Elastic Windows Event Explorer


Publisher - Microsoft-Windows-EDP-Audit-TCB

Event ID 101

Message:

Enterprise %{PreviousEnterpriseId} tag has been removed (%{Policy}) from the file: %{FilePath}

Event Data:

#  Name                  In Type            Out Type
1  UserId                win:SID            xs:string
2  Policy                win:UnicodeString  xs:string
3  Justification         win:UnicodeString  xs:string
4  PreviousEnterpriseId  win:UnicodeString  xs:string
5  FilePath              win:UnicodeString  xs:string

Observed Windows Versions:

Version: 0

Fingerprint: PKRQ5IZHKY4KY