"Microsoft-Windows-CertificationAuthority" is not the event log - it is a source of events from the Application log
vburov opened this issue · 3 comments
There is an error in the "Windows Event Monitoring Guidance\Recommended Events to Collect" document (https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events), in the table from the "Certificate Services" section. The wrong event log is specified for event id = 90. "Microsoft-Windows-CertificationAuthority" is not the event log - it is a source of events from the Application log.
Updated the documentation (9c29e75). The event exists as part of Active Directory Certificate Services. Once this role is installed, you can verify the event (plus others) with:
wevtutil.exe gp Microsoft-Windows-CertificationAuthority /gm:true /ge:true
@iadgovuser8 Don't forget to update the csv and json files here too. :)
Accepted PR updating JSON 6e92d62
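
One way to confirm the log/provider relationship discussed in this issue from PowerShell, as an added example that is not part of the original thread or the repository. It assumes a host with the Active Directory Certificate Services role installed and that event 90 is written to the Application log, as the issue states.

```powershell
# Added example: check which log the CA provider writes to, then query
# event 90 by log AND provider. Run on a host with the AD CS role installed.
$providerName = 'Microsoft-Windows-CertificationAuthority'
$eventId      = 90

# 1. Provider metadata: the log(s) this provider is registered to write to.
$provider = Get-WinEvent -ListProvider $providerName -ErrorAction Stop
$provider.LogLinks | Select-Object LogName, IsImported

# 2. Metadata for the event in question, including its target log.
$provider.Events |
    Where-Object { $_.Id -eq $eventId } |
    Select-Object Id, @{ n = 'Log'; e = { $_.LogLink.LogName } }, Description

# 3. Collection-style query. Per the issue, the provider name is a source,
#    not a log, so it belongs in ProviderName and the log is 'Application'.
$filter = @{
    LogName      = 'Application'
    ProviderName = $providerName
    Id           = $eventId
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, LogName
```

If step 3 returns nothing, that only means no matching events have been recorded yet; steps 1 and 2 still show where the provider is registered to log.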