Ncasvc/Operational` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NCASVC_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_ncasvc_operational",
name: "Microsoft-Windows-Ncasvc/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Ncasvc\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Ncasvc/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NcdAutoSetup/Operational` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NCDAUTOSETUP_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ncdautosetup_operational",
name: "Microsoft-Windows-NcdAutoSetup/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NcdAutoSetup\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NcdAutoSetup/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NcdAutoSetup/Diagnostic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NCDAUTOSETUP_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_ncdautosetup_diagnostic",
name: "Microsoft-Windows-NcdAutoSetup/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NcdAutoSetup\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NcdAutoSetup/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NdisImPlatform/Operational` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NDISIMPLATFORM_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ndisimplatform_operational",
name: "Microsoft-Windows-NdisImPlatform/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NdisImPlatform\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NdisImPlatform/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Ndu/Diagnostic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NDU_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ndu_diagnostic",
name: "Microsoft-Windows-Ndu/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Ndu\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Ndu/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NetShell/Performance` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETSHELL_PERFORMANCE: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_netshell_performance",
name: "Microsoft-Windows-NetShell/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NetShell\\Performance.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NetShell/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Network-Connection-Broker` event log channel.
///
/// Unlike most siblings this channel has no `/Operational`-style suffix, so the
/// `.evtx` sits directly under `winevt\Logs` rather than in a provider subfolder.
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORK_CONNECTION_BROKER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_network_connection_broker",
name: "Microsoft-Windows-Network-Connection-Broker",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Network-Connection-Broker.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Network-Connection-Broker'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Network-DataUsage/Analytic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORK_DATAUSAGE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_network_datausage_analytic",
name: "Microsoft-Windows-Network-DataUsage/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Network-DataUsage\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Network-DataUsage/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Execution Context Operational Channel` event log.
///
/// The channel name contains spaces and no provider prefix, so the `.evtx` path
/// here carries those spaces literally; any path-matching or shell-quoting logic
/// that consumes `file_path` must cope with that. Catalog-level entry only
/// (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_EXECUTION_CONTEXT_OPERATIONAL_CHANNEL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_execution_context_operational_channel",
name: "Execution Context Operational Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Execution Context Operational Channel.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Execution Context Operational Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Network-Setup/Diagnostic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORK_SETUP_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_network_setup_diagnostic",
name: "Microsoft-Windows-Network-Setup/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Network-Setup\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Network-Setup/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Network-and-Sharing-Center/Diagnostic` channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORK_AND_SHARING_CENTER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_network_and_sharing_center_diagnostic",
name: "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Network-and-Sharing-Center\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Network-and-Sharing-Center/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NetworkAccessProtection/Operational` channel.
///
/// NOTE(review): Network Access Protection was deprecated and later removed from
/// Windows, so this channel is unlikely to exist on current builds; if `os_scope`
/// supports an upper bound, `Win7Plus` is probably too wide — confirm.
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKACCESSPROTECTION_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_networkaccessprotection_operational",
name: "Microsoft-Windows-NetworkAccessProtection/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NetworkAccessProtection\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NetworkAccessProtection/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NetworkAccessProtection/WHC` event log channel.
///
/// Same deprecated-NAP caveat as the sibling Operational channel applies here.
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKACCESSPROTECTION_WHC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_networkaccessprotection_whc",
name: "Microsoft-Windows-NetworkAccessProtection/WHC",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NetworkAccessProtection\\WHC.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NetworkAccessProtection/WHC'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NetworkBridge/Diagnostic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKBRIDGE_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_networkbridge_diagnostic",
name: "Microsoft-Windows-NetworkBridge/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NetworkBridge\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NetworkBridge/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NetworkProfile/Operational` event log channel.
///
/// NOTE(review): this channel records network connect/disconnect transitions and
/// is a common timeline source for when a host joined or left a given network;
/// the Low priority and empty evidence metadata look like generated defaults —
/// confirm whether a higher triage priority is intended.
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKPROFILE_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_networkprofile_operational",
name: "Microsoft-Windows-NetworkProfile/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NetworkProfile\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NetworkProfile/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NetworkProfile/Diagnostic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKPROFILE_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_networkprofile_diagnostic",
name: "Microsoft-Windows-NetworkProfile/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NetworkProfile\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NetworkProfile/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NetworkProvider/Operational` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKPROVIDER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_networkprovider_operational",
name: "Microsoft-Windows-NetworkProvider/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NetworkProvider\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NetworkProvider/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NetworkProvisioning/Analytic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKPROVISIONING_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_networkprovisioning_analytic",
name: "Microsoft-Windows-NetworkProvisioning/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NetworkProvisioning\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NetworkProvisioning/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NetworkProvisioning/Operational` channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKPROVISIONING_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_networkprovisioning_operational",
name: "Microsoft-Windows-NetworkProvisioning/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NetworkProvisioning\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NetworkProvisioning/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NetworkSecurity/Debug` event log channel.
///
/// NOTE(review): the metadata on this entry does not describe the channel it is
/// attached to. `evidence_caveats` calls it the "Windows Security audit log" and
/// `volatility_rationale` says "Security channel is high-value", but the artifact
/// is the NetworkSecurity provider's *Debug* channel under
/// `Microsoft-Windows-NetworkSecurity\Debug.evtx`, not `Security.evtx`. It looks
/// like a keyword match on "Security" applied the Security-log template, which
/// would also explain why this is the only Debug/Diagnostic channel in the
/// vicinity with `Critical` priority, `Strong` evidence and a `RotatingBuffer`
/// volatility class. A Critical rating on a debug channel that is usually
/// disabled would skew triage ordering and collection effort; confirm against
/// the source and, if the template was misapplied, reset these fields to the
/// Low/None defaults used by the sibling channels.
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKSECURITY_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_networksecurity_debug",
name: "Microsoft-Windows-NetworkSecurity/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NetworkSecurity\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NetworkSecurity/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
// See the NOTE above: Critical/Strong/RotatingBuffer appear to belong to the
// Security audit log template, not to this Debug channel.
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
evidence_caveats: &[
"Windows Security audit log; check Policy log for channel disable events",
],
volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
volatility_rationale: "Event log rotates on size limit; Security channel is high-value",
};
/// Descriptor for the `Microsoft-Windows-NetworkStatus/Analytic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKSTATUS_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_networkstatus_analytic",
name: "Microsoft-Windows-NetworkStatus/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NetworkStatus\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NetworkStatus/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Networking-Correlation/Diagnostic` channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKING_CORRELATION_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_networking_correlation_diagnostic",
name: "Microsoft-Windows-Networking-Correlation/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Networking-Correlation\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Networking-Correlation/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Networking-RealTimeCommunication/Tracing` channel.
///
/// NOTE(review): the static name and `id` end in `_trac` while `name` says
/// `/Tracing` — the identifier appears to be truncated at 60 characters by the
/// generator (same pattern as the `..._authenticationpolicyfa` entry). Truncated
/// ids are prone to collisions with channels sharing the same prefix; confirm
/// the registry rejects duplicate ids. Catalog-level entry only (Low triage, no
/// MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKING_REALTIMECOMMUNICATION_TRAC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_networking_realtimecommunication_trac",
name: "Microsoft-Windows-Networking-RealTimeCommunication/Tracing",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Networking-RealTimeCommunication\\Tracing.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Networking-RealTimeCommunication/Tracing'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NlaSvc/Diagnostic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NLASVC_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_nlasvc_diagnostic",
name: "Microsoft-Windows-NlaSvc/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NlaSvc\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NlaSvc/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NlaSvc/Operational` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NLASVC_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_nlasvc_operational",
name: "Microsoft-Windows-NlaSvc/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NlaSvc\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NlaSvc/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Ntfs/Performance` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NTFS_PERFORMANCE: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_ntfs_performance",
name: "Microsoft-Windows-Ntfs/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Ntfs\\Performance.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Ntfs/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Ntfs/Operational` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NTFS_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_ntfs_operational",
name: "Microsoft-Windows-Ntfs/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Ntfs\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Ntfs/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Ntfs/WHC` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NTFS_WHC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ntfs_whc",
name: "Microsoft-Windows-Ntfs/WHC",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Ntfs\\WHC.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Ntfs/WHC'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NvdimmN/Diagnostic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NVDIMMN_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_nvdimmn_diagnostic",
name: "Microsoft-Windows-NvdimmN/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NvdimmN\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NvdimmN/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-NvdimmN/Operational` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_NVDIMMN_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_nvdimmn_operational",
name: "Microsoft-Windows-NvdimmN/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NvdimmN\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-NvdimmN/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Storage-NvmeDisk/Analytic` event log channel.
///
/// Catalog-level entry only (Low triage, no MITRE mappings or field definitions).
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_NVMEDISK_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_storage_nvmedisk_analytic",
name: "Microsoft-Windows-Storage-NvmeDisk/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-NvmeDisk\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-NvmeDisk/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Storage-NvmeDisk/Diagnose` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_NVMEDISK_DIAGNOSE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_storage_nvmedisk_diagnose",
name: "Microsoft-Windows-Storage-NvmeDisk/Diagnose",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-NvmeDisk\\Diagnose.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-NvmeDisk/Diagnose'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Storage-NvmeDisk/Operational` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_NVMEDISK_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_storage_nvmedisk_operational",
name: "Microsoft-Windows-Storage-NvmeDisk/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-NvmeDisk\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-NvmeDisk/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OLE/Clipboard-Performance` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OLE_CLIPBOARD_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ole_clipboard_performance",
name: "Microsoft-Windows-OLE/Clipboard-Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OLE\\Clipboard-Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OLE/Clipboard-Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OLE/Clipboard-Diagnostics` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OLE_CLIPBOARD_DIAGNOSTICS: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ole_clipboard_diagnostics",
name: "Microsoft-Windows-OLE/Clipboard-Diagnostics",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OLE\\Clipboard-Diagnostics.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OLE/Clipboard-Diagnostics'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OLEACC/Diagnostic` event log channel, read from its `.evtx`
/// under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OLEACC_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_oleacc_diagnostic",
name: "Microsoft-Windows-OLEACC/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OLEACC\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OLEACC/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OLEACC/Debug` event log channel, read from its `.evtx` under
/// `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OLEACC_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_oleacc_debug",
name: "Microsoft-Windows-OLEACC/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OLEACC\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OLEACC/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OOBE_FIRSTLOGONANIM_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_oobe_firstlogonanim_diagnostic",
name: "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OOBE-FirstLogonAnim\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OOBE-Machine-Core/Diagnostic` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_CORE_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_oobe_machine_core_diagnostic",
name: "Microsoft-Windows-OOBE-Machine-Core/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OOBE-Machine-Core\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OOBE-Machine-Core/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OOBE-Machine-DUI/Diagnostic` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_DUI_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_oobe_machine_dui_diagnostic",
name: "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OOBE-Machine-DUI\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OOBE-Machine-DUI/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OOBE-Machine-DUI/Operational` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_DUI_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_oobe_machine_dui_operational",
name: "Microsoft-Windows-OOBE-Machine-DUI/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OOBE-Machine-DUI\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OOBE-Machine-DUI/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic` event log channel,
/// read from its `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
///
/// NOTE(review): the static name and `id` end in `_diagnos` — both are exactly 60
/// characters, so they look truncated by a length cap in the generator; `name` and
/// `file_path` carry the full channel name. The identifier is crate-visible and the
/// `id` may be referenced from `related_artifacts` elsewhere, so neither is renamed
/// here — confirm against the generator before changing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_PLUGINS_WIRELESS_DIAGNOS: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_oobe_machine_plugins_wireless_diagnos",
name: "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OOBE-Machine-Plugins-Wireless\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OOBE-Machine-Plugins/Diagnostic` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_PLUGINS_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_oobe_machine_plugins_diagnostic",
name: "Microsoft-Windows-OOBE-Machine-Plugins/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OOBE-Machine-Plugins\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OOBE-Machine-Plugins/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OOBE-Machine/Diagnostic` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OOBE_MACHINE_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_oobe_machine_diagnostic",
name: "Microsoft-Windows-OOBE-Machine/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OOBE-Machine\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OOBE-Machine/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Setup` event log channel, read from `Setup.evtx` under
/// `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
///
/// NOTE(review): unlike the vendor-specific driver channels around it, `Setup` is a
/// top-level channel living directly in the `Logs` directory, yet it carries the
/// same `Low` priority and empty technique/field lists; this looks like a generator
/// default rather than a deliberate rating — confirm before relying on it for triage.
pub(crate) static EVTX_SETUP: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_setup",
name: "Setup",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Setup.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Setup'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Ocp Update Agent operational channel` event log channel, read from its `.evtx`
/// (file name contains spaces) directly under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_OCP_UPDATE_AGENT_OPERATIONAL_CHANNEL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_ocp_update_agent_operational_channel",
name: "Ocp Update Agent operational channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Ocp Update Agent operational channel.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Ocp Update Agent operational channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OfflineFiles/Operational` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OFFLINEFILES_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_offlinefiles_operational",
name: "Microsoft-Windows-OfflineFiles/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OfflineFiles\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OfflineFiles/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OfflineFiles/SyncLog` event log channel, read from its `.evtx`
/// under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OFFLINEFILES_SYNCLOG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_offlinefiles_synclog",
name: "Microsoft-Windows-OfflineFiles/SyncLog",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OfflineFiles\\SyncLog.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OfflineFiles/SyncLog'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OneBackup/Debug` event log channel, read from its `.evtx` under
/// `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ONEBACKUP_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_onebackup_debug",
name: "Microsoft-Windows-OneBackup/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OneBackup\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OneBackup/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OneX/Diagnostic` event log channel, read from its `.evtx` under
/// `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ONEX_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_onex_diagnostic",
name: "Microsoft-Windows-OneX/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OneX\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OneX/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OneX/Operational` event log channel, read from its `.evtx` under
/// `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_ONEX_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_onex_operational",
name: "Microsoft-Windows-OneX/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OneX\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OneX/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OobeLdr/Analytic` event log channel, read from its `.evtx` under
/// `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OOBELDR_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_oobeldr_analytic",
name: "Microsoft-Windows-OobeLdr/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OobeLdr\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OobeLdr/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-OtpCredentialProvider/Operational` event log channel, read from
/// its `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
///
/// NOTE(review): the channel name identifies a credential provider, i.e. a component
/// on the interactive logon path; the `Low` priority and empty technique list look
/// like generator defaults rather than an assessed rating — confirm before triage
/// tooling relies on them.
pub(crate) static EVTX_MICROSOFT_WINDOWS_OTPCREDENTIALPROVIDER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_otpcredentialprovider_operational",
name: "Microsoft-Windows-OtpCredentialProvider/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-OtpCredentialProvider\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-OtpCredentialProvider/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `PCI Operational` event log channel, read from `PCI Operational.evtx` (file name
/// contains a space) directly under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_PCI_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_pci_operational",
name: "PCI Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\PCI Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'PCI Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-PCI/Diagnostic` event log channel, read from its `.evtx` under
/// `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PCI_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_pci_diagnostic",
name: "Microsoft-Windows-PCI/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PCI\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-PCI/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Kernel-Pdc/Diagnostic` event log channel, read from its `.evtx`
/// under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_KERNEL_PDC_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_kernel_pdc_diagnostic",
name: "Microsoft-Windows-Kernel-Pdc/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Kernel-Pdc\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Kernel-Pdc/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-glcnd/Debug` event log channel, read from its `.evtx` under
/// `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_GLCND_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_glcnd_debug",
name: "Microsoft-Windows-glcnd/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-glcnd\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-glcnd/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-glcnd/Admin` event log channel, read from its `.evtx` under
/// `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_GLCND_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_glcnd_admin",
name: "Microsoft-Windows-glcnd/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-glcnd\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-glcnd/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-glcnd/Diagnostic` event log channel, read from its `.evtx` under
/// `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_GLCND_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_glcnd_diagnostic",
name: "Microsoft-Windows-glcnd/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-glcnd\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-glcnd/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-PackageStateRoaming/Operational` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PACKAGESTATEROAMING_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_packagestateroaming_operational",
name: "Microsoft-Windows-PackageStateRoaming/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PackageStateRoaming\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-PackageStateRoaming/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-PackageStateRoaming/Debug` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PACKAGESTATEROAMING_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_packagestateroaming_debug",
name: "Microsoft-Windows-PackageStateRoaming/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PackageStateRoaming\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-PackageStateRoaming/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-PackageStateRoaming/Analytic` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PACKAGESTATEROAMING_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_packagestateroaming_analytic",
name: "Microsoft-Windows-PackageStateRoaming/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PackageStateRoaming\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-PackageStateRoaming/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-ParentalControls/Operational` event log channel, read from its
/// `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PARENTALCONTROLS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_parentalcontrols_operational",
name: "Microsoft-Windows-ParentalControls/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ParentalControls\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ParentalControls/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-ParentalControls-Telemetry/Operational` event log channel, read
/// from its `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
///
/// NOTE(review): the static name and `id` end in `_operationa` — both are exactly 60
/// characters, so they look truncated by a length cap in the generator; `name` and
/// `file_path` carry the full channel name. The identifier is crate-visible and the
/// `id` may be referenced from `related_artifacts` elsewhere, so neither is renamed
/// here — confirm against the generator before changing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PARENTALCONTROLS_TELEMETRY_OPERATIONA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_parentalcontrols_telemetry_operationa",
name: "Microsoft-Windows-ParentalControls-Telemetry/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ParentalControls-Telemetry\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ParentalControls-Telemetry/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-ParentalControls-Telemetry/Auditing` event log channel, read
/// from its `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PARENTALCONTROLS_TELEMETRY_AUDITING: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_parentalcontrols_telemetry_auditing",
name: "Microsoft-Windows-ParentalControls-Telemetry/Auditing",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ParentalControls-Telemetry\\Auditing.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ParentalControls-Telemetry/Auditing'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Partition/Diagnostic` event log channel, read from its `.evtx`
/// under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PARTITION_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_partition_diagnostic",
name: "Microsoft-Windows-Partition/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Partition\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Partition/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Partition/Analytic` event log channel, read from its `.evtx`
/// under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PARTITION_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_partition_analytic",
name: "Microsoft-Windows-Partition/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Partition\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Partition/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Partition/Debug` event log channel, read from its `.evtx` under
/// `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PARTITION_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_partition_debug",
name: "Microsoft-Windows-Partition/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Partition\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Partition/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-PeerToPeerDrtEventProvider/DiagnosticChannel` event log channel,
/// read from its `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
///
/// NOTE(review): the channel is `DiagnosticChannel` but the static name and `id` end
/// in `_diagnostic` — both are exactly 60 characters, so they look truncated by a
/// length cap in the generator rather than deliberately shortened. Left unchanged
/// because the identifier is crate-visible — confirm against the generator.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PEERTOPEERDRTEVENTPROVIDER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_peertopeerdrteventprovider_diagnostic",
name: "Microsoft-Windows-PeerToPeerDrtEventProvider/DiagnosticChannel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PeerToPeerDrtEventProvider\\DiagnosticChannel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-PeerToPeerDrtEventProvider/DiagnosticChannel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-PersistentMemory-INvdimm/Operational` event log channel, read
/// from its `.evtx` under `%SystemRoot%\System32\winevt\Logs`.
///
/// Carries no MITRE techniques, fields or retention data; triage priority is `Low`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_INVDIMM_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_persistentmemory_invdimm_operational",
name: "Microsoft-Windows-PersistentMemory-INvdimm/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-INvdimm\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-INvdimm/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-INvdimm/Diagnostic' channel.
///
/// Diagnostic channels are typically off by default; a missing `.evtx` most
/// likely means the channel was never enabled. See the `INVDIMM_OPERATIONAL`
/// sibling for the `os_scope` caveat, which applies here too.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_INVDIMM_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_invdimm_diagnostic",
    name: "Microsoft-Windows-PersistentMemory-INvdimm/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-INvdimm\\Diagnostic.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-INvdimm/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-Nvdimm/Operational' channel.
///
/// Low-priority hardware channel. NOTE(review): `OsScope::Win7Plus` is likely
/// broader than where NVDIMM support actually exists; confirm before relying
/// on it for collection planning.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_NVDIMM_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_nvdimm_operational",
    name: "Microsoft-Windows-PersistentMemory-Nvdimm/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-Nvdimm\\Operational.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-Nvdimm/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic' channel.
///
/// Diagnostic channel, usually disabled by default, so the file may be absent
/// on an untouched host. Remaining metadata is left unset as generated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_NVDIMM_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_nvdimm_diagnostic",
    name: "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-Nvdimm\\Diagnostic.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-NvdimmN/Diagnostic' channel.
///
/// Diagnostic channel (off by default on most hosts). `os_scope` is the generic
/// `Win7Plus` used across this table; NVDIMM-N support is newer than that, so
/// confirm before narrowing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_NVDIMMN_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_nvdimmn_diagnostic",
    name: "Microsoft-Windows-PersistentMemory-NvdimmN/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-NvdimmN\\Diagnostic.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-NvdimmN/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-NvdimmN/Operational' channel.
///
/// Hardware-health channel; no MITRE mapping or caveats are curated yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_NVDIMMN_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_nvdimmn_operational",
    name: "Microsoft-Windows-PersistentMemory-NvdimmN/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-NvdimmN\\Operational.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-NvdimmN/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-PmemDisk/Analytic' channel.
///
/// Analytic channels are disabled by default and must be enabled explicitly,
/// so the file is frequently absent. A separate 'Microsoft-Windows-PmemDisk'
/// family of descriptors also exists in this table; `related_artifacts` does
/// not yet cross-link them.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_PMEMDISK_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_pmemdisk_analytic",
    name: "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-PmemDisk\\Analytic.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-PmemDisk/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic' channel.
///
/// Diagnostic channel, normally disabled; absence of the file is expected on
/// most hosts. Not cross-linked to the 'Microsoft-Windows-PmemDisk' entries.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_PMEMDISK_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_pmemdisk_diagnostic",
    name: "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-PmemDisk\\Diagnostic.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-PmemDisk/Operational' channel.
///
/// Operational channel for persistent-memory disks. Low triage priority; the
/// sibling 'Microsoft-Windows-PmemDisk/Operational' descriptor covers what
/// looks like the same subsystem under a different provider name.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_PMEMDISK_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_pmemdisk_operational",
    name: "Microsoft-Windows-PersistentMemory-PmemDisk/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-PmemDisk\\Operational.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-PmemDisk/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-ScmBus/Analytic' channel.
///
/// Analytic channel (disabled by default). Low priority hardware telemetry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_SCMBUS_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_scmbus_analytic",
    name: "Microsoft-Windows-PersistentMemory-ScmBus/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-ScmBus\\Analytic.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-ScmBus/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-ScmBus/Diagnose' channel.
///
/// Note the channel suffix is 'Diagnose', not the more common 'Diagnostic';
/// the file name below follows the channel name, as taken from the source.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_SCMBUS_DIAGNOSE: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_scmbus_diagnose",
    name: "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-ScmBus\\Diagnose.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-ScmBus/Diagnose'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-ScmBus/Certification' channel.
///
/// Hardware-certification channel; of little investigative value, hence Low.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_SCMBUS_CERTIFICATION: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_scmbus_certification",
    name: "Microsoft-Windows-PersistentMemory-ScmBus/Certification",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-ScmBus\\Certification.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-ScmBus/Certification'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-ScmBus/Operational' channel.
///
/// Operational channel for the storage-class-memory bus driver. Low priority;
/// metadata beyond location and source is not yet curated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_SCMBUS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_scmbus_operational",
    name: "Microsoft-Windows-PersistentMemory-ScmBus/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-ScmBus\\Operational.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-ScmBus/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-VirtualNvdimm/Operational' channel.
///
/// NOTE(review): both the static name and the `id` are truncated
/// (`_OPERAT` / `_operat`), apparently by a fixed-length cap in the generator.
/// The `id` is a lookup key, so it is left as-is; if the generator's cap is
/// raised, every consumer of this id must be updated in the same change.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_VIRTUALNVDIMM_OPERAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_virtualnvdimm_operat",
    name: "Microsoft-Windows-PersistentMemory-VirtualNvdimm/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-VirtualNvdimm\\Operational.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-VirtualNvdimm/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PersistentMemory-VirtualNvdimm/Diagnostic' channel.
///
/// NOTE(review): name and `id` are truncated (`_DIAGNO` / `_diagno`) by the
/// same length cap seen on the `_OPERAT` sibling; the `id` is kept verbatim
/// because it is the lookup key. Diagnostic channel, off by default.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PERSISTENTMEMORY_VIRTUALNVDIMM_DIAGNO: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_persistentmemory_virtualnvdimm_diagno",
    name: "Microsoft-Windows-PersistentMemory-VirtualNvdimm/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PersistentMemory-VirtualNvdimm\\Diagnostic.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PersistentMemory-VirtualNvdimm/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'WINDOWS_WMPHOTO_CHANNEL' event-log channel.
///
/// Unlike the 'Microsoft-Windows-*' entries this channel has no provider
/// directory: the `.evtx` sits directly under `winevt\Logs`. Low priority.
pub(crate) static EVTX_WINDOWS_WMPHOTO_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_windows_wmphoto_channel",
    name: "WINDOWS_WMPHOTO_CHANNEL",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\WINDOWS_WMPHOTO_CHANNEL.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'WINDOWS_WMPHOTO_CHANNEL'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PhotoAcq/Analytic' channel.
///
/// Analytic channel, disabled by default; expect the file to be missing on
/// most hosts. Low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PHOTOACQ_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_photoacq_analytic",
    name: "Microsoft-Windows-PhotoAcq/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PhotoAcq\\Analytic.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PhotoAcq/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PlayToManager/Analytic' channel.
///
/// Analytic channel (off by default). Low priority; no curated mapping.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PLAYTOMANAGER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_playtomanager_analytic",
    name: "Microsoft-Windows-PlayToManager/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PlayToManager\\Analytic.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PlayToManager/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PmemDisk/Analytic' channel.
///
/// Analytic channel, disabled by default. A 'Microsoft-Windows-PersistentMemory-
/// PmemDisk/Analytic' descriptor also exists earlier in this table; the two are
/// not cross-linked via `related_artifacts`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PMEMDISK_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_pmemdisk_analytic",
    name: "Microsoft-Windows-PmemDisk/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PmemDisk\\Analytic.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PmemDisk/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PmemDisk/Diagnostic' channel.
///
/// Diagnostic channel (off by default). Low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PMEMDISK_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_pmemdisk_diagnostic",
    name: "Microsoft-Windows-PmemDisk/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PmemDisk\\Diagnostic.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PmemDisk/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PmemDisk/Operational' channel.
///
/// Operational channel for persistent-memory disks; the sibling
/// 'Microsoft-Windows-PersistentMemory-PmemDisk/Operational' descriptor
/// covers the other provider name. Low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PMEMDISK_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_pmemdisk_operational",
    name: "Microsoft-Windows-PmemDisk/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PmemDisk\\Operational.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PmemDisk/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PortableDeviceStatusProvider/Analytic' channel.
///
/// Analytic channel (disabled by default). Portable-device activity can be
/// relevant to removable-media investigations, but this channel is rarely
/// enabled; the descriptor carries no curated mapping yet.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PORTABLEDEVICESTATUSPROVIDER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_portabledevicestatusprovider_analytic",
    name: "Microsoft-Windows-PortableDeviceStatusProvider/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PortableDeviceStatusProvider\\Analytic.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PortableDeviceStatusProvider/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PortableDeviceSyncProvider/Analytic' channel.
///
/// Analytic channel (disabled by default). Low priority; see the
/// PortableDeviceStatusProvider sibling for the same collection caveat.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PORTABLEDEVICESYNCPROVIDER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_portabledevicesyncprovider_analytic",
    name: "Microsoft-Windows-PortableDeviceSyncProvider/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PortableDeviceSyncProvider\\Analytic.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PortableDeviceSyncProvider/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-Power-Meter-Polling/Diagnostic' channel.
///
/// Diagnostic channel (off by default). Low priority power telemetry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_POWER_METER_POLLING_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_power_meter_polling_diagnostic",
    name: "Microsoft-Windows-Power-Meter-Polling/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Power-Meter-Polling\\Diagnostic.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Power-Meter-Polling/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PowerCfg/Diagnostic' channel.
///
/// Diagnostic channel (off by default). Low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_POWERCFG_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_powercfg_diagnostic",
    name: "Microsoft-Windows-PowerCfg/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PowerCfg\\Diagnostic.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PowerCfg/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PowerCpl/Diagnostic' channel.
///
/// Diagnostic channel (off by default). Low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_POWERCPL_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_powercpl_diagnostic",
    name: "Microsoft-Windows-PowerCpl/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PowerCpl\\Diagnostic.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PowerCpl/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the
/// 'Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational' channel.
///
/// Rated High. NOTE(review): the rationale is presumably that DSC can pull
/// configuration content and apply it with elevated rights, so this channel
/// records what was fetched from where; that is an inference from the name,
/// not from curated data — `mitre_techniques` and `evidence_caveats` are still
/// empty. The static name and `id` are truncated by the generator's length
/// cap (the channel name continues with `-FileDownloadManager/Operational`);
/// the `id` is the lookup key and is kept verbatim.
pub(crate) static EVTX_MICROSOFT_WINDOWS_POWERSHELL_DESIREDSTATECONFIGURATION: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_powershell_desiredstateconfiguration",
    name: "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager\\Operational.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::High,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PowerShell/Operational' channel.
///
/// High-priority channel: this is where PowerShell module-logging and
/// script-block-logging events are written when those policies are enabled,
/// and it is a common target for log clearing. Practitioner caveats:
/// - coverage depends on the logging policy; an empty or missing log more
///   often means the policy was off than that nothing ran, so corroborate
///   with the Security and System channels and other PowerShell descriptors;
/// - `mitre_techniques`, `evidence_caveats`, `retention` and `volatility`
///   are still unset here despite the High rating — curate before relying on
///   them for automated scoring.
pub(crate) static EVTX_MICROSOFT_WINDOWS_POWERSHELL_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_powershell_operational",
    name: "Microsoft-Windows-PowerShell/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PowerShell\\Operational.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PowerShell/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::High,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PowerShell/Analytic' channel.
///
/// Rated High like the Operational sibling. NOTE(review): Analytic channels
/// are disabled by default and must be enabled explicitly, so on most hosts
/// this file does not exist at all; consider whether High over-weights a
/// channel that is rarely populated, and do not read its absence as evidence
/// of tampering.
pub(crate) static EVTX_MICROSOFT_WINDOWS_POWERSHELL_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_powershell_analytic",
    name: "Microsoft-Windows-PowerShell/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PowerShell\\Analytic.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PowerShell/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::High,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PowerShell/Debug' channel.
///
/// Rated High. NOTE(review): Debug channels are off by default, so this file
/// is normally absent; the same caveat as the Analytic sibling applies, and
/// the High rating should be confirmed against how often the channel is
/// actually enabled in the fleets this table targets.
pub(crate) static EVTX_MICROSOFT_WINDOWS_POWERSHELL_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_powershell_debug",
    name: "Microsoft-Windows-PowerShell/Debug",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PowerShell\\Debug.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PowerShell/Debug'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::High,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PriResources-Deployment/Diagnostic' channel.
///
/// Diagnostic channel (off by default). Low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PRIRESOURCES_DEPLOYMENT_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_priresources_deployment_diagnostic",
    name: "Microsoft-Windows-PriResources-Deployment/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PriResources-Deployment\\Diagnostic.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PriResources-Deployment/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PriResources-Deployment/Operational' channel.
///
/// Operational channel for package-resource deployment. Low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PRIRESOURCES_DEPLOYMENT_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_priresources_deployment_operational",
    name: "Microsoft-Windows-PriResources-Deployment/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PriResources-Deployment\\Operational.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PriResources-Deployment/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PrimaryNetworkIcon/Performance' channel.
///
/// Performance channel; typically not enabled. Low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PRIMARYNETWORKICON_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_primarynetworkicon_performance",
    name: "Microsoft-Windows-PrimaryNetworkIcon/Performance",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PrimaryNetworkIcon\\Performance.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PrimaryNetworkIcon/Performance'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-NetworkLocationWizard/Operational' channel.
///
/// Records network-profile (location) decisions. Low priority. Style note:
/// this entry sits among the 'Pr*' descriptors, out of the table's otherwise
/// alphabetical order; harmless, but worth moving when the table is regenerated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_NETWORKLOCATIONWIZARD_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_networklocationwizard_operational",
    name: "Microsoft-Windows-NetworkLocationWizard/Operational",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-NetworkLocationWizard\\Operational.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-NetworkLocationWizard/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PrintDialogs/Analytic' channel.
///
/// Analytic channel (off by default). Low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PRINTDIALOGS_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_printdialogs_analytic",
    name: "Microsoft-Windows-PrintDialogs/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PrintDialogs\\Analytic.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PrintDialogs/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PrintDialogs3D/Analytic' channel.
///
/// Analytic channel (off by default). Low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PRINTDIALOGS3D_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_printdialogs3d_analytic",
    name: "Microsoft-Windows-PrintDialogs3D/Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PrintDialogs3D\\Analytic.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PrintDialogs3D/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PrintSpooler/Core-Analytic' channel.
///
/// Analytic channel of the print spooler, disabled by default. The spooler is
/// a recurring exploitation and persistence target, but this channel is not a
/// substitute for the spooler's admin/operational logging — expect it to be
/// absent unless someone enabled it deliberately. Low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PRINTSPOOLER_CORE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_printspooler_core_analytic",
    name: "Microsoft-Windows-PrintSpooler/Core-Analytic",
    artifact_type: ArtifactType::EventLog,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PrintSpooler\\Core-Analytic.evtx",
    ),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PrintSpooler/Core-Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the 'Microsoft-Windows-PrintSpooler/Core-Debug' channel.
///
/// Debug channel of the print spooler (off by default). See the Core-Analytic
/// sibling for the collection caveat; Low priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PRINTSPOOLER_CORE_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_printspooler_core_debug",
    name: "Microsoft-Windows-PrintSpooler/Core-Debug",
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PrintSpooler\\Core-Debug.evtx"),
    // Not a registry artifact: no hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-PrintSpooler/Core-Debug'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    related_artifacts: &[],
    mitre_techniques: &[],
    fields: &[],
    triage_priority: TriagePriority::Low,
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Privacy-Auditing-PermissiveLearningMode/Operational`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): the static name and `id` are cut off at "…PERMISSIVELEARNINGMO",
/// which suggests a length limit in the generator; truncated ids risk colliding
/// with other channels that share the same prefix — check uniqueness.
/// NOTE(review): `OsScope::Win7Plus` looks like a generator default; this
/// component postdates Windows 7 — verify against the source list.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PRIVACY_AUDITING_PERMISSIVELEARNINGMO: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_privacy_auditing_permissivelearningmo",
name: "Microsoft-Windows-Privacy-Auditing-PermissiveLearningMode/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Privacy-Auditing-PermissiveLearningMode\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Privacy-Auditing-PermissiveLearningMode/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ProcessStateManager/Diagnostic`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Diagnostic channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PROCESSSTATEMANAGER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_processstatemanager_diagnostic",
name: "Microsoft-Windows-ProcessStateManager/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ProcessStateManager\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ProcessStateManager/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Program-Compatibility-Assistant/Operational`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): the static name and `id` are cut off at "…_OPERA", which
/// suggests a length limit in the generator; truncated ids risk colliding with
/// other channels that share the same prefix — check uniqueness.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PROGRAM_COMPATIBILITY_ASSISTANT_OPERA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_program_compatibility_assistant_opera",
name: "Microsoft-Windows-Program-Compatibility-Assistant/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Program-Compatibility-Assistant/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Proximity-Common/Performance`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): `OsScope::Win7Plus` looks like a generator default; this
/// component postdates Windows 7 — verify against the source list.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PROXIMITY_COMMON_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_proximity_common_performance",
name: "Microsoft-Windows-Proximity-Common/Performance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Proximity-Common\\Performance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Proximity-Common/Performance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Proximity-Common/Informational`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): `OsScope::Win7Plus` looks like a generator default; this
/// component postdates Windows 7 — verify against the source list.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PROXIMITY_COMMON_INFORMATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_proximity_common_informational",
name: "Microsoft-Windows-Proximity-Common/Informational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Proximity-Common\\Informational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Proximity-Common/Informational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Proximity-Common/Diagnostic`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Diagnostic channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PROXIMITY_COMMON_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_proximity_common_diagnostic",
name: "Microsoft-Windows-Proximity-Common/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Proximity-Common\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Proximity-Common/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-PushNotifications-Developer/Debug`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Debug channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
/// NOTE(review): `OsScope::Win7Plus` looks like a generator default; this
/// component postdates Windows 7 — verify against the source list.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_DEVELOPER_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_pushnotifications_developer_debug",
name: "Microsoft-Windows-PushNotifications-Developer/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PushNotifications-Developer\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-PushNotifications-Developer/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-PushNotifications-InProc/Debug`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Debug channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
/// NOTE(review): `OsScope::Win7Plus` looks like a generator default; this
/// component postdates Windows 7 — verify against the source list.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_INPROC_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_pushnotifications_inproc_debug",
name: "Microsoft-Windows-PushNotifications-InProc/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PushNotifications-InProc\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-PushNotifications-InProc/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-PushNotifications-Platform/Debug`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Debug channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
/// NOTE(review): `OsScope::Win7Plus` looks like a generator default; this
/// component postdates Windows 7 — verify against the source list.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_PLATFORM_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_pushnotifications_platform_debug",
name: "Microsoft-Windows-PushNotifications-Platform/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PushNotifications-Platform\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-PushNotifications-Platform/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-PushNotifications-Platform/Operational`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): the static name and `id` are cut off at "…_OPERATIONA", which
/// suggests a length limit in the generator; truncated ids risk colliding with
/// other channels that share the same prefix — check uniqueness.
/// NOTE(review): `OsScope::Win7Plus` looks like a generator default; this
/// component postdates Windows 7 — verify against the source list.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_PLATFORM_OPERATIONA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_pushnotifications_platform_operationa",
name: "Microsoft-Windows-PushNotifications-Platform/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PushNotifications-Platform\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-PushNotifications-Platform/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-PushNotifications-Platform/Admin`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): `OsScope::Win7Plus` looks like a generator default; this
/// component postdates Windows 7 — verify against the source list.
pub(crate) static EVTX_MICROSOFT_WINDOWS_PUSHNOTIFICATIONS_PLATFORM_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_pushnotifications_platform_admin",
name: "Microsoft-Windows-PushNotifications-Platform/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-PushNotifications-Platform\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-PushNotifications-Platform/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-QoS-Pacer/Diagnostic`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Diagnostic channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_QOS_PACER_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_qos_pacer_diagnostic",
name: "Microsoft-Windows-QoS-Pacer/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-QoS-Pacer\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-QoS-Pacer/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-QoS-Pacer/Debug`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Debug channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_QOS_PACER_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_qos_pacer_debug",
name: "Microsoft-Windows-QoS-Pacer/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-QoS-Pacer\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-QoS-Pacer/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-QoS-qWAVE/Debug`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Debug channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_QOS_QWAVE_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_qos_qwave_debug",
name: "Microsoft-Windows-QoS-qWAVE/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-QoS-qWAVE\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-QoS-qWAVE/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `EEInfo`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): `EEInfo` carries no provider prefix, unlike the surrounding
/// `Microsoft-Windows-*` entries; presumably the generator took a channel
/// display name rather than a log file name — verify that `EEInfo.evtx`
/// actually exists under `winevt\Logs` before relying on this path.
pub(crate) static EVTX_EEINFO: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_eeinfo",
name: "EEInfo",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\EEInfo.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'EEInfo'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Admin Channel`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): "Admin Channel" reads like a generic display name rather than
/// a real channel, and the resulting `Admin Channel.evtx` file name contains a
/// space; presumably a generator artefact — verify the log exists before
/// relying on this path.
pub(crate) static EVTX_ADMIN_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_admin_channel",
name: "Admin Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Admin Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Admin Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `RTWorkQueue Extended`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): the channel name has no provider prefix and the derived file
/// name `RTWorkQueue Extended.evtx` contains a space; presumably the generator
/// took a display name — verify the log exists before relying on this path.
pub(crate) static EVTX_RTWORKQUEUE_EXTENDED: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_rtworkqueue_extended",
name: "RTWorkQueue Extended",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\RTWorkQueue Extended.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'RTWorkQueue Extended'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `RTWorkQueue Threading`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): the channel name has no provider prefix and the derived file
/// name `RTWorkQueue Threading.evtx` contains a space; presumably the generator
/// took a display name — verify the log exists before relying on this path.
pub(crate) static EVTX_RTWORKQUEUE_THREADING: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_rtworkqueue_threading",
name: "RTWorkQueue Threading",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\RTWorkQueue Threading.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'RTWorkQueue Threading'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-RadioManager/Analytic`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Analytic channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RADIOMANAGER_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_radiomanager_analytic",
name: "Microsoft-Windows-RadioManager/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RadioManager\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-RadioManager/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Diagnostic channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RAS_NDISWANPACKETCAPTURE_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_ras_ndiswanpacketcapture_diagnostic",
name: "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Ras-NdisWanPacketCapture\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ReFS/Operational`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): `OsScope::Win7Plus` looks like a generator default; ReFS
/// postdates Windows 7 — verify against the source list.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REFS_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_refs_operational",
name: "Microsoft-Windows-ReFS/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ReFS\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ReFS/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ReFsDedupSvc/Operational`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): `OsScope::Win7Plus` looks like a generator default; ReFS
/// deduplication postdates Windows 7 — verify against the source list.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REFSDEDUPSVC_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_refsdedupsvc_operational",
name: "Microsoft-Windows-ReFsDedupSvc/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ReFsDedupSvc\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ReFsDedupSvc/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ReadyBoost/Analytic`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Analytic channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_READYBOOST_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_readyboost_analytic",
name: "Microsoft-Windows-ReadyBoost/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ReadyBoost\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ReadyBoost/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ReadyBoostDriver/Analytic`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Analytic channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_READYBOOSTDRIVER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_readyboostdriver_analytic",
name: "Microsoft-Windows-ReadyBoostDriver/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ReadyBoostDriver\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ReadyBoostDriver/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ReadyBoostDriver/Operational`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_READYBOOSTDRIVER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_readyboostdriver_operational",
name: "Microsoft-Windows-ReadyBoostDriver/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ReadyBoostDriver\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ReadyBoostDriver/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Recovery/Operational`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RECOVERY_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_recovery_operational",
name: "Microsoft-Windows-Recovery/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Recovery\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Recovery/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ReliabilityAnalysisComponent/Operational`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): the static name and `id` are cut off at "…_OPERATIO", which
/// suggests a length limit in the generator; truncated ids risk colliding with
/// other channels that share the same prefix — check uniqueness.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RELIABILITYANALYSISCOMPONENT_OPERATIO: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_reliabilityanalysiscomponent_operatio",
name: "Microsoft-Windows-ReliabilityAnalysisComponent/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ReliabilityAnalysisComponent\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ReliabilityAnalysisComponent/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Metrics`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): `Metrics` carries no provider prefix, unlike the surrounding
/// `Microsoft-Windows-*` entries; presumably the generator took a channel
/// display name — verify that `Metrics.evtx` actually exists under
/// `winevt\Logs` before relying on this path.
pub(crate) static EVTX_METRICS: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_metrics",
name: "Metrics",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Metrics.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Metrics'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-RemoteApp and Desktop Connections/Admin`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): the static name and `id` are cut off at "…_ADM", which
/// suggests a length limit in the generator; the sibling Operational channel is
/// truncated to "…_OPE", so the two stay distinct only by luck — check uniqueness.
/// NOTE(review): the derived directory name contains spaces
/// (`Microsoft-Windows-RemoteApp and Desktop Connections`); confirm that the
/// on-disk log folder really is spelled this way.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEAPP_AND_DESKTOP_CONNECTIONS_ADM: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_remoteapp_and_desktop_connections_adm",
name: "Microsoft-Windows-RemoteApp and Desktop Connections/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteApp and Desktop Connections\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-RemoteApp and Desktop Connections/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-RemoteApp and Desktop Connections/Operational`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): the static name and `id` are cut off at "…_OPE", which
/// suggests a length limit in the generator; truncated ids risk colliding with
/// other channels that share the same prefix — check uniqueness.
/// NOTE(review): the derived directory name contains spaces
/// (`Microsoft-Windows-RemoteApp and Desktop Connections`); confirm that the
/// on-disk log folder really is spelled this way.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEAPP_AND_DESKTOP_CONNECTIONS_OPE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_remoteapp_and_desktop_connections_ope",
name: "Microsoft-Windows-RemoteApp and Desktop Connections/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteApp and Desktop Connections\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-RemoteApp and Desktop Connections/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-RemoteAssistance/Tracing`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Tracing-style channels are typically disabled by default, so
/// the backing `.evtx` is often absent or empty on a collected host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEASSISTANCE_TRACING: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_remoteassistance_tracing",
name: "Microsoft-Windows-RemoteAssistance/Tracing",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteAssistance\\Tracing.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-RemoteAssistance/Tracing'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-RemoteAssistance/Admin`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Remote Assistance is a remote-control path into a host; an
/// investigation into unexpected interactive remote access may want this
/// channel above Low and tagged with a remote-services technique — the
/// descriptor currently records neither, so confirm before changing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEASSISTANCE_ADMIN: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_remoteassistance_admin",
name: "Microsoft-Windows-RemoteAssistance/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteAssistance\\Admin.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-RemoteAssistance/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-RemoteAssistance/Operational`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Remote Assistance is a remote-control path into a host; an
/// investigation into unexpected interactive remote access may want this
/// channel above Low and tagged with a remote-services technique — the
/// descriptor currently records neither, so confirm before changing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEASSISTANCE_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_remoteassistance_operational",
name: "Microsoft-Windows-RemoteAssistance/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteAssistance\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-RemoteAssistance/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): this is an RDP server-side channel; responders commonly use the
/// RdpCoreTS logs to corroborate inbound RDP activity, so Low priority and an
/// empty `mitre_techniques` list may understate its value — confirm against the
/// project's triage policy before changing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCORETS_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_remotedesktopservices_rdpcorets_admin",
name: "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): responders commonly use this channel to corroborate inbound RDP
/// connections (its connection events carry the peer address), so Low priority
/// and an empty `mitre_techniques` list may understate its value — confirm
/// against the project's triage policy before changing.
/// NOTE(review): the static name and `id` are cut off at "…_OPERA", which
/// suggests a length limit in the generator; truncated ids risk colliding with
/// other channels that share the same prefix — check uniqueness.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCORETS_OPERA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_remotedesktopservices_rdpcorets_opera",
name: "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): Debug channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCORETS_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_remotedesktopservices_rdpcorets_debug",
name: "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel
/// `Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug`.
///
/// Identity-decoded `EventLog` descriptor at Low triage priority; no MITRE
/// techniques, fields, retention, evidence or volatility metadata are populated.
/// NOTE(review): the static name and `id` are cut off at "…_KER", which
/// suggests a length limit in the generator; the sibling User-Mode channel is
/// truncated to "…_USE", so the two stay distinct only by luck — check uniqueness.
/// NOTE(review): Debug channels are typically disabled by default, so the
/// backing `.evtx` is often absent or empty on a collected host — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_REMOTEFX_VM_KER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_remotedesktopservices_remotefx_vm_ker",
name: "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel
/// `Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug`.
///
/// Note that `id` is a truncated form of the channel name; `name` carries
/// the full channel string.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_REMOTEFX_VM_USE: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_remotedesktopservices_remotefx_vm_use",
    name: "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport\\Debug.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel
/// `Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational`.
///
/// Operational channel of the RDS session services component; file-backed,
/// so the registry locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_SESSIONSERVICES: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_remotedesktopservices_sessionservices",
    name: "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteDesktopServices-SessionServices\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Remotefs-Rdbss/Diagnostic`.
///
/// Diagnostic channel of the redirected-drive buffering subsystem (RDBSS);
/// file-backed, so the registry locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEFS_RDBSS_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_remotefs_rdbss_diagnostic",
    name: "Microsoft-Windows-Remotefs-Rdbss/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Remotefs-Rdbss/Diagnostic'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Remotefs-Rdbss\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Remotefs-Rdbss/Operational`.
///
/// Operational sibling of the RDBSS Diagnostic channel; file-backed, so the
/// registry locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEFS_RDBSS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_remotefs_rdbss_operational",
    name: "Microsoft-Windows-Remotefs-Rdbss/Operational",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Remotefs-Rdbss/Operational'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Remotefs-Rdbss\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Remotefs-UTProvider/Diagnostic`.
///
/// File-backed diagnostic channel; the registry locator fields are left
/// empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_REMOTEFS_UTPROVIDER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_remotefs_utprovider_diagnostic",
    name: "Microsoft-Windows-Remotefs-UTProvider/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Remotefs-UTProvider/Diagnostic'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Remotefs-UTProvider\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-ResetEng-Trace/Diagnostic`.
///
/// File-backed diagnostic channel of the Windows reset engine; the registry
/// locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RESETENG_TRACE_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_reseteng_trace_diagnostic",
    name: "Microsoft-Windows-ResetEng-Trace/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-ResetEng-Trace/Diagnostic'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ResetEng-Trace\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Resource-Exhaustion-Detector/Operational`.
///
/// Note that `id` (and the static's name) is truncated; `name` carries the
/// full channel string.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RESOURCE_EXHAUSTION_DETECTOR_OPERATIO: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_resource_exhaustion_detector_operatio",
    name: "Microsoft-Windows-Resource-Exhaustion-Detector/Operational",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Resource-Exhaustion-Detector/Operational'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Resource-Exhaustion-Resolver/Operational`.
///
/// Note that `id` (and the static's name) is truncated; `name` carries the
/// full channel string.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RESOURCE_EXHAUSTION_RESOLVER_OPERATIO: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_resource_exhaustion_resolver_operatio",
    name: "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Resource-Exhaustion-Resolver/Operational'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Resource-Exhaustion-Resolver\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Resource-Leak-Diagnostic/Operational`.
///
/// File-backed operational channel; the registry locator fields are left
/// empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RESOURCE_LEAK_DIAGNOSTIC_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_resource_leak_diagnostic_operational",
    name: "Microsoft-Windows-Resource-Leak-Diagnostic/Operational",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Resource-Leak-Diagnostic/Operational'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Resource-Leak-Diagnostic\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-ResourcePublication/Tracing`.
///
/// File-backed tracing channel; the registry locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RESOURCEPUBLICATION_TRACING: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_resourcepublication_tracing",
    name: "Microsoft-Windows-ResourcePublication/Tracing",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-ResourcePublication/Tracing'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ResourcePublication\\Tracing.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-RestartManager/Operational`.
///
/// File-backed operational channel of the Restart Manager; the registry
/// locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RESTARTMANAGER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_restartmanager_operational",
    name: "Microsoft-Windows-RestartManager/Operational",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-RestartManager/Operational'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-RestartManager\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Runtime-Graphics/Analytic`.
///
/// File-backed analytic channel; the registry locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RUNTIME_GRAPHICS_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_runtime_graphics_analytic",
    name: "Microsoft-Windows-Runtime-Graphics/Analytic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Runtime-Graphics/Analytic'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Runtime-Graphics\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine`.
///
/// Note that `id` (and the static's name) is truncated; `name` carries the
/// full channel string.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RUNTIME_WINDOWS_MEDIA_WINRTCAPTUREENG: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_runtime_windows_media_winrtcaptureeng",
    name: "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Runtime-Windows-Media\\WinRTCaptureEngine.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode`.
///
/// File-backed media-runtime channel; the registry locator fields are left
/// empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RUNTIME_WINDOWS_MEDIA_WINRTTRANSCODE: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_runtime_windows_media_winrttranscode",
    name: "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Runtime-Windows-Media\\WinRTTranscode.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource`.
///
/// Note that `id` (and the static's name) is truncated; `name` carries the
/// full channel string.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RUNTIME_WINDOWS_MEDIA_WINRTMEDIASTREA: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_runtime_windows_media_winrtmediastrea",
    name: "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Runtime-Windows-Media\\WinRTMediaStreamSource.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource`.
///
/// Note that `id` (and the static's name) is truncated; `name` carries the
/// full channel string.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RUNTIME_WINDOWS_MEDIA_WINRTADAPTIVEME: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_runtime_windows_media_winrtadaptiveme",
    name: "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Runtime-Windows-Media\\WinRTAdaptiveMediaSource.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing`.
///
/// File-backed tracing channel; the registry locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RUNTIME_NETWORKING_BACKGROUNDTRANSFER: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_runtime_networking_backgroundtransfer",
    name: "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Runtime-Networking-BackgroundTransfer\\Tracing.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Runtime-Networking/Tracing`.
///
/// File-backed tracing channel; the registry locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RUNTIME_NETWORKING_TRACING: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_runtime_networking_tracing",
    name: "Microsoft-Windows-Runtime-Networking/Tracing",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Runtime-Networking/Tracing'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Runtime-Networking\\Tracing.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Runtime-Web-Http/Tracing`.
///
/// File-backed tracing channel; the registry locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RUNTIME_WEB_HTTP_TRACING: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_runtime_web_http_tracing",
    name: "Microsoft-Windows-Runtime-Web-Http/Tracing",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Runtime-Web-Http/Tracing'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Runtime-Web-Http\\Tracing.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-Runtime-WebAPI/Tracing`.
///
/// File-backed tracing channel; the registry locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_RUNTIME_WEBAPI_TRACING: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_runtime_webapi_tracing",
    name: "Microsoft-Windows-Runtime-WebAPI/Tracing",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Runtime-WebAPI/Tracing'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Runtime-WebAPI\\Tracing.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SENSE/Operational`.
///
/// NOTE(review): "SENSE" is the name used by the Microsoft Defender for
/// Endpoint sensor service; if that is what this channel records, its
/// health/stop events matter for detecting sensor tampering, and the `Low`
/// rating and empty `evidence_caveats` may deserve a second look — confirm
/// before changing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SENSE_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_sense_operational",
    name: "Microsoft-Windows-SENSE/Operational",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SENSE/Operational'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SENSE\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBClient/HelperClassDiagnostic`.
///
/// One of several SMB client channels in this module; file-backed, so the
/// registry locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBCLIENT_HELPERCLASSDIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbclient_helperclassdiagnostic",
    name: "Microsoft-Windows-SMBClient/HelperClassDiagnostic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBClient/HelperClassDiagnostic'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBClient\\HelperClassDiagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBClient/Diagnostic`.
///
/// File-backed SMB client diagnostic channel; the registry locator fields
/// are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBCLIENT_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbclient_diagnostic",
    name: "Microsoft-Windows-SMBClient/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBClient/Diagnostic'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBClient\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBClient/XPerfAnalytic`.
///
/// File-backed SMB client analytic channel; the registry locator fields are
/// left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBCLIENT_XPERFANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbclient_xperfanalytic",
    name: "Microsoft-Windows-SMBClient/XPerfAnalytic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBClient/XPerfAnalytic'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBClient\\XPerfAnalytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBClient/ObjectStateDiagnostic`.
///
/// File-backed SMB client diagnostic channel; the registry locator fields
/// are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBCLIENT_OBJECTSTATEDIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbclient_objectstatediagnostic",
    name: "Microsoft-Windows-SMBClient/ObjectStateDiagnostic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBClient/ObjectStateDiagnostic'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBClient\\ObjectStateDiagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBClient/Operational`.
///
/// File-backed SMB client operational channel; the registry locator fields
/// are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBCLIENT_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbclient_operational",
    name: "Microsoft-Windows-SMBClient/Operational",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBClient/Operational'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBClient\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBClient/Connectivity`.
///
/// File-backed SMB client connectivity channel; the registry locator fields
/// are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBCLIENT_CONNECTIVITY: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbclient_connectivity",
    name: "Microsoft-Windows-SMBClient/Connectivity",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBClient/Connectivity'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBClient\\Connectivity.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
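/// Event Log channel `Microsoft-Windows-SMBClient/Security`.
///
/// This is the SMB client's own Security channel — see `file_path`, which
/// points at `Microsoft-Windows-SMBClient\Security.evtx`, not at the Windows
/// Security audit log `Security.evtx`. The caveat text states that
/// distinction so the two are not conflated during triage.
///
/// Rated `Critical`/`Strong` with a rotating-buffer volatility class; the
/// rationale strings below are the ones the author supplied.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBCLIENT_SECURITY: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbclient_security",
    name: "Microsoft-Windows-SMBClient/Security",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBClient/Security'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBClient\\Security.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata.
    triage_priority: TriagePriority::Critical,
    retention: None,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    // Name the channel precisely: it is an SMB provider channel, not Security.evtx.
    evidence_caveats: &[
        "SMB client Security channel, distinct from the Windows Security audit log (Security.evtx); check Policy log for channel disable events",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit; Security channel is high-value",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};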
/// Event Log channel `Microsoft-Windows-SMBClient/Audit`.
///
/// File-backed SMB client audit channel; the registry locator fields are
/// left empty. Unlike the sibling `Security` channel, it is not rated.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBCLIENT_AUDIT: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbclient_audit",
    name: "Microsoft-Windows-SMBClient/Audit",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBClient/Audit'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBClient\\Audit.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBDirect/Operational`.
///
/// File-backed SMB Direct (RDMA transport) operational channel; the registry
/// locator fields are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBDIRECT_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbdirect_operational",
    name: "Microsoft-Windows-SMBDirect/Operational",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBDirect/Operational'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBDirect\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBDirect/Admin`.
///
/// File-backed SMB Direct admin channel; the registry locator fields are
/// left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBDIRECT_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbdirect_admin",
    name: "Microsoft-Windows-SMBDirect/Admin",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBDirect/Admin'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBDirect\\Admin.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBDirect/Debug`.
///
/// File-backed SMB Direct debug channel; the registry locator fields are
/// left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBDIRECT_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbdirect_debug",
    name: "Microsoft-Windows-SMBDirect/Debug",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBDirect/Debug'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBDirect\\Debug.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBDirect/Connectivity`.
///
/// File-backed SMB Direct connectivity channel; the registry locator fields
/// are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBDIRECT_CONNECTIVITY: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbdirect_connectivity",
    name: "Microsoft-Windows-SMBDirect/Connectivity",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBDirect/Connectivity'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBDirect\\Connectivity.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBDirect/Netmon`.
///
/// File-backed SMB Direct channel; the registry locator fields are left
/// empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBDIRECT_NETMON: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbdirect_netmon",
    name: "Microsoft-Windows-SMBDirect/Netmon",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBDirect/Netmon'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBDirect\\Netmon.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBServer/Performance`.
///
/// File-backed SMB server performance channel; the registry locator fields
/// are left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBSERVER_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbserver_performance",
    name: "Microsoft-Windows-SMBServer/Performance",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBServer/Performance'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBServer\\Performance.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
/// Event Log channel `Microsoft-Windows-SMBServer/Analytic`.
///
/// File-backed SMB server analytic channel; the registry locator fields are
/// left empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBSERVER_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbserver_analytic",
    name: "Microsoft-Windows-SMBServer/Analytic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBServer/Analytic'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBServer\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata; this channel is not rated.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};
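/// Event Log channel `Microsoft-Windows-SMBServer/Security`.
///
/// This is the SMB server's own Security channel — see `file_path`, which
/// points at `Microsoft-Windows-SMBServer\Security.evtx`, not at the Windows
/// Security audit log `Security.evtx`. The caveat text states that
/// distinction so the two are not conflated during triage.
///
/// Rated `Critical`/`Strong` with a rotating-buffer volatility class; the
/// rationale strings below are the ones the author supplied.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBSERVER_SECURITY: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and classification.
    id: "evtx_microsoft_windows_smbserver_security",
    name: "Microsoft-Windows-SMBServer/Security",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBServer/Security'.",
    // Locator: on-disk log file; no registry key is involved.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBServer\\Security.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage and evidence metadata.
    triage_priority: TriagePriority::Critical,
    retention: None,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    // Name the channel precisely: it is an SMB provider channel, not Security.evtx.
    evidence_caveats: &[
        "SMB server Security channel, distinct from the Windows Security audit log (Security.evtx); check Policy log for channel disable events",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit; Security channel is high-value",
    // Cross-references and provenance.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
};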
/// Event-log channel `Microsoft-Windows-SMBServer/Operational`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBSERVER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_smbserver_operational",
    name: "Microsoft-Windows-SMBServer/Operational",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBServer/Operational'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBServer\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-SMBServer/Connectivity`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBSERVER_CONNECTIVITY: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_smbserver_connectivity",
    name: "Microsoft-Windows-SMBServer/Connectivity",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBServer/Connectivity'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBServer\\Connectivity.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-SMBServer/Diagnostic`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// NOTE(review): Diagnostic-type channels are usually off by default, so the
/// .evtx may be absent on a host unless someone enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBSERVER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_smbserver_diagnostic",
    name: "Microsoft-Windows-SMBServer/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBServer/Diagnostic'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBServer\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
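/// Event-log channel `Microsoft-Windows-SMBServer/Audit`.
///
/// Raised from Low to Medium: this is an audit channel of the SMB server
/// (legacy-protocol / access auditing), which is directly useful when
/// looking for SMB1 use or unexpected share access during an intrusion.
/// NOTE(review): the channel is only populated when SMB server auditing is
/// switched on, so an empty file is not evidence of absence — confirm the
/// auditing setting on the host before drawing conclusions.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBSERVER_AUDIT: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_smbserver_audit",
    name: "Microsoft-Windows-SMBServer/Audit",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBServer\\Audit.evtx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBServer/Audit'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Audit channel of the SMB server: more useful than the Low default.
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    // Caveat: populated only when SMB server auditing is enabled.
    evidence_caveats: &[
        "Audit channel of the SMB server; populated only when SMB server access auditing is enabled on the host, so an empty log does not mean no SMB activity occurred",
    ],
    volatility: None,
    volatility_rationale: "",
};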
/// Event-log channel `Microsoft-Windows-SMBWitnessClient/Admin`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBWITNESSCLIENT_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_smbwitnessclient_admin",
    name: "Microsoft-Windows-SMBWitnessClient/Admin",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBWitnessClient/Admin'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBWitnessClient\\Admin.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `WitnessClientAdmin`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// NOTE(review): this looks like the same SMB witness-client admin channel as
/// `Microsoft-Windows-SMBWitnessClient/Admin` under a legacy file name —
/// confirm whether both files really exist on a host before keeping both.
pub(crate) static EVTX_WITNESSCLIENTADMIN: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_witnessclientadmin",
    name: "WitnessClientAdmin",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'WitnessClientAdmin'.",
    // Location: a flat .evtx directly under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\WitnessClientAdmin.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-SMBWitnessClient/Informational`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBWITNESSCLIENT_INFORMATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_smbwitnessclient_informational",
    name: "Microsoft-Windows-SMBWitnessClient/Informational",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SMBWitnessClient/Informational'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBWitnessClient\\Informational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-Schannel-Events/Perf`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// This is the Schannel (TLS) provider's performance channel, not the
/// System-log Schannel error events an analyst usually wants for TLS issues.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SCHANNEL_EVENTS_PERF: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_schannel_events_perf",
    name: "Microsoft-Windows-Schannel-Events/Perf",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Schannel-Events/Perf'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Schannel-Events\\Perf.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-ScmBus/Analytic`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// NOTE(review): Analytic-type channels are usually off by default, so the
/// .evtx may be absent on a host unless someone enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SCMBUS_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_scmbus_analytic",
    name: "Microsoft-Windows-ScmBus/Analytic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-ScmBus/Analytic'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ScmBus\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-ScmBus/Diagnose`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SCMBUS_DIAGNOSE: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_scmbus_diagnose",
    name: "Microsoft-Windows-ScmBus/Diagnose",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-ScmBus/Diagnose'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ScmBus\\Diagnose.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-ScmBus/Certification`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SCMBUS_CERTIFICATION: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_scmbus_certification",
    name: "Microsoft-Windows-ScmBus/Certification",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-ScmBus/Certification'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ScmBus\\Certification.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-ScmDisk0101/Analytic`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// NOTE(review): Analytic-type channels are usually off by default, so the
/// .evtx may be absent on a host unless someone enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SCMDISK0101_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_scmdisk0101_analytic",
    name: "Microsoft-Windows-ScmDisk0101/Analytic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-ScmDisk0101/Analytic'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ScmDisk0101\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-ScmDisk0101/Diagnostic`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// NOTE(review): Diagnostic-type channels are usually off by default, so the
/// .evtx may be absent on a host unless someone enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SCMDISK0101_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_scmdisk0101_diagnostic",
    name: "Microsoft-Windows-ScmDisk0101/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-ScmDisk0101/Diagnostic'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ScmDisk0101\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-ScmDisk0101/Operational`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SCMDISK0101_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_scmdisk0101_operational",
    name: "Microsoft-Windows-ScmDisk0101/Operational",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-ScmDisk0101/Operational'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ScmDisk0101\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-Sdbus/Analytic`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// NOTE(review): Analytic-type channels are usually off by default, so the
/// .evtx may be absent on a host unless someone enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SDBUS_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_sdbus_analytic",
    name: "Microsoft-Windows-Sdbus/Analytic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Sdbus/Analytic'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Sdbus\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-Sdbus/Debug`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// NOTE(review): Debug-type channels are usually off by default, so the
/// .evtx may be absent on a host unless someone enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SDBUS_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_sdbus_debug",
    name: "Microsoft-Windows-Sdbus/Debug",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Sdbus/Debug'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Sdbus\\Debug.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-Sdstor/Analytic`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// NOTE(review): Analytic-type channels are usually off by default, so the
/// .evtx may be absent on a host unless someone enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SDSTOR_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_sdstor_analytic",
    name: "Microsoft-Windows-Sdstor/Analytic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Sdstor/Analytic'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Sdstor\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-Search-Core/Diagnostic`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// NOTE(review): Diagnostic-type channels are usually off by default, so the
/// .evtx may be absent on a host unless someone enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SEARCH_CORE_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_search_core_diagnostic",
    name: "Microsoft-Windows-Search-Core/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Search-Core/Diagnostic'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Search-Core\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `Microsoft-Windows-Search-ProtocolHandlers/Diagnostic`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// NOTE(review): Diagnostic-type channels are usually off by default, so the
/// .evtx may be absent on a host unless someone enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SEARCH_PROTOCOLHANDLERS_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_microsoft_windows_search_protocolhandlers_diagnostic",
    name: "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Search-ProtocolHandlers/Diagnostic'.",
    // Location: on-disk .evtx under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Search-ProtocolHandlers\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
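/// Event-log channel `Microsoft-Windows-Security-Adminless/Operational`.
///
/// The previous caveat described this as the "Windows Security audit log";
/// it is not. The file lives under the `Microsoft-Windows-Security-Adminless`
/// provider directory, not at `Security.evtx`, so it is not controlled by the
/// Security audit policy. Only the caveat is corrected here.
/// NOTE(review): the Critical/Strong grading appears to have been inherited
/// from a name match on "Security-"; confirm what this channel actually
/// records before relying on that grading.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_ADMINLESS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_adminless_operational",
    name: "Microsoft-Windows-Security-Adminless/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-Adminless\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-Adminless/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    // Corrected: not Security.evtx; 'Security-' is the provider family prefix.
    evidence_caveats: &["Not the Windows Security audit log (Security.evtx): 'Security-' is the provider family prefix; confirm the channel is enabled on the host and check the Policy log for channel disable events"],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit; operational security channel is high-value",
};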
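/// Event-log channel `Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic`.
///
/// Downgraded from Critical/Strong to Low/ungraded. This is the Diagnostic
/// channel of the audit-configuration client, not the Windows Security audit
/// log; the old grading and the "Windows Security audit log" caveat were
/// clearly copied from `Security.evtx` by a name match on "Security-".
/// The sibling Operational channel is the one worth triage attention.
/// NOTE(review): Diagnostic-type channels are usually off by default, so the
/// .evtx may be absent on a host unless someone enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_AUDIT_CONFIGURATION_CLIENT_D: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_audit_configuration_client_d",
    name: "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-Audit-Configuration-Client\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Diagnostic channel: graded like the other Low diagnostic channels.
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &["Diagnostic channel of the audit-configuration client; not the Windows Security audit log (Security.evtx)"],
    volatility: None,
    volatility_rationale: "",
};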
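/// Event-log channel `Microsoft-Windows-Security-Audit-Configuration-Client/Operational`.
///
/// Not the Windows Security audit log (`Security.evtx`): the file lives under
/// its own provider directory. The caveat is corrected accordingly. Grading
/// is left at Critical/Strong because changes to audit configuration are
/// exactly what an attacker disabling logging would produce, which makes
/// this channel relevant to defence-evasion triage.
/// NOTE(review): confirm the channel is enabled by default on the target OS
/// builds before treating its absence as tampering.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_AUDIT_CONFIGURATION_CLIENT_O: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_audit_configuration_client_o",
    name: "Microsoft-Windows-Security-Audit-Configuration-Client/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-Audit-Configuration-Client\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-Audit-Configuration-Client/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    // Corrected: not Security.evtx; 'Security-' is the provider family prefix.
    evidence_caveats: &["Not the Windows Security audit log (Security.evtx): this is the audit-configuration client's operational channel; confirm it is enabled on the host and check the Policy log for channel disable events"],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit; audit-configuration channel is high-value",
};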
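/// Event-log channel `Microsoft-Windows-Security-Configuration-Wizard/Diagnostic`.
///
/// Downgraded from Critical/Strong to Low/ungraded. This is the Diagnostic
/// channel of the Security Configuration Wizard, not the Windows Security
/// audit log; the old grading and caveat were copied from `Security.evtx`
/// by a name match on "Security-".
/// NOTE(review): Diagnostic-type channels are usually off by default, so the
/// .evtx may be absent on a host unless someone enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_CONFIGURATION_WIZARD_DIAGNOS: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_configuration_wizard_diagnos",
    name: "Microsoft-Windows-Security-Configuration-Wizard/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-Configuration-Wizard\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-Configuration-Wizard/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Diagnostic channel: graded like the other Low diagnostic channels.
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &["Diagnostic channel of the Security Configuration Wizard; not the Windows Security audit log (Security.evtx)"],
    volatility: None,
    volatility_rationale: "",
};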
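/// Event-log channel `Microsoft-Windows-Security-Configuration-Wizard/Operational`.
///
/// Re-graded from Critical/Strong to Medium/ungraded. This is the operational
/// channel of the Security Configuration Wizard, not the Windows Security
/// audit log; the old grading and caveat were copied from `Security.evtx` by
/// a name match on "Security-". Medium rather than Low because a tool that
/// rewrites host security configuration is still worth a look during triage.
/// NOTE(review): confirm the wizard (and thus this channel) exists on the OS
/// builds in scope before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_CONFIGURATION_WIZARD_OPERATI: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_configuration_wizard_operati",
    name: "Microsoft-Windows-Security-Configuration-Wizard/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-Configuration-Wizard\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-Configuration-Wizard/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Configuration-change tool: Medium, consistent with other Medium channels.
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &["Operational channel of the Security Configuration Wizard; not the Windows Security audit log (Security.evtx)"],
    volatility: None,
    volatility_rationale: "",
};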
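/// Event-log channel
/// `Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational`.
///
/// Not the Windows Security audit log (`Security.evtx`): the file lives under
/// its own provider directory. Only the caveat is corrected here.
/// NOTE(review): the Critical/Strong grading appears to have been inherited
/// from a name match on "Security-"; an enterprise-data file-revocation
/// channel is more likely Medium in most investigations — confirm what it
/// records before keeping Critical.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_ENTERPRISEDATA_FILEREVOCATIO: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_enterprisedata_filerevocatio",
    name: "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-EnterpriseData-FileRevocationManager\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    // Corrected: not Security.evtx; 'Security-' is the provider family prefix.
    evidence_caveats: &["Not the Windows Security audit log (Security.evtx): 'Security-' is the provider family prefix; confirm the channel is enabled on the host and check the Policy log for channel disable events"],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit; operational security channel is high-value",
};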
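/// Event-log channel
/// `Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance`.
///
/// Downgraded from Critical/Strong to Low/ungraded. This is a Performance
/// channel of the ActiveSync provisioning component, not the Windows Security
/// audit log; the old grading and caveat were copied from `Security.evtx` by
/// a name match on "Security-" and would mis-rank it above real audit data.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_EXCHANGEACTIVESYNCPROVISIONI: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_exchangeactivesyncprovisioni",
    name: "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-ExchangeActiveSyncProvisioning\\Performance.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Performance channel: graded like the other Low perf channels.
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &["Performance channel; not the Windows Security audit log (Security.evtx) despite the 'Security-' provider prefix"],
    volatility: None,
    volatility_rationale: "",
};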
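/// Event-log channel `Microsoft-Windows-Security-IdentityStore/Performance`.
///
/// Downgraded from Critical/Strong to Low/ungraded. This is a Performance
/// channel of the identity-store component, not the Windows Security audit
/// log; the old grading and caveat were copied from `Security.evtx` by a
/// name match on "Security-" and would mis-rank it above real audit data.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_IDENTITYSTORE_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_identitystore_performance",
    name: "Microsoft-Windows-Security-IdentityStore/Performance",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-IdentityStore\\Performance.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-IdentityStore/Performance'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Performance channel: graded like the other Low perf channels.
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &["Performance channel; not the Windows Security audit log (Security.evtx) despite the 'Security-' provider prefix"],
    volatility: None,
    volatility_rationale: "",
};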
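/// Event-log channel
/// `Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational`.
///
/// Not the Windows Security audit log (`Security.evtx`): the file lives under
/// its own provider directory. Only the caveat is corrected here.
/// NOTE(review): the Critical/Strong grading appears to have been inherited
/// from a name match on "Security-"; confirm what this app-container channel
/// actually records before relying on that grading.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_LESSPRIVILEGEDAPPCONTAINER_O: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_lessprivilegedappcontainer_o",
    name: "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-LessPrivilegedAppContainer\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    // Corrected: not Security.evtx; 'Security-' is the provider family prefix.
    evidence_caveats: &["Not the Windows Security audit log (Security.evtx): 'Security-' is the provider family prefix; confirm the channel is enabled on the host and check the Policy log for channel disable events"],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit; operational security channel is high-value",
};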
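/// Event-log channel `Microsoft-Windows-Security-Licensing-SLC/Perf`.
///
/// Downgraded from Critical/Strong to Low/ungraded. This is the Perf channel
/// of the software-licensing client, not the Windows Security audit log; the
/// old grading and caveat were copied from `Security.evtx` by a name match on
/// "Security-" and would mis-rank a licensing perf log above real audit data.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_LICENSING_SLC_PERF: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_licensing_slc_perf",
    name: "Microsoft-Windows-Security-Licensing-SLC/Perf",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-Licensing-SLC\\Perf.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-Licensing-SLC/Perf'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Licensing perf channel: graded like the other Low perf channels.
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &["Software-licensing performance channel; not the Windows Security audit log (Security.evtx) despite the 'Security-' provider prefix"],
    volatility: None,
    volatility_rationale: "",
};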
/// Event-log channel `Kernel Mode`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// The file name contains a space, so callers building paths must not split
/// on whitespace.
pub(crate) static EVTX_KERNEL_MODE: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_kernel_mode",
    name: "Kernel Mode",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'Kernel Mode'.",
    // Location: a flat .evtx directly under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Kernel Mode.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event-log channel `User Mode`.
///
/// Low triage priority; no evidence grading or volatility class is recorded.
/// The file name contains a space, so callers building paths must not split
/// on whitespace.
pub(crate) static EVTX_USER_MODE: ArtifactDescriptor = ArtifactDescriptor {
    // Identity.
    id: "evtx_user_mode",
    name: "User Mode",
    artifact_type: ArtifactType::EventLog,
    meaning: "Windows Event Log channel 'User Mode'.",
    // Location: a flat .evtx directly under winevt\Logs; no registry component.
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\User Mode.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    // Scope and decoding.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Analyst metadata (nothing channel-specific recorded).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Triage grading.
    triage_priority: TriagePriority::Low,
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
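/// Event-log channel `Microsoft-Windows-Security-Netlogon/Operational`.
///
/// Not the Windows Security audit log (`Security.evtx`): the file lives under
/// the Netlogon provider directory and is not governed by the Security audit
/// policy, so the previous caveat was misleading. Critical/Strong is kept:
/// Netlogon's own operational channel is directly relevant to authentication
/// and domain-controller triage.
/// NOTE(review): confirm the channel is enabled by default on the target OS
/// builds before treating an empty file as "no events".
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_NETLOGON_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_netlogon_operational",
    name: "Microsoft-Windows-Security-Netlogon/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-Netlogon\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-Netlogon/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    // Corrected: not Security.evtx; this is Netlogon's own operational channel.
    evidence_caveats: &["Not the Windows Security audit log (Security.evtx): this is the Netlogon provider's operational channel; confirm it is enabled on the host and check the Policy log for channel disable events"],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit; Netlogon operational channel is high-value",
};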
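/// Event-log channel `Microsoft-Windows-Security-SPP-UX-GC/Analytic`.
///
/// Downgraded from Critical/Strong to Low/ungraded. This is an Analytic
/// channel of the Software Protection Platform (licensing/activation) UX,
/// not the Windows Security audit log; the old grading and caveat were copied
/// from `Security.evtx` by a name match on "Security-".
/// NOTE(review): Analytic-type channels are usually off by default, so the
/// .evtx may be absent on a host unless someone enabled it — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_UX_GC_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_spp_ux_gc_analytic",
    name: "Microsoft-Windows-Security-SPP-UX-GC/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-SPP-UX-GC\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-SPP-UX-GC/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Licensing UX analytic channel: graded like the other Low analytic channels.
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &["Software Protection Platform (licensing) UX analytic channel; not the Windows Security audit log (Security.evtx) despite the 'Security-' provider prefix"],
    volatility: None,
    volatility_rationale: "",
};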
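/// Event-log channel
/// `Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational`.
///
/// Downgraded from Critical/Strong to Low/ungraded. This is the logging
/// channel of the Software Protection Platform "genuine" (activation) UI,
/// not the Windows Security audit log; the old grading and caveat were copied
/// from `Security.evtx` by a name match on "Security-" and would rank an
/// activation-status log above real audit data.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_UX_GENUINECENTER_LOGGING: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_spp_ux_genuinecenter_logging",
    name: "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Licensing UX channel: graded like the other Low channels.
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &["Software Protection Platform (licensing) UX logging channel; not the Windows Security audit log (Security.evtx) despite the 'Security-' provider prefix"],
    volatility: None,
    volatility_rationale: "",
};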
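/// Descriptor for the `Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter`
/// event log channel.
///
/// A Software Protection Platform (licensing) notification channel, not the
/// Windows Security audit log; rated Low with no evidence-strength claim
/// rather than the Security audit-log template.
///
/// NOTE(review): the identifier and `id` end in `ACTIONC`/`actionc`, which looks
/// like generator truncation of "ActionCenter"; kept as-is because other code
/// may reference them.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_UX_NOTIFICATIONS_ACTIONC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_spp_ux_notifications_actionc",
    name: "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-SPP-UX-Notifications\\ActionCenter.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Low, not Critical: licensing notifications, not the Security audit log.
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[
        "Software Protection Platform (licensing) channel; not the Windows Security audit log",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit",
};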
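/// Descriptor for the `Microsoft-Windows-Security-SPP-UX/Analytic` event log channel.
///
/// Software Protection Platform (licensing) UX analytic channel, not the
/// Windows Security audit log; rated like the file's other Analytic channels
/// (Low, no evidence-strength claim) instead of the Security audit-log template.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_UX_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_spp_ux_analytic",
    name: "Microsoft-Windows-Security-SPP-UX/Analytic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-SPP-UX\\Analytic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-SPP-UX/Analytic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Low, not Critical: licensing UX telemetry, not the Security audit log.
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[
        "Software Protection Platform (licensing) channel; not the Windows Security audit log",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit",
};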
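/// Descriptor for the `Microsoft-Windows-Security-SPP/Perf` event log channel.
///
/// Software Protection Platform (licensing) performance channel, not the
/// Windows Security audit log; rated like the file's other Perf/Analytic
/// channels (Low, no evidence-strength claim) instead of the Security
/// audit-log template.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_SPP_PERF: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_security_spp_perf",
        name: "Microsoft-Windows-Security-SPP/Perf",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-SPP\\Perf.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Security-SPP/Perf'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        // Low, not Critical: licensing performance counters, not the Security audit log.
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[
            "Software Protection Platform (licensing) performance channel; not the Windows Security audit log",
        ],
        volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
        volatility_rationale: "Event log rotates on size limit",
    };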
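/// Descriptor for the `Microsoft-Windows-Security-UserConsentVerifier/Audit`
/// event log channel.
///
/// Audit channel of the user-consent verification component. It is not the
/// Windows Security audit log, so the Critical / Strong template copied from
/// that channel is replaced: Medium priority, no evidence-strength claim until
/// the channel's event content has been assessed.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_USERCONSENTVERIFIER_AUDIT: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_userconsentverifier_audit",
    name: "Microsoft-Windows-Security-UserConsentVerifier/Audit",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-UserConsentVerifier\\Audit.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-UserConsentVerifier/Audit'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // NOTE(review): Medium is provisional — an authentication-consent audit
    // channel may merit more, but Critical was inherited from the Security
    // audit-log template rather than assessed.
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[
        "User consent verification audit channel; not the Windows Security audit log",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit",
};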
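/// Descriptor for the `Microsoft-Windows-Security-Vault/Performance` event log channel.
///
/// Performance channel of the credential vault component, not the Windows
/// Security audit log; rated like the file's other Perf/Analytic channels
/// (Low, no evidence-strength claim) instead of the Security audit-log template.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITY_VAULT_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_security_vault_performance",
    name: "Microsoft-Windows-Security-Vault/Performance",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Security-Vault\\Performance.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-Security-Vault/Performance'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Low, not Critical: performance telemetry, not the Security audit log.
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[
        "Credential vault performance channel; not the Windows Security audit log",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit",
};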
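/// Descriptor for the `Microsoft-Windows-SecurityMitigationsBroker/Perf` event log channel.
///
/// Performance channel of the security mitigations broker, not the Windows
/// Security audit log; rated like the file's other Perf/Analytic channels
/// (Low, no evidence-strength claim) instead of the Security audit-log template.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITYMITIGATIONSBROKER_PERF: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_securitymitigationsbroker_perf",
    name: "Microsoft-Windows-SecurityMitigationsBroker/Perf",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SecurityMitigationsBroker\\Perf.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SecurityMitigationsBroker/Perf'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // Low, not Critical: performance telemetry, not the Security audit log.
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[
        "Security mitigations broker performance channel; not the Windows Security audit log",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit",
};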
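/// Descriptor for the `Microsoft-Windows-SecurityMitigationsBroker/Operational`
/// event log channel.
///
/// Operational channel of the security mitigations broker. It is not the
/// Windows Security audit log, so the Critical / Strong template copied from
/// that channel is replaced: Medium priority, no evidence-strength claim until
/// the channel's event content has been assessed.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITYMITIGATIONSBROKER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_securitymitigationsbroker_operational",
    name: "Microsoft-Windows-SecurityMitigationsBroker/Operational",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SecurityMitigationsBroker\\Operational.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SecurityMitigationsBroker/Operational'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // NOTE(review): Medium is provisional — mitigation-related events may merit
    // more, but Critical was inherited from the Security audit-log template
    // rather than assessed.
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[
        "Security mitigations broker channel; not the Windows Security audit log",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit",
};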
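/// Descriptor for the `Microsoft-Windows-SecurityMitigationsBroker/Admin`
/// event log channel.
///
/// Admin channel of the security mitigations broker. It is not the Windows
/// Security audit log, so the Critical / Strong template copied from that
/// channel is replaced: Medium priority, no evidence-strength claim until the
/// channel's event content has been assessed.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SECURITYMITIGATIONSBROKER_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_securitymitigationsbroker_admin",
    name: "Microsoft-Windows-SecurityMitigationsBroker/Admin",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SecurityMitigationsBroker\\Admin.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-SecurityMitigationsBroker/Admin'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    // NOTE(review): Medium is provisional — see the Operational channel of the
    // same provider; Critical was inherited, not assessed.
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[
        "Security mitigations broker channel; not the Windows Security audit log",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Event log rotates on size limit",
};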
/// Descriptor for the `Microsoft-Windows-SendTo/Diagnostic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty). The path contains the `%SystemRoot%` environment
/// variable, which is not expanded here.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SENDTO_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_sendto_diagnostic",
    name: "Microsoft-Windows-SendTo/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SendTo/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SendTo\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    // NOTE(review): Diagnostic-type channels are commonly disabled by default,
    // so the file may be absent on a given host — confirm during collection.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-SenseIR/Operational` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
///
/// NOTE(review): "SenseIR" appears to belong to the Defender for Endpoint
/// sensor family; if so, Low may undervalue this channel for incident
/// response — confirm before relying on the priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SENSEIR_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_senseir_operational",
    name: "Microsoft-Windows-SenseIR/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SenseIR/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SenseIR\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Server For NFS/Operational` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty). Note the channel name (and hence the on-disk
/// directory) contains spaces.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SERVER_FOR_NFS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_server_for_nfs_operational",
    name: "Microsoft-Windows-Server For NFS/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Server For NFS/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Server For NFS\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Deploy` event log channel.
///
/// A top-level channel (no `Microsoft-Windows-` provider prefix) stored
/// directly under the `Logs` directory. Low triage priority; evidence strength
/// and volatility are not assessed (left `None`/empty).
pub(crate) static EVTX_DEPLOY: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_deploy",
    name: "Deploy",
    meaning: "Windows Event Log channel 'Deploy'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Deploy.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-ServerManager/Operational` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SERVERMANAGER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_servermanager_operational",
    name: "Microsoft-Windows-ServerManager/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-ServerManager/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ServerManager\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Service Reporting API/Debug` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty). The channel name, and hence the on-disk directory,
/// contains spaces.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SERVICE_REPORTING_API_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_service_reporting_api_debug",
    name: "Microsoft-Windows-Service Reporting API/Debug",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Service Reporting API/Debug'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Service Reporting API\\Debug.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    // NOTE(review): Debug-type channels are commonly disabled by default, so
    // the file may be absent on a given host — confirm during collection.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Services-Svchost/Diagnostic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SERVICES_SVCHOST_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_services_svchost_diagnostic",
    name: "Microsoft-Windows-Services-Svchost/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Services-Svchost/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Services-Svchost\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Services/Diagnostic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SERVICES_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_services_diagnostic",
    name: "Microsoft-Windows-Services/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Services/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Services\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Servicing/Debug` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SERVICING_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_servicing_debug",
    name: "Microsoft-Windows-Servicing/Debug",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Servicing/Debug'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Servicing\\Debug.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    // NOTE(review): Debug-type channels are commonly disabled by default, so
    // the file may be absent on a given host — confirm during collection.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-SettingSync-Azure/Operational` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_AZURE_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_settingsync_azure_operational",
    name: "Microsoft-Windows-SettingSync-Azure/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SettingSync-Azure/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SettingSync-Azure\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-SettingSync-Azure/Debug` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_AZURE_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_settingsync_azure_debug",
    name: "Microsoft-Windows-SettingSync-Azure/Debug",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SettingSync-Azure/Debug'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SettingSync-Azure\\Debug.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-SettingSync/Operational` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_settingsync_operational",
    name: "Microsoft-Windows-SettingSync/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SettingSync/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SettingSync\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-SettingSync/Debug` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_settingsync_debug",
    name: "Microsoft-Windows-SettingSync/Debug",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SettingSync/Debug'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SettingSync\\Debug.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-SettingSync/Analytic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_settingsync_analytic",
    name: "Microsoft-Windows-SettingSync/Analytic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SettingSync/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SettingSync\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    // NOTE(review): Analytic-type channels are commonly disabled by default, so
    // the file may be absent on a given host — confirm during collection.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-SettingSync-OneDrive/Analytic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_ONEDRIVE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_settingsync_onedrive_analytic",
    name: "Microsoft-Windows-SettingSync-OneDrive/Analytic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SettingSync-OneDrive/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SettingSync-OneDrive\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-SettingSync/VerboseDebug` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SETTINGSYNC_VERBOSEDEBUG: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_settingsync_verbosedebug",
    name: "Microsoft-Windows-SettingSync/VerboseDebug",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SettingSync/VerboseDebug'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SettingSync\\VerboseDebug.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Setup/Analytic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SETUP_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_setup_analytic",
    name: "Microsoft-Windows-Setup/Analytic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Setup/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Setup\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-SetupCl/Analytic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SETUPCL_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_setupcl_analytic",
    name: "Microsoft-Windows-SetupCl/Analytic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SetupCl/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SetupCl\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-SetupPlatform/Analytic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SETUPPLATFORM_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_setupplatform_analytic",
    name: "Microsoft-Windows-SetupPlatform/Analytic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SetupPlatform/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SetupPlatform\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-SetupQueue/Analytic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SETUPQUEUE_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_setupqueue_analytic",
    name: "Microsoft-Windows-SetupQueue/Analytic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SetupQueue/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SetupQueue\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-SetupUGC/Analytic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SETUPUGC_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_setupugc_analytic",
    name: "Microsoft-Windows-SetupUGC/Analytic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-SetupUGC/Analytic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SetupUGC\\Analytic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHAREMEDIA_CONTROLPANEL_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_sharemedia_controlpanel_diagnostic",
    name: "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ShareMedia-ControlPanel\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Shell-AppWizCpl/Diagnostic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_APPWIZCPL_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_shell_appwizcpl_diagnostic",
    name: "Microsoft-Windows-Shell-AppWizCpl/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-AppWizCpl/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-AppWizCpl\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Authentication User Interface/Operational`
/// event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty). The channel name, and hence the on-disk directory,
/// contains spaces.
///
/// NOTE(review): the identifier and `id` end in `OPERATI`/`operati`, which
/// looks like generator truncation of "Operational"; kept as-is because other
/// code may reference them. A truncated `id` is also at risk of colliding with
/// another long channel name — worth checking for uniqueness where ids are
/// registered.
pub(crate) static EVTX_MICROSOFT_WINDOWS_AUTHENTICATION_USER_INTERFACE_OPERATI: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_authentication_user_interface_operati",
    name: "Microsoft-Windows-Authentication User Interface/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Authentication User Interface/Operational'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Authentication User Interface\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Shell-AuthUI-Common/Diagnostic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_COMMON_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_shell_authui_common_diagnostic",
    name: "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-AuthUI-Common/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-AuthUI-Common\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_LOGONUI_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_shell_authui_logonui_diagnostic",
    name: "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-AuthUI-LogonUI\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_LOGON_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_shell_authui_logon_diagnostic",
    name: "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-AuthUI-Logon\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Descriptor for the `Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic` event log channel.
///
/// Low triage priority; evidence strength and volatility are not assessed
/// (left `None`/empty).
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_CREDUI_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and provenance.
    id: "evtx_microsoft_windows_shell_authui_credui_diagnostic",
    name: "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic'.",
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    // Location: an on-disk .evtx file; no registry hive, key or value applies.
    artifact_type: ArtifactType::EventLog,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-AuthUI-CredUI\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    // Applicability.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Triage metadata: only the priority is set.
    // NOTE(review): Diagnostic-type channels are commonly disabled by default,
    // so the file may be absent on a given host — confirm during collection.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic`, read from
/// `Microsoft-Windows-Shell-AuthUI-Shutdown\Diagnostic.evtx` under `winevt\Logs`.
/// Low priority; descriptive fields (`meaning`, `fields`, `mitre_techniques`) are boilerplate.
/// NOTE(review): Diagnostic channels are typically off by default — confirm availability.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_SHUTDOWN_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_authui_shutdown_diagnostic",
name: "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-AuthUI-Shutdown\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic`, read
/// from `Microsoft-Windows-Shell-AuthUI-CredentialProviderUser\Diagnostic.evtx`.
/// The identifier and `id` are cut at 60 characters (`..._d`); the full channel name is in `name`,
/// so match on `name`/`file_path` rather than `id` when correlating with external references.
/// NOTE(review): credential-provider activity is relevant to logon-flow tampering, but this
/// Diagnostic channel is likely disabled by default — confirm before raising priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_CREDENTIALPROVIDERUSER_D: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_authui_credentialprovideruser_d",
name: "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-AuthUI-CredentialProviderUser\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic`, read from
/// `Microsoft-Windows-Shell-AuthUI-PasswordProvider\Diagnostic.evtx` under `winevt\Logs`.
/// Identifier and `id` are truncated at 60 characters (`..._diagnos`); use `name` for the
/// full channel name. `meaning`, `fields` and `mitre_techniques` are boilerplate only.
/// NOTE(review): Diagnostic channel, probably disabled by default — confirm availability.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_PASSWORDPROVIDER_DIAGNOS: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_authui_passwordprovider_diagnos",
name: "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-AuthUI-PasswordProvider\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic`, read from
/// `Microsoft-Windows-Shell-AuthUI-BootAnim\Diagnostic.evtx` under `winevt\Logs`.
/// Boot-animation diagnostics; Low priority with boilerplate descriptive fields.
/// NOTE(review): Diagnostic channel, likely disabled by default — confirm before relying on it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_BOOTANIM_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_authui_bootanim_diagnostic",
name: "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-AuthUI-BootAnim\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-AuthUI-PasswordProvider/BootAnim`, read from
/// `Microsoft-Windows-Shell-AuthUI-PasswordProvider\BootAnim.evtx` under `winevt\Logs`.
/// Identifier and `id` are truncated at 60 characters (`..._bootani`); `name` holds the full
/// channel name. Descriptive fields are generator boilerplate; priority Low.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_AUTHUI_PASSWORDPROVIDER_BOOTANI: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_authui_passwordprovider_bootani",
name: "Microsoft-Windows-Shell-AuthUI-PasswordProvider/BootAnim",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-AuthUI-PasswordProvider\\BootAnim.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-AuthUI-PasswordProvider/BootAnim'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter`, read from
/// `Microsoft-Windows-Shell-ConnectedAccountState\ActionCenter.evtx` under `winevt\Logs`.
/// Identifier and `id` are truncated at 60 characters (`..._actioncen`); `name` is authoritative.
/// NOTE(review): connected (Microsoft) account state is a Windows 8+ feature, so
/// `OsScope::Win7Plus` looks like a generator default — confirm the real minimum OS.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_CONNECTEDACCOUNTSTATE_ACTIONCEN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_connectedaccountstate_actioncen",
name: "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-ConnectedAccountState\\ActionCenter.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-Core/Diagnostic`, read from
/// `Microsoft-Windows-Shell-Core\Diagnostic.evtx` under `winevt\Logs`.
/// Low priority; `meaning`, `fields` and `mitre_techniques` are unpopulated boilerplate.
/// NOTE(review): Diagnostic channels are usually disabled by default — the Operational
/// sibling channel is the one more likely to be present on a collected host.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_CORE_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_core_diagnostic",
name: "Microsoft-Windows-Shell-Core/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-Core\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-Core/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-Core/Operational`, read from
/// `Microsoft-Windows-Shell-Core\Operational.evtx` under `winevt\Logs`.
/// `meaning`, `fields` and `mitre_techniques` carry only generator boilerplate.
/// NOTE(review): this channel is commonly used in execution/persistence timelines (shell
/// start-up and Run/RunOnce processing); Low may undervalue it — confirm against the
/// registry's priority policy before changing `triage_priority` or adding `mitre_techniques`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_CORE_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_core_operational",
name: "Microsoft-Windows-Shell-Core/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-Core\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-Core/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-Core/LogonTasksChannel`, read from
/// `Microsoft-Windows-Shell-Core\LogonTasksChannel.evtx` under `winevt\Logs`.
/// Low priority; descriptive fields are generator boilerplate.
/// NOTE(review): the channel name suggests it records work performed at user logon, which
/// is persistence-relevant — confirm its content before adding `mitre_techniques`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_CORE_LOGONTASKSCHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_core_logontaskschannel",
name: "Microsoft-Windows-Shell-Core/LogonTasksChannel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-Core\\LogonTasksChannel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-Core/LogonTasksChannel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-Core/AppDefaults`, read from
/// `Microsoft-Windows-Shell-Core\AppDefaults.evtx` under `winevt\Logs`.
/// Default-application (file/protocol association) events; Low priority, boilerplate
/// descriptive fields.
/// NOTE(review): default-app changes can matter for hijacked file-type handlers — confirm
/// whether this channel actually records association changes before documenting that.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_CORE_APPDEFAULTS: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_core_appdefaults",
name: "Microsoft-Windows-Shell-Core/AppDefaults",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-Core\\AppDefaults.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-Core/AppDefaults'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-Core/ActionCenter`, read from
/// `Microsoft-Windows-Shell-Core\ActionCenter.evtx` under `winevt\Logs`.
/// Low priority; `meaning`, `fields` and `mitre_techniques` are unpopulated boilerplate.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_CORE_ACTIONCENTER: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_core_actioncenter",
name: "Microsoft-Windows-Shell-Core/ActionCenter",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-Core\\ActionCenter.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-Core/ActionCenter'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-DefaultPrograms/Diagnostic`, read from
/// `Microsoft-Windows-Shell-DefaultPrograms\Diagnostic.evtx` under `winevt\Logs`.
/// Low priority; descriptive fields are generator boilerplate.
/// NOTE(review): Diagnostic channel, likely disabled by default — confirm availability.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_DEFAULTPROGRAMS_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_defaultprograms_diagnostic",
name: "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-DefaultPrograms\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-DefaultPrograms/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-LockScreenContent/Diagnostic`, read from
/// `Microsoft-Windows-Shell-LockScreenContent\Diagnostic.evtx` under `winevt\Logs`.
/// Low priority; descriptive fields are generator boilerplate.
/// NOTE(review): lock-screen content is a Windows 8+ feature, so `OsScope::Win7Plus` is
/// probably a generator default — confirm the real minimum OS.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_LOCKSCREENCONTENT_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_lockscreencontent_diagnostic",
name: "Microsoft-Windows-Shell-LockScreenContent/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-LockScreenContent\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-LockScreenContent/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-OpenWith/Diagnostic`, read from
/// `Microsoft-Windows-Shell-OpenWith\Diagnostic.evtx` under `winevt\Logs`.
/// "Open With" handler diagnostics; Low priority, boilerplate descriptive fields.
/// NOTE(review): Diagnostic channel, likely disabled by default — confirm availability.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_OPENWITH_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_openwith_diagnostic",
name: "Microsoft-Windows-Shell-OpenWith/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-OpenWith\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-OpenWith/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-Search-UriHandler`, read from the flat file
/// `Microsoft-Windows-Shell-Search-UriHandler.evtx` under `winevt\Logs` (no sub-channel).
/// Low priority; `meaning`, `fields` and `mitre_techniques` are unpopulated boilerplate.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_SEARCH_URIHANDLER: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_search_urihandler",
name: "Microsoft-Windows-Shell-Search-UriHandler",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-Search-UriHandler.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-Search-UriHandler'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-Shwebsvc`, read from the flat file
/// `Microsoft-Windows-Shell-Shwebsvc.evtx` under `winevt\Logs` (no sub-channel).
/// Low priority; descriptive fields are generator boilerplate.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_SHWEBSVC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_shwebsvc",
name: "Microsoft-Windows-Shell-Shwebsvc",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-Shwebsvc.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-Shwebsvc'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shell-ZipFolder/Diagnostic`, read from
/// `Microsoft-Windows-Shell-ZipFolder\Diagnostic.evtx` under `winevt\Logs`.
/// Explorer's built-in ZIP folder handler; Low priority, boilerplate descriptive fields.
/// NOTE(review): if populated, archive-extraction events could support phishing/initial-access
/// timelines, but this Diagnostic channel is likely disabled by default — confirm first.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELL_ZIPFOLDER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shell_zipfolder_diagnostic",
name: "Microsoft-Windows-Shell-ZipFolder/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shell-ZipFolder\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shell-ZipFolder/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational`, read
/// from `Microsoft-Windows-ShellCommon-StartLayoutPopulation\Operational.evtx`.
/// Identifier and `id` are truncated at 60 characters (`..._ope`); `name` holds the full
/// channel name. Low priority, boilerplate descriptive fields.
/// NOTE(review): Start-layout population is a Windows 10+ feature — `OsScope::Win7Plus`
/// looks like a generator default; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELLCOMMON_STARTLAYOUTPOPULATION_OPE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shellcommon_startlayoutpopulation_ope",
name: "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ShellCommon-StartLayoutPopulation\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic`, read
/// from `Microsoft-Windows-ShellCommon-StartLayoutPopulation\Diagnostic.evtx`.
/// Identifier and `id` are truncated at 60 characters (`..._dia`); `name` is authoritative.
/// Low priority, boilerplate descriptive fields.
/// NOTE(review): Diagnostic channel, likely disabled by default — confirm availability.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHELLCOMMON_STARTLAYOUTPOPULATION_DIA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_shellcommon_startlayoutpopulation_dia",
name: "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ShellCommon-StartLayoutPopulation\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Shsvcs/Diagnostic`, read from
/// `Microsoft-Windows-Shsvcs\Diagnostic.evtx` under `winevt\Logs`.
/// Low priority; `meaning`, `fields` and `mitre_techniques` are unpopulated boilerplate.
/// NOTE(review): Diagnostic channel, likely disabled by default — confirm availability.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SHSVCS_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_shsvcs_diagnostic",
name: "Microsoft-Windows-Shsvcs/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Shsvcs\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Shsvcs/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Sidebar/Diagnostic`, read from
/// `Microsoft-Windows-Sidebar\Diagnostic.evtx` under `winevt\Logs`.
/// Windows Sidebar/Gadgets diagnostics; Low priority, boilerplate descriptive fields.
/// NOTE(review): Sidebar was removed after Windows 7, so `Win7Plus` may overstate the
/// range on which this file exists — confirm and consider narrowing `os_scope`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SIDEBAR_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_sidebar_diagnostic",
name: "Microsoft-Windows-Sidebar/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Sidebar\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Sidebar/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-SleepStudy/Diagnostic`, read from
/// `Microsoft-Windows-SleepStudy\Diagnostic.evtx` under `winevt\Logs`.
/// Power/sleep-state diagnostics; Low priority, boilerplate descriptive fields.
/// NOTE(review): Diagnostic channel, likely disabled by default — confirm availability.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SLEEPSTUDY_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_sleepstudy_diagnostic",
name: "Microsoft-Windows-SleepStudy/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SleepStudy\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SleepStudy/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-SmartCard-Audit/Authentication`, read from
/// `Microsoft-Windows-SmartCard-Audit\Authentication.evtx` under `winevt\Logs`.
/// `meaning`, `fields` and `mitre_techniques` carry only generator boilerplate.
/// NOTE(review): this is an authentication *audit* channel for smart-card logon, yet it is
/// rated Low like the UI diagnostics around it — confirm the priority is deliberate and
/// consider linking it to the Security log / other credential-related descriptors via
/// `related_artifacts`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMARTCARD_AUDIT_AUTHENTICATION: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_smartcard_audit_authentication",
name: "Microsoft-Windows-SmartCard-Audit/Authentication",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SmartCard-Audit\\Authentication.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SmartCard-Audit/Authentication'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-SmartCard-DeviceEnum/Operational`, read from
/// `Microsoft-Windows-SmartCard-DeviceEnum\Operational.evtx` under `winevt\Logs`.
/// Smart-card reader/device enumeration; Low priority, boilerplate descriptive fields.
/// NOTE(review): reader attach/detach events can corroborate physical-access timelines —
/// confirm the channel's content before documenting that in `meaning`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMARTCARD_DEVICEENUM_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_smartcard_deviceenum_operational",
name: "Microsoft-Windows-SmartCard-DeviceEnum/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SmartCard-DeviceEnum\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SmartCard-DeviceEnum/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin`, read from
/// `Microsoft-Windows-SmartCard-TPM-VCard-Module\Admin.evtx` under `winevt\Logs`.
/// TPM-backed virtual smart card module, Admin channel; Low priority, boilerplate fields.
/// NOTE(review): virtual smart cards are a credential-storage mechanism; pair this with the
/// Operational sibling via `related_artifacts` if the registry supports it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMARTCARD_TPM_VCARD_MODULE_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_smartcard_tpm_vcard_module_admin",
name: "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SmartCard-TPM-VCard-Module\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational`, read from
/// `Microsoft-Windows-SmartCard-TPM-VCard-Module\Operational.evtx` under `winevt\Logs`.
/// Identifier and `id` are truncated at 60 characters (`..._operationa`); `name` holds the
/// full channel name. Low priority, boilerplate descriptive fields.
/// NOTE(review): virtual smart cards are TPM-backed credentials — the Admin sibling is the
/// natural `related_artifacts` entry; confirm before adding it.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMARTCARD_TPM_VCARD_MODULE_OPERATIONA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_smartcard_tpm_vcard_module_operationa",
name: "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SmartCard-TPM-VCard-Module\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-SmartScreen/Debug`, read from
/// `Microsoft-Windows-SmartScreen\Debug.evtx` under `winevt\Logs`.
/// `meaning`, `fields` and `mitre_techniques` carry only generator boilerplate.
/// NOTE(review): SmartScreen reputation checks on downloaded/executed files are useful
/// initial-access evidence, but Debug channels are normally disabled by default and
/// SmartScreen itself postdates Windows 7 — confirm both availability and `os_scope`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMARTSCREEN_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_smartscreen_debug",
name: "Microsoft-Windows-SmartScreen/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SmartScreen\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SmartScreen/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-SMBHashGeneration/Operational`, read from
/// `Microsoft-Windows-SMBHashGeneration\Operational.evtx` under `winevt\Logs`.
/// SMB hash-generation (BranchCache content hashing) operational events; Low priority,
/// boilerplate descriptive fields.
/// NOTE(review): only present where the hash-generation service is enabled (typically file
/// servers with BranchCache) — confirm before expecting the file on workstations.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBHASHGENERATION_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_smbhashgeneration_operational",
name: "Microsoft-Windows-SMBHashGeneration/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBHashGeneration\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SMBHashGeneration/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-SMBHashGeneration/Analytic`, read from
/// `Microsoft-Windows-SMBHashGeneration\Analytic.evtx` under `winevt\Logs`.
/// Analytic sibling of the Operational channel above; Low priority, boilerplate fields.
/// NOTE(review): Analytic channels are disabled by default and only written while tracing
/// is enabled — treat absence or emptiness as the norm, not as tampering.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SMBHASHGENERATION_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_smbhashgeneration_analytic",
name: "Microsoft-Windows-SMBHashGeneration/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SMBHashGeneration\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SMBHashGeneration/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `SmbWmiAnalytic`, read from the flat file `SmbWmiAnalytic.evtx`
/// under `winevt\Logs` (no provider prefix, no sub-channel).
/// `meaning`, `fields` and `mitre_techniques` carry only generator boilerplate.
/// NOTE(review): this is the only `TriagePriority::High` descriptor in this run while every
/// other Analytic channel here is Low; Analytic channels are normally disabled by default.
/// Confirm High is intentional (e.g. driven by a keyword match on "SMB"/"WMI") and, if so,
/// document the rationale in `meaning` and add `evidence_caveats` about default availability.
pub(crate) static EVTX_SMBWMIANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_smbwmianalytic",
name: "SmbWmiAnalytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\SmbWmiAnalytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'SmbWmiAnalytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-TTS/Diagnostic`, read from
/// `Microsoft-Windows-TTS\Diagnostic.evtx` under `winevt\Logs`.
/// Text-to-speech diagnostics; Low priority, boilerplate descriptive fields.
/// NOTE(review): this entry sits between the SMB and Speech descriptors, so the file is not
/// strictly sorted by `id`; harmless unless the registry relies on order.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TTS_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_tts_diagnostic",
name: "Microsoft-Windows-TTS/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TTS\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TTS/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Speech-UserExperience/Diagnostic`, read from
/// `Microsoft-Windows-Speech-UserExperience\Diagnostic.evtx` under `winevt\Logs`.
/// Low priority; `meaning`, `fields` and `mitre_techniques` are unpopulated boilerplate.
/// NOTE(review): Diagnostic channel, likely disabled by default — confirm availability.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SPEECH_USEREXPERIENCE_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_speech_userexperience_diagnostic",
name: "Microsoft-Windows-Speech-UserExperience/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Speech-UserExperience\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Speech-UserExperience/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft Windows Spell Checking Facility Analytic Channel`, read from
/// the space-separated file name `Microsoft Windows Spell Checking Facility Analytic Channel.evtx`
/// under `winevt\Logs` (no provider/channel separator, unlike most entries in this file).
/// Identifier and `id` are truncated at 60 characters (`..._chan`); `name` is authoritative.
/// NOTE(review): Analytic channel, disabled by default — expect the file to be absent or empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SPELL_CHECKING_FACILITY_ANALYTIC_CHAN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_spell_checking_facility_analytic_chan",
name: "Microsoft Windows Spell Checking Facility Analytic Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft Windows Spell Checking Facility Analytic Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft Windows Spell Checking Facility Analytic Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft Windows Spellchecker Analytic Channel`, read from the
/// space-separated file name `Microsoft Windows Spellchecker Analytic Channel.evtx` under
/// `winevt\Logs`. Low priority; descriptive fields are generator boilerplate.
/// NOTE(review): Analytic channel, disabled by default — expect the file to be absent or empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SPELLCHECKER_ANALYTIC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_spellchecker_analytic_channel",
name: "Microsoft Windows Spellchecker Analytic Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft Windows Spellchecker Analytic Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft Windows Spellchecker Analytic Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft Windows Spell Checking Host Analytic Channel`, read from the
/// space-separated file name `Microsoft Windows Spell Checking Host Analytic Channel.evtx`
/// under `winevt\Logs`. Low priority; descriptive fields are generator boilerplate.
/// NOTE(review): Analytic channel, disabled by default — expect the file to be absent or empty.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SPELL_CHECKING_HOST_ANALYTIC_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_spell_checking_host_analytic_channel",
name: "Microsoft Windows Spell Checking Host Analytic Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft Windows Spell Checking Host Analytic Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft Windows Spell Checking Host Analytic Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-SruMon/Diagnostic`, read from
/// `Microsoft-Windows-SruMon\Diagnostic.evtx` under `winevt\Logs`.
/// Low priority; `meaning`, `fields` and `mitre_techniques` are unpopulated boilerplate.
/// NOTE(review): SruMon is the System Resource Usage Monitor (SRUM) component; if the
/// registry has a descriptor for the SRUM database, cross-link it via `related_artifacts`.
/// Diagnostic channel, likely disabled by default — confirm availability.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SRUMON_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_srumon_diagnostic",
name: "Microsoft-Windows-SruMon/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SruMon\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SruMon/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-SrumTelemetry`, read from the flat file
/// `Microsoft-Windows-SrumTelemetry.evtx` under `winevt\Logs` (no sub-channel).
/// Low priority; descriptive fields are generator boilerplate.
/// NOTE(review): SRUM (System Resource Usage Monitor) telemetry — a SRUM database
/// descriptor, if one exists in the registry, is the natural `related_artifacts` entry.
/// SRUM postdates Windows 7, so `OsScope::Win7Plus` is probably a generator default; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SRUMTELEMETRY: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_srumtelemetry",
name: "Microsoft-Windows-SrumTelemetry",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SrumTelemetry.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SrumTelemetry'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StateRepository/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STATEREPOSITORY_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_staterepository_operational",
    name: "Microsoft-Windows-StateRepository/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StateRepository/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StateRepository\\Operational.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StateRepository/Debug`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STATEREPOSITORY_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_staterepository_debug",
    name: "Microsoft-Windows-StateRepository/Debug",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StateRepository/Debug'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StateRepository\\Debug.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StateRepository/Diagnostic`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STATEREPOSITORY_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_staterepository_diagnostic",
    name: "Microsoft-Windows-StateRepository/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StateRepository/Diagnostic'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StateRepository\\Diagnostic.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StickyNotes/Debug`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STICKYNOTES_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_stickynotes_debug",
    name: "Microsoft-Windows-StickyNotes/Debug",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StickyNotes/Debug'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StickyNotes\\Debug.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StickyNotes/Admin`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STICKYNOTES_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_stickynotes_admin",
    name: "Microsoft-Windows-StickyNotes/Admin",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StickyNotes/Admin'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StickyNotes\\Admin.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StickyNotes/Diagnostic`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STICKYNOTES_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_stickynotes_diagnostic",
    name: "Microsoft-Windows-StickyNotes/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StickyNotes/Diagnostic'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StickyNotes\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorDiag/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORDIAG_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_stordiag_operational",
    name: "Microsoft-Windows-StorDiag/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorDiag/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorDiag\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Storage-ClassPnP/Analytic`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_CLASSPNP_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storage_classpnp_analytic",
    name: "Microsoft-Windows-Storage-ClassPnP/Analytic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-ClassPnP/Analytic'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-ClassPnP\\Analytic.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Storage-ClassPnP/Diagnose`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_CLASSPNP_DIAGNOSE: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storage_classpnp_diagnose",
    name: "Microsoft-Windows-Storage-ClassPnP/Diagnose",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-ClassPnP/Diagnose'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-ClassPnP\\Diagnose.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Storage-ClassPnP/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_CLASSPNP_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storage_classpnp_operational",
    name: "Microsoft-Windows-Storage-ClassPnP/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-ClassPnP/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-ClassPnP\\Operational.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorPort/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORPORT_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storport_operational",
    name: "Microsoft-Windows-StorPort/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorPort/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorPort\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Storage-Storport/Diagnose`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_STORPORT_DIAGNOSE: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storage_storport_diagnose",
    name: "Microsoft-Windows-Storage-Storport/Diagnose",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-Storport/Diagnose'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-Storport\\Diagnose.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Storage-Storport/Analytic`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_STORPORT_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storage_storport_analytic",
    name: "Microsoft-Windows-Storage-Storport/Analytic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-Storport/Analytic'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-Storport\\Analytic.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Storage-Storport/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_STORPORT_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storage_storport_operational",
    name: "Microsoft-Windows-Storage-Storport/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-Storport/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-Storport\\Operational.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Storage-Storport/Health`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_STORPORT_HEALTH: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storage_storport_health",
    name: "Microsoft-Windows-Storage-Storport/Health",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-Storport/Health'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-Storport\\Health.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Tiering Heat Measurement Channel`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_TIERING_HEAT_MEASUREMENT_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_tiering_heat_measurement_channel",
    name: "Tiering Heat Measurement Channel",
    meaning: "Windows Event Log channel 'Tiering Heat Measurement Channel'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Tiering Heat Measurement Channel.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Storage-Tiering/Admin`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGE_TIERING_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storage_tiering_admin",
    name: "Microsoft-Windows-Storage-Tiering/Admin",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Storage-Tiering/Admin'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-Tiering\\Admin.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageManagement-PartUtil/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
///
/// NOTE(review): the `id` (and this static's name) end in `operationa`, not
/// `operational`, while `name`, `meaning` and `file_path` all say `Operational`.
/// The `id` is exactly 60 characters, so this looks like a generator-side length
/// cut; confirm before anything keys on the `id` string.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGEMANAGEMENT_PARTUTIL_OPERATIONA: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagemanagement_partutil_operationa",
    name: "Microsoft-Windows-StorageManagement-PartUtil/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageManagement-PartUtil/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageManagement-PartUtil\\Operational.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageManagement/Debug`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGEMANAGEMENT_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagemanagement_debug",
    name: "Microsoft-Windows-StorageManagement/Debug",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageManagement/Debug'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageManagement\\Debug.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageManagement/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGEMANAGEMENT_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagemanagement_operational",
    name: "Microsoft-Windows-StorageManagement/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageManagement/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageManagement\\Operational.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageSettings/Diagnostic`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGESETTINGS_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagesettings_diagnostic",
    name: "Microsoft-Windows-StorageSettings/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageSettings/Diagnostic'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageSettings\\Diagnostic.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageSpaces-Api/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGESPACES_API_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagespaces_api_operational",
    name: "Microsoft-Windows-StorageSpaces-Api/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageSpaces-Api/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageSpaces-Api\\Operational.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageSpaces-Driver/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGESPACES_DRIVER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagespaces_driver_operational",
    name: "Microsoft-Windows-StorageSpaces-Driver/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageSpaces-Driver/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageSpaces-Driver\\Operational.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageSpaces-Driver/Diagnostic`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGESPACES_DRIVER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagespaces_driver_diagnostic",
    name: "Microsoft-Windows-StorageSpaces-Driver/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageSpaces-Driver/Diagnostic'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageSpaces-Driver\\Diagnostic.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageSpaces-Driver/Performance`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGESPACES_DRIVER_PERFORMANCE: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagespaces_driver_performance",
    name: "Microsoft-Windows-StorageSpaces-Driver/Performance",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageSpaces-Driver/Performance'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageSpaces-Driver\\Performance.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageSpaces-ManagementAgent/WHC`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGESPACES_MANAGEMENTAGENT_WHC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagespaces_managementagent_whc",
    name: "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageSpaces-ManagementAgent/WHC'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageSpaces-ManagementAgent\\WHC.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageSpaces-Parser/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGESPACES_PARSER_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagespaces_parser_operational",
    name: "Microsoft-Windows-StorageSpaces-Parser/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageSpaces-Parser/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageSpaces-Parser\\Operational.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageSpaces-Parser/Diagnostic`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGESPACES_PARSER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagespaces_parser_diagnostic",
    name: "Microsoft-Windows-StorageSpaces-Parser/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageSpaces-Parser/Diagnostic'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageSpaces-Parser\\Diagnostic.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGESPACES_SPACEMANAGER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagespaces_spacemanager_diagnostic",
    name: "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageSpaces-SpaceManager\\Diagnostic.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageSpaces-SpaceManager/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
///
/// NOTE(review): the `id` (and this static's name) end in `operationa`, not
/// `operational`, while `name`, `meaning` and `file_path` all say `Operational`.
/// The `id` is exactly 60 characters, so this looks like a generator-side length
/// cut; confirm before anything keys on the `id` string.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGESPACES_SPACEMANAGER_OPERATIONA: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagespaces_spacemanager_operationa",
    name: "Microsoft-Windows-StorageSpaces-SpaceManager/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageSpaces-SpaceManager/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageSpaces-SpaceManager\\Operational.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-StorageVolume/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORAGEVOLUME_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storagevolume_operational",
    name: "Microsoft-Windows-StorageVolume/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-StorageVolume/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some(
        "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-StorageVolume\\Operational.evtx",
    ),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Storsvc/Diagnostic`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_STORSVC_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_storsvc_diagnostic",
    name: "Microsoft-Windows-Storsvc/Diagnostic",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Storsvc/Diagnostic'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Storsvc\\Diagnostic.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Subsys-Csr/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SUBSYS_CSR_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_subsys_csr_operational",
    name: "Microsoft-Windows-Subsys-Csr/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Subsys-Csr/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Subsys-Csr\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Subsys-SMSS/Operational`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SUBSYS_SMSS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_subsys_smss_operational",
    name: "Microsoft-Windows-Subsys-SMSS/Operational",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Subsys-SMSS/Operational'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Subsys-SMSS\\Operational.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Sudo/Admin`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
///
/// NOTE(review): this is the `Admin` channel of a provider named `Sudo`; if it
/// records privilege-elevation activity, `Low` may understate its triage value
/// and an `evidence_caveats` entry would help — confirm against the channel's
/// actual event content before changing the priority.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SUDO_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_sudo_admin",
    name: "Microsoft-Windows-Sudo/Admin",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Sudo/Admin'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Sudo\\Admin.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Microsoft-Windows-Superfetch/AgmcLog`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SUPERFETCH_AGMCLOG: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_microsoft_windows_superfetch_agmclog",
    name: "Microsoft-Windows-Superfetch/AgmcLog",
    meaning: "Windows Event Log channel 'Microsoft-Windows-Superfetch/AgmcLog'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Superfetch\\AgmcLog.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Windows Event Log channel `Memory cooling operational channel`.
///
/// File-backed: the `.evtx` path is an environment-variable template under
/// `%SystemRoot%\System32\winevt\Logs`, passed through by `Decoder::Identity`.
/// Triage priority `Low`; no MITRE techniques, fields, or related artifacts attached.
pub(crate) static EVTX_MEMORY_COOLING_OPERATIONAL_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
    // Identity and description.
    id: "evtx_memory_cooling_operational_channel",
    name: "Memory cooling operational channel",
    meaning: "Windows Event Log channel 'Memory cooling operational channel'.",
    artifact_type: ArtifactType::EventLog,
    // Location (file-backed; hive/key/value carry no value here).
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Memory cooling operational channel.evtx"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Triage and enrichment metadata.
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Microsoft-Windows-Superfetch/PfApLog` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Superfetch\PfApLog.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): sibling of `EVTX_MICROSOFT_WINDOWS_SUPERFETCH_AGMCLOG`; the two are
/// not cross-linked via `related_artifacts` — consider linking if the collector
/// groups channels by provider.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SUPERFETCH_PFAPLOG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_superfetch_pfaplog",
name: "Microsoft-Windows-Superfetch/PfApLog",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Superfetch\\PfApLog.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Superfetch/PfApLog'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-Sysprep/Analytic` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Sysprep\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): Analytic channels are generally not enabled by default, so the
/// file is often missing; a collector should treat absence as "channel disabled",
/// not as evidence of tampering — confirm how absence is reported upstream.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SYSPREP_ANALYTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_sysprep_analytic",
name: "Microsoft-Windows-Sysprep/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Sysprep\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-Sysprep/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-System-Profile-HardwareId/Diagnostic` event-log channel, read
/// from `...\Logs\Microsoft-Windows-System-Profile-HardwareId\Diagnostic.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): this is `TriagePriority::High`, yet every other Diagnostic/Debug
/// channel in this file is `Low`. Every descriptor here whose channel name contains
/// "System" is High and none without it is — this looks like a substring match on
/// "System" (intended for the core `System` log) rather than a deliberate rating.
/// Confirm the priority before it drives collection order.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SYSTEM_PROFILE_HARDWAREID_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_system_profile_hardwareid_diagnostic",
name: "Microsoft-Windows-System-Profile-HardwareId/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-System-Profile-HardwareId\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-System-Profile-HardwareId/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-SystemDataArchiver/Diagnostic` event-log channel, read from
/// `...\Logs\Microsoft-Windows-SystemDataArchiver\Diagnostic.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): `TriagePriority::High` for a Diagnostic channel is out of line with
/// the neighbouring Diagnostic/Debug descriptors (all `Low`); the only descriptors
/// rated High in this file are those whose names contain "System", which suggests
/// an over-broad keyword match rather than an analyst decision — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SYSTEMDATAARCHIVER_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_systemdataarchiver_diagnostic",
name: "Microsoft-Windows-SystemDataArchiver/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SystemDataArchiver\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SystemDataArchiver/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-SystemHealthAgent/Diagnostic` event-log channel, read from
/// `...\Logs\Microsoft-Windows-SystemHealthAgent\Diagnostic.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): rated `TriagePriority::High` while comparable Diagnostic channels
/// (e.g. TCPIP/Diagnostic, TSF-msctf/Diagnostic below) are `Low`; the High rating
/// correlates only with "System" appearing in the name — confirm it is intended.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SYSTEMHEALTHAGENT_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_systemhealthagent_diagnostic",
name: "Microsoft-Windows-SystemHealthAgent/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SystemHealthAgent\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SystemHealthAgent/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-SystemSettings/Diagnostic` event-log channel, read from
/// `...\Logs\Microsoft-Windows-SystemSettings\Diagnostic.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): `TriagePriority::High` — see the sibling SystemSettings
/// Debug/Operational descriptors, which carry the same rating. All three Settings
/// channels being High while every non-"System" Diagnostic/Debug channel is Low
/// points to a keyword-driven default rather than a per-channel judgement; confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGS_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_systemsettings_diagnostic",
name: "Microsoft-Windows-SystemSettings/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SystemSettings\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SystemSettings/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-SystemSettings/Debug` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-SystemSettings\Debug.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): a Debug channel at `TriagePriority::High` is surprising — Debug
/// channels are typically off by default and the other Debug descriptors in this
/// file (SystemSettingsHandlers aside, which shares the "System" name) are `Low`.
/// Confirm the rating; a High-priority artifact that is usually absent wastes
/// early collection budget.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGS_DEBUG: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_systemsettings_debug",
name: "Microsoft-Windows-SystemSettings/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SystemSettings\\Debug.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SystemSettings/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-SystemSettings/Operational` event-log channel, read from
/// `...\Logs\Microsoft-Windows-SystemSettings\Operational.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): `TriagePriority::High`, like every other "System*" descriptor in
/// this file and unlike every non-"System" one. If the rating is deliberate, the
/// reason (what Settings-app activity is investigatively useful) belongs in
/// `meaning`/`mitre_techniques`; if not, it should probably be `Low` — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_systemsettings_operational",
name: "Microsoft-Windows-SystemSettings/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SystemSettings\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SystemSettings/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-SystemSettingsHandlers/Debug` event-log channel, read from
/// `...\Logs\Microsoft-Windows-SystemSettingsHandlers\Debug.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): Debug channel rated `TriagePriority::High`; compare the
/// TerminalServices-*/Debug descriptors further down, all `Low`. The High rating
/// tracks the "System" substring in the name across this file — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSHANDLERS_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_systemsettingshandlers_debug",
name: "Microsoft-Windows-SystemSettingsHandlers/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SystemSettingsHandlers\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SystemSettingsHandlers/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-SystemSettingsThreshold/Diagnostic` event-log channel, read
/// from `...\Logs\Microsoft-Windows-SystemSettingsThreshold\Diagnostic.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): `TriagePriority::High` for a Diagnostic channel — same concern as
/// the other "System*" descriptors in this file; confirm the rating is intended.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSTHRESHOLD_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_systemsettingsthreshold_diagnostic",
name: "Microsoft-Windows-SystemSettingsThreshold/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SystemSettingsThreshold\\Diagnostic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SystemSettingsThreshold/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-SystemSettingsThreshold/Debug` event-log channel, read from
/// `...\Logs\Microsoft-Windows-SystemSettingsThreshold\Debug.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): Debug channel at `TriagePriority::High`; the other Debug
/// descriptors in this file without "System" in the name are `Low` — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSTHRESHOLD_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_systemsettingsthreshold_debug",
name: "Microsoft-Windows-SystemSettingsThreshold/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SystemSettingsThreshold\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SystemSettingsThreshold/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-SystemSettingsThreshold/Operational` event-log channel, read
/// from `...\Logs\Microsoft-Windows-SystemSettingsThreshold\Operational.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): `TriagePriority::High` with an empty `mitre_techniques` and a
/// generic `meaning` gives an analyst nothing to justify the rating; either
/// document why this channel matters or align it with the surrounding `Low`
/// descriptors — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSTHRESHOLD_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_systemsettingsthreshold_operational",
name: "Microsoft-Windows-SystemSettingsThreshold/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SystemSettingsThreshold\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SystemSettingsThreshold/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-SystemSettingsV2/Informational` event-log channel, read from
/// `...\Logs\Microsoft-Windows-SystemSettingsV2\Informational.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): `TriagePriority::High` follows the "System*" pattern seen across
/// this file — confirm. Also, `OsScope::Win7Plus` is the blanket value used for
/// every descriptor here; a "V2" settings channel is unlikely to exist on Win7 —
/// verify the minimum OS before the scope is used to skip hosts.
pub(crate) static EVTX_MICROSOFT_WINDOWS_SYSTEMSETTINGSV2_INFORMATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_systemsettingsv2_informational",
name: "Microsoft-Windows-SystemSettingsV2/Informational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-SystemSettingsV2\\Informational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-SystemSettingsV2/Informational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TCPIP/Diagnostic` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TCPIP\Diagnostic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): Diagnostic channels are normally disabled; if this one is enabled
/// on a host it can be very high-volume, so collectors should size-cap it — confirm
/// whether the collector has a per-artifact size limit.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TCPIP_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_tcpip_diagnostic",
name: "Microsoft-Windows-TCPIP/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TCPIP\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TCPIP/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `UIManager_Channel` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\UIManager_Channel.evtx` (no provider
/// sub-folder — the file sits directly under `Logs\`).
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
pub(crate) static EVTX_UIMANAGER_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_uimanager_channel",
name: "UIManager_Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\UIManager_Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'UIManager_Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TSF-msctf/Diagnostic` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TSF-msctf\Diagnostic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): sibling of `EVTX_MICROSOFT_WINDOWS_TSF_MSUTB_DIAGNOSTIC` below;
/// neither references the other in `related_artifacts`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TSF_MSCTF_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_tsf_msctf_diagnostic",
name: "Microsoft-Windows-TSF-msctf/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TSF-msctf\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TSF-msctf/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TSF-msutb/Diagnostic` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TSF-msutb\Diagnostic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): Diagnostic channel — usually disabled by default, so absence of
/// the .evtx on a host is expected and should not be reported as an anomaly.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TSF_MSUTB_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_tsf_msutb_diagnostic",
name: "Microsoft-Windows-TSF-msutb/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TSF-msutb\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TSF-msutb/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TZSync/Operational` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TZSync\Operational.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): if this channel records time-zone (re)synchronisation, it is
/// useful for normalising timestamps across the other artifacts in a timeline;
/// worth documenting in `meaning` once confirmed against real samples.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TZSYNC_OPERATIONAL: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_tzsync_operational",
name: "Microsoft-Windows-TZSync/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TZSync\\Operational.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TZSync/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TZSync/Analytic` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TZSync\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): Analytic counterpart of `EVTX_MICROSOFT_WINDOWS_TZSYNC_OPERATIONAL`;
/// Analytic channels are normally disabled, so expect the file to be absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TZSYNC_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_tzsync_analytic",
name: "Microsoft-Windows-TZSync/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TZSync\\Analytic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TZSync/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `TabletPC_InputPanel_Channel` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\TabletPC_InputPanel_Channel.evtx`
/// (directly under `Logs\`, no provider sub-folder).
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
pub(crate) static EVTX_TABLETPC_INPUTPANEL_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_tabletpc_inputpanel_channel",
name: "TabletPC_InputPanel_Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\TabletPC_InputPanel_Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'TabletPC_InputPanel_Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `OSK_SoftKeyboard_Channel` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\OSK_SoftKeyboard_Channel.evtx`
/// (directly under `Logs\`, no provider sub-folder).
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): on-screen-keyboard channel; if it ever carries input content it
/// would be sensitive — worth confirming against samples before wide collection.
pub(crate) static EVTX_OSK_SOFTKEYBOARD_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_osk_softkeyboard_channel",
name: "OSK_SoftKeyboard_Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\OSK_SoftKeyboard_Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'OSK_SoftKeyboard_Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `TabletPC_InputPanel_Channel/IHM` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\TabletPC_InputPanel_Channel\IHM.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): sub-channel of `EVTX_TABLETPC_INPUTPANEL_CHANNEL`; unlike its parent
/// the file lives in a `TabletPC_InputPanel_Channel\` sub-folder.
pub(crate) static EVTX_TABLETPC_INPUTPANEL_CHANNEL_IHM: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_tabletpc_inputpanel_channel_ihm",
name: "TabletPC_InputPanel_Channel/IHM",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\TabletPC_InputPanel_Channel\\IHM.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'TabletPC_InputPanel_Channel/IHM'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `IHM_DebugChannel` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\IHM_DebugChannel.evtx`
/// (directly under `Logs\`, no provider sub-folder).
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): a debug channel — typically disabled by default; expect the file
/// to be absent on most hosts.
pub(crate) static EVTX_IHM_DEBUGCHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_ihm_debugchannel",
name: "IHM_DebugChannel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\IHM_DebugChannel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'IHM_DebugChannel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Physical_Keyboard_Manager_Channel` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\Physical_Keyboard_Manager_Channel.evtx`
/// (directly under `Logs\`, no provider sub-folder).
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
pub(crate) static EVTX_PHYSICAL_KEYBOARD_MANAGER_CHANNEL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_physical_keyboard_manager_channel",
name: "Physical_Keyboard_Manager_Channel",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Physical_Keyboard_Manager_Channel.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Physical_Keyboard_Manager_Channel'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Maintenance` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\Maintenance.evtx` (directly under `Logs\`).
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): the bare channel name gives no provider context; `meaning` should
/// say which component owns it once that is confirmed.
pub(crate) static EVTX_MAINTENANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_maintenance",
name: "Maintenance",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Maintenance.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Maintenance'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TaskbarCPL/Diagnostic` event-log channel, read from
/// `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TaskbarCPL\Diagnostic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): Diagnostic channel — normally disabled; absence on disk expected.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TASKBARCPL_DIAGNOSTIC: ArtifactDescriptor =
ArtifactDescriptor {
id: "evtx_microsoft_windows_taskbarcpl_diagnostic",
name: "Microsoft-Windows-TaskbarCPL/Diagnostic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TaskbarCPL\\Diagnostic.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TaskbarCPL/Diagnostic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TenantRestrictions/Operational` event-log channel, read from
/// `...\Logs\Microsoft-Windows-TenantRestrictions\Operational.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): tenant-restriction enforcement is an identity/cloud-access control;
/// if this channel records allowed/blocked tenant access it is relevant to
/// data-exfiltration and account-misuse investigations and may deserve more than
/// `Low` plus an empty `mitre_techniques` — confirm against samples. Also
/// `OsScope::Win7Plus` is the blanket value used throughout this file; a feature of
/// this name is unlikely to exist on Win7 — verify the real minimum OS.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TENANTRESTRICTIONS_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_tenantrestrictions_operational",
name: "Microsoft-Windows-TenantRestrictions/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TenantRestrictions\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TenantRestrictions/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TerminalServices-RDPClient/Debug` event-log channel, read from
/// `...\Logs\Microsoft-Windows-TerminalServices-RDPClient\Debug.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): Debug channel (normally disabled). The investigatively useful
/// sibling is the `/Operational` channel declared next; the three RDPClient
/// descriptors are not linked via `related_artifacts`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_terminalservices_rdpclient_debug",
name: "Microsoft-Windows-TerminalServices-RDPClient/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RDPClient\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-RDPClient/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TerminalServices-RDPClient/Operational` event-log channel, read
/// from `...\Logs\Microsoft-Windows-TerminalServices-RDPClient\Operational.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): the static name and `id` end in `..._operationa` — the
/// identifier looks truncated at a fixed length by the generator. The `id` is the
/// stable key other descriptors reference, so it cannot be changed here without
/// checking every `related_artifacts` / registry reference to it.
/// NOTE(review): this is the client-side RDP channel — it records outbound remote
/// desktop activity from the host and is a standard lateral-movement artifact in
/// practice. `TriagePriority::Low` with an empty `mitre_techniques` looks too weak
/// relative to the `High` given to the SystemSettings diagnostic channels above;
/// confirm and consider adding the remote-services / lateral-movement mapping.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_OPERATIONA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_terminalservices_rdpclient_operationa",
name: "Microsoft-Windows-TerminalServices-RDPClient/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RDPClient\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-RDPClient/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TerminalServices-RDPClient/Analytic` event-log channel, read
/// from `...\Logs\Microsoft-Windows-TerminalServices-RDPClient\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): Analytic channel — normally disabled and therefore usually absent;
/// the `/Operational` sibling is the one worth prioritising.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_terminalservices_rdpclient_analytic",
name: "Microsoft-Windows-TerminalServices-RDPClient/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RDPClient\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-RDPClient/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TerminalServices-Gateway/Operational` event-log channel, read
/// from `...\Logs\Microsoft-Windows-TerminalServices-Gateway\Operational.evtx`.
/// No MITRE techniques, fields, retention or volatility data are recorded.
/// NOTE(review): RD Gateway is a server role; this channel only exists on hosts
/// running it, so `OsScope::Win7Plus` (the blanket value in this file) overstates
/// where the file will be found — absence on a workstation is normal.
/// NOTE(review): on a gateway this is an internet-facing remote-access log
/// (connection/authorisation records); `TriagePriority::Low` and an empty
/// `mitre_techniques` understate it compared with the `High` assigned to the
/// SystemSettings diagnostic channels above — confirm.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_GATEWAY_OPERATIONAL: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_terminalservices_gateway_operational",
name: "Microsoft-Windows-TerminalServices-Gateway/Operational",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-Gateway\\Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-Gateway/Operational'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TerminalServices-Gateway/Admin` event-log channel, read from
/// `...\Logs\Microsoft-Windows-TerminalServices-Gateway\Admin.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): present only on hosts with the RD Gateway role. Admin channels
/// carry the errors an operator is meant to see (policy/authorisation failures),
/// which makes this a useful companion to the `/Operational` sibling when
/// reconstructing remote-access attempts; neither is cross-referenced.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_GATEWAY_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_terminalservices_gateway_admin",
name: "Microsoft-Windows-TerminalServices-Gateway/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-Gateway\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-Gateway/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TerminalServices-Gateway/Tracing` event-log channel, read from
/// `...\Logs\Microsoft-Windows-TerminalServices-Gateway\Tracing.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): trace-style channel on RD Gateway hosts only; normally disabled,
/// so expect the file to be absent.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_GATEWAY_TRACING: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_terminalservices_gateway_tracing",
name: "Microsoft-Windows-TerminalServices-Gateway/Tracing",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-Gateway\\Tracing.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-Gateway/Tracing'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TerminalServices-Gateway/Analytic` event-log channel, read from
/// `...\Logs\Microsoft-Windows-TerminalServices-Gateway\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): Analytic channel on RD Gateway hosts only; normally disabled.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_GATEWAY_ANALYTIC: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_terminalservices_gateway_analytic",
name: "Microsoft-Windows-TerminalServices-Gateway/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-Gateway\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-Gateway/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TerminalServices-Licensing/Admin` event-log channel, read from
/// `...\Logs\Microsoft-Windows-TerminalServices-Licensing\Admin.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): RD Licensing is a server role; the channel is not expected on
/// ordinary workstations despite the blanket `OsScope::Win7Plus`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_LICENSING_ADMIN: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_terminalservices_licensing_admin",
name: "Microsoft-Windows-TerminalServices-Licensing/Admin",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-Licensing\\Admin.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-Licensing/Admin'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TerminalServices-LocalSessionManager/Debug` event-log channel,
/// read from `...\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager\Debug.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): the static name and `id` carry no `_debug` suffix even though the
/// channel is `/Debug` — the identifier appears to have been cut at a fixed length.
/// If a `.../LocalSessionManager/Operational` descriptor exists elsewhere (that is
/// the channel investigators actually use for inbound RDP logon/reconnect
/// tracking), its id must not collide with this one — check the registry of ids.
/// The `id` is referenced by other descriptors, so do not rename it in isolation.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSIONMANAGER: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_terminalservices_localsessionmanager",
name: "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager\\Debug.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-LocalSessionManager/Debug'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TerminalServices-MediaRedirection/Analytic` event-log channel,
/// read from `...\Logs\Microsoft-Windows-TerminalServices-MediaRedirection\Analytic.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): static name / `id` end in `_ana` — truncated identifier, same
/// generator artefact as the other TerminalServices descriptors here. The `id` is a
/// referenced key; changing it requires updating every reference.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_MEDIAREDIRECTION_ANA: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_terminalservices_mediaredirection_ana",
name: "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-MediaRedirection\\Analytic.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-MediaRedirection/Analytic'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback` event-log channel,
/// read from `...\Logs\Microsoft-Windows-TerminalServices-RdpSoundDriver\Playback.evtx`.
/// Low triage priority; no MITRE techniques, fields, retention or volatility data
/// are recorded (sole source: nasbench EVTX-ETW-Resources).
/// NOTE(review): static name / `id` end in `_playb` — truncated identifier. Its
/// `/Capture` sibling follows; the two are not linked in `related_artifacts`.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPSOUNDDRIVER_PLAYB: ArtifactDescriptor = ArtifactDescriptor {
id: "evtx_microsoft_windows_terminalservices_rdpsounddriver_playb",
name: "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback",
artifact_type: ArtifactType::EventLog,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RdpSoundDriver\\Playback.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback'.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture`.
///
/// Counterpart of the `/Playback` channel of the same provider; the two
/// descriptors differ only in channel name, file name and the final letters
/// of the 60-character truncated `id` (`captu` vs `playb`). Techniques,
/// fields, retention and evidence metadata are deliberately empty — this is a
/// list-derived stub, not a curated entry.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPSOUNDDRIVER_CAPTU: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_terminalservices_rdpsounddriver_captu",
        name: "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RdpSoundDriver\\Capture.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug`.
///
/// Stub generated from the nasbench EVTX-ETW-Resources list; the only
/// populated metadata is the channel name, the `.evtx` path and a `Low`
/// triage priority.
/// NOTE(review): the 60-character truncation of the `id` cuts the provider
/// name itself (`...remoteconnectionmana`), so every channel of this provider
/// would truncate to the same `id` and static name. The provider's
/// `/Operational` channel is the one usually mined for RDP connection
/// history; check that it is catalogued under a non-colliding identifier
/// rather than silently dropped by the generator.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONNECTIONMANA: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_terminalservices_remoteconnectionmana",
        name: "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager\\Debug.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational`.
///
/// List-derived stub (nasbench EVTX-ETW-Resources) for the RD Connection
/// Broker client log. Fields, techniques, retention and evidence metadata are
/// intentionally empty pending curation.
/// NOTE(review): the `id` is truncated to 60 characters and stops at
/// `sessionbroker_client`, dropping `_operational`; any other channel of this
/// provider would collide on the same `id`/static name — verify uniqueness if
/// more channels of it are added.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TERMINALSERVICES_SESSIONBROKER_CLIENT: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_terminalservices_sessionbroker_client",
        name: "Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-SessionBroker-Client\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-Windows-Tethering-Manager/Analytic`.
///
/// Stub from the nasbench EVTX-ETW-Resources channel list; only name, path
/// and a `Low` triage priority are set. Here the channel name is short enough
/// that the `id` keeps its full `_analytic` suffix.
/// NOTE(review): Analytic channels are usually disabled unless an operator
/// turned them on, so an empty or missing file is the normal state — confirm
/// on the imaged host.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TETHERING_MANAGER_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_tethering_manager_analytic",
        name: "Microsoft-Windows-Tethering-Manager/Analytic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Tethering-Manager\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Tethering-Manager/Analytic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-Windows-Tethering-Station/Analytic`.
///
/// Sibling of the Tethering-Manager descriptor: same provider family, same
/// `Low` priority, same empty technique/field/retention/evidence slots. Only
/// the channel name, `id` and on-disk file name differ.
/// NOTE(review): Analytic channel — normally off by default; treat absence of
/// the `.evtx` as expected rather than as evidence of log clearing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TETHERING_STATION_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_tethering_station_analytic",
        name: "Microsoft-Windows-Tethering-Station/Analytic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Tethering-Station\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Tethering-Station/Analytic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-Windows-ThemeCPL/Diagnostic`.
///
/// Stub descriptor taken from the nasbench EVTX-ETW-Resources channel list.
/// Only the channel name, its `.evtx` path and a `Low` triage priority are
/// populated; the remaining metadata is left empty for curation.
/// NOTE(review): Diagnostic channels, like Analytic ones, are typically not
/// enabled by default — confirm the channel state on the host before drawing
/// conclusions from an empty file.
pub(crate) static EVTX_MICROSOFT_WINDOWS_THEMECPL_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_themecpl_diagnostic",
    name: "Microsoft-Windows-ThemeCPL/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ThemeCPL\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-ThemeCPL/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-ThemeUI/Diagnostic`.
///
/// Companion to the ThemeCPL descriptor; both are list-derived stubs with
/// empty technique, field, retention and evidence slots and a `Low` triage
/// priority. Differs only in channel name, `id` and file name.
/// NOTE(review): Diagnostic channel — usually disabled by default; an absent
/// or empty `.evtx` is the expected baseline.
pub(crate) static EVTX_MICROSOFT_WINDOWS_THEMEUI_DIAGNOSTIC: ArtifactDescriptor = ArtifactDescriptor {
    id: "evtx_microsoft_windows_themeui_diagnostic",
    name: "Microsoft-Windows-ThemeUI/Diagnostic",
    artifact_type: ArtifactType::EventLog,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-ThemeUI\\Diagnostic.evtx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Windows Event Log channel 'Microsoft-Windows-ThemeUI/Diagnostic'.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Event Log channel `Microsoft-Windows-Threat-Intelligence/Analytic`.
///
/// Stub generated from the nasbench EVTX-ETW-Resources list with empty
/// technique, field, retention and evidence metadata and a `Low` triage
/// priority.
/// NOTE(review): `Microsoft-Windows-Threat-Intelligence` is the kernel ETW
/// provider that security products subscribe to for process/memory-tampering
/// telemetry. The Analytic channel is normally disabled, so the file is
/// usually absent; but where an operator enabled it, its contents are likely
/// to deserve more than `Low` — revisit the priority and attach techniques
/// once the channel's event set has been reviewed, rather than relying on
/// this placeholder.
pub(crate) static EVTX_MICROSOFT_WINDOWS_THREAT_INTELLIGENCE_ANALYTIC: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_threat_intelligence_analytic",
        name: "Microsoft-Windows-Threat-Intelligence/Analytic",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Threat-Intelligence\\Analytic.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Threat-Intelligence/Analytic'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational`.
///
/// List-derived stub (nasbench EVTX-ETW-Resources) for the Precision Time
/// Protocol provider of the Windows Time service. Only name, path and a `Low`
/// triage priority are set. The `id` is truncated to 60 characters
/// (`..._ptp_operati`), so it no longer spells the channel name in full.
/// NOTE(review): clock-synchronisation events bear on the trustworthiness of
/// every other timestamp on the host; consider whether `Low` is right when
/// timeline integrity is in question, and document the decision here.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TIME_SERVICE_PTP_PROVIDER_PTP_OPERATI: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_time_service_ptp_provider_ptp_operati",
        name: "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Time-Service-PTP-Provider\\PTP-Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Microsoft-Windows-Time-Service/Operational`.
///
/// Stub descriptor for the Windows Time service's Operational log, taken from
/// the nasbench EVTX-ETW-Resources channel list. Techniques, fields,
/// retention and evidence metadata are empty; triage priority is `Low`.
/// NOTE(review): this is an Operational channel, so unlike the Analytic and
/// Debug stubs around it the file is plausibly present and populated. Time
/// source changes and sync failures recorded here affect how far other
/// artifact timestamps can be trusted — a candidate for a higher priority and
/// for `related_artifacts` links once curated; confirm before changing.
pub(crate) static EVTX_MICROSOFT_WINDOWS_TIME_SERVICE_OPERATIONAL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_microsoft_windows_time_service_operational",
        name: "Microsoft-Windows-Time-Service/Operational",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-Time-Service\\Operational.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Microsoft-Windows-Time-Service/Operational'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Event Log channel `Tunnel Driver Etw Channel`.
///
/// Stub descriptor from the nasbench EVTX-ETW-Resources list. Unlike the
/// `Microsoft-Windows-*` channels, this one has no provider/channel split, so
/// the `.evtx` sits directly in `winevt\Logs` and its file name contains
/// spaces — the path literal must be kept verbatim, including those spaces,
/// and callers expanding `%SystemRoot%` should not re-tokenise it.
/// Techniques, fields, retention and evidence metadata are empty; triage
/// priority is `Low`.
pub(crate) static EVTX_TUNNEL_DRIVER_ETW_CHANNEL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "evtx_tunnel_driver_etw_channel",
        name: "Tunnel Driver Etw Channel",
        artifact_type: ArtifactType::EventLog,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "%SystemRoot%\\System32\\winevt\\Logs\\Tunnel Driver Etw Channel.evtx",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Windows Event Log channel 'Tunnel Driver Etw Channel'.",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/nasbench/EVTX-ETW-Resources"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };