After upgrading Windows 10 to the latest version:

- Event ID 6417 is missing the event description and the field names.

2017 Feb 24 12:18:43 WinEvtLog: Security: AUDIT_SUCCESS(6417): Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: 0x38a0 C:\Windows\System32\wbem\WmiPrvSE.exe

The event description is: "The FIPS module crypto selftests succeeded.", 
"0x38a0" is the process ID, and "C:\Windows\System32\wbem\WmiPrvSE.exe" the 
process name.

I would probably filter these events (but that is no excuse to have the
description and field names chopped off), logging failures only -- which
would qualify as suspicious.

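As an added example (not part of the original post and not OSSEC code), the following sketch parses the forwarded line shown above, recovers the process ID and process name when the description and field names are missing, and applies the filtering policy the post suggests. The function name `triage`, the regular expressions, and the header layout inferred from that single log line are assumptions.

```python
import re

# Layout of a Windows event as forwarded by the agent, inferred from the line in the post.
HEADER = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<host>[^:]+): (?P<message>.*)$"
)
# Message body once description and field names are stripped: "<hex pid> <image path>".
BARE = re.compile(r"^(?P<pid>0x[0-9a-fA-F]+) (?P<process>[A-Za-z]:\\.+)$")
# Description text quoted in the post for event 6417.
DESCRIPTIONS = {6417: "The FIPS module crypto selftests succeeded."}


def triage(line):
    """Parse one forwarded event line; return None if it is not a WinEvtLog line."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    bare = BARE.match(ev["message"])
    ev["description_missing"] = bare is not None
    if bare:
        # Recover the values whose field names were lost.
        ev["pid"] = int(bare.group("pid"), 16)
        ev["process"] = bare.group("process")
        ev["description"] = DESCRIPTIONS.get(ev["event_id"])
    # Policy from the post: filter successful self-tests, keep everything else.
    ev["keep"] = not (ev["event_id"] == 6417 and ev["status"] == "AUDIT_SUCCESS")
    return ev


# The line from the post, rejoined onto one line.
SAMPLE = (r"2017 Feb 24 12:18:43 WinEvtLog: Security: AUDIT_SUCCESS(6417): "
          r"Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: "
          r"0x38a0 C:\Windows\System32\wbem\WmiPrvSE.exe")

if __name__ == "__main__":
    ev = triage(SAMPLE)
    print(ev["event_id"], ev["pid"], ev["process"],
          "description missing:", ev["description_missing"], "keep:", ev["keep"])
```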