Microsoft-Windows-SenseIR
14 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1 | Starting action ActionType. | Operational | Y |
| 2 | Failed to run action ActionType. | Operational | Y |
| 3 | Succeeded to run action ActionType. | Operational | Y |
| 4 | Windows Defender Advanced Threat Protection Incident Response executable … | Operational | Y |
| 5 | Windows Defender Advanced Threat Protection Incident Response executable … | Operational | Y |
| 7 | Windows Defender Advanced Threat Protection Incident Response requested … | Operational | Y |
| 8 | Encountered unexpected error while getting actions from AIRS server. | Operational | Y |
| 9 | Found the caller of Windows Defender Advanced Threat Protection Incident … | Operational | N |
| 10 | Failed to deserialize Windows Defender Advanced Threat Protection Incident … | Operational | N |
| 11 | Finished uploading results of action ActionType. | Operational | Y |
| 12 | Failed to deserialize actions, received invalid actions from AIRS server. | Operational | N |
| 13 | Failed to execute AIRS request. | Operational | Y |
| 14 | Starting to upload results of action ActionType. | Operational | Y |
| 15 | Failure during action ActionType. | Operational | Y |
Event ID 1: Starting action ActionType.
Description
Starting action ActionType. Action ID: ActionId.

Message

Fields
| Name | Type | Description |
|---|---|---|
| ActionType | UnicodeString | |
| ActionId | UnicodeString | |

Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T02:41:59.104484+00:00",
    "event_record_id": 815,
    "correlation": {},
    "execution": {
      "process_id": 1944,
      "thread_id": 12132
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ActionType": "RunPSScriptAction",
    "ActionId": "93514365-7ff3-4f5e-9dfd-7eb9f6b779a7"
  },
  "message": ""
}
```
Event ID 2: Failed to run action ActionType.
Description
Failed to run action ActionType. Action ID: ActionId, error code: HRESULT.

Message

Fields
| Name | Type | Description |
|---|---|---|
| ActionType | UnicodeString | |
| ActionId | UnicodeString | |
| HRESULT | HexInt64 | |

Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:02:06.749860+00:00",
    "event_record_id": 1018,
    "correlation": {},
    "execution": {
      "process_id": 8048,
      "thread_id": 992
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ActionType": "CleanResourceAction",
    "ActionId": "iaid_530_quarantine_file__12_1773431280",
    "HRESULT": "0xffffffff80070002"
  },
  "message": ""
}
```
Event ID 3: Succeeded to run action ActionType.
Description
Succeeded to run action ActionType. Action ID: ActionId.

Message

Fields
| Name | Type | Description |
|---|---|---|
| ActionType | UnicodeString | |
| ActionId | UnicodeString | |

Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T02:42:08.083911+00:00",
    "event_record_id": 816,
    "correlation": {},
    "execution": {
      "process_id": 1944,
      "thread_id": 12132
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ActionType": "RunPSScriptAction",
    "ActionId": "93514365-7ff3-4f5e-9dfd-7eb9f6b779a7"
  },
  "message": ""
}
```
Event ID 4: Windows Defender Advanced Threat Protection Incident Response executable started.
Description
Windows Defender Advanced Threat Protection Incident Response executable started.

Message

Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 4,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T02:41:49.103469+00:00",
    "event_record_id": 814,
    "correlation": {},
    "execution": {
      "process_id": 1944,
      "thread_id": 12172
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}
```
Event ID 5: Windows Defender Advanced Threat Protection Incident Response executable terminated.
Description
Windows Defender Advanced Threat Protection Incident Response executable terminated. Exit code: HRESULT.

Message

Fields
| Name | Type | Description |
|---|---|---|
| HRESULT | HexInt32 | |

Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 5,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T03:03:00.145455+00:00",
    "event_record_id": 817,
    "correlation": {},
    "execution": {
      "process_id": 1944,
      "thread_id": 12172
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HRESULT": "0x0"
  },
  "message": ""
}
```
Event ID 7: Windows Defender Advanced Threat Protection Incident Response requested registration as an AIRS client.
Description
Windows Defender Advanced Threat Protection Incident Response requested registration as an AIRS client. Result code: HRESULT.

Message

Fields
| Name | Type | Description |
|---|---|---|
| HRESULT | HexInt32 | |

Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 7,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-12T18:57:10.188267+00:00",
    "event_record_id": 187,
    "correlation": {},
    "execution": {
      "process_id": 8368,
      "thread_id": 13932
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HRESULT": "0x0"
  },
  "message": ""
}
```
Event ID 8: Encountered unexpected error while getting actions from AIRS server.
Description
Encountered unexpected error while getting actions from AIRS server. Error code: HRESULT.

Message

Fields
| Name | Type | Description |
|---|---|---|
| HRESULT | HexInt32 | |

Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 8,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-11T02:39:06.603116+00:00",
    "event_record_id": 175,
    "correlation": {},
    "execution": {
      "process_id": 4196,
      "thread_id": 6052
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HRESULT": "0x801901f6"
  },
  "message": ""
}
```
Event ID 9: Found the caller of Windows Defender Advanced Threat Protection Incident Response executable to be invalid.
Event ID 10: Failed to deserialize Windows Defender Advanced Threat Protection Incident Response parameters.
Event ID 11: Finished uploading results of action ActionType.
Description
Finished uploading results of action ActionType. Action ID: ActionId, upload result code: HRESULT.

Message

Fields
| Name | Type | Description |
|---|---|---|
| ActionType | UnicodeString | |
| ActionId | UnicodeString | |
| HRESULT | HexInt64 | |

Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 11,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-12T19:04:10.450886+00:00",
    "event_record_id": 255,
    "correlation": {},
    "execution": {
      "process_id": 8368,
      "thread_id": 11100
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ActionType": "ReadFileAction",
    "ActionId": "iaid_252_read_file__7_1770923045",
    "HRESULT": "0x0"
  },
  "message": ""
}
```
Event ID 12: Failed to deserialize actions, received invalid actions from AIRS server.
Event ID 13: Failed to execute AIRS request.
Description
Failed to execute AIRS request. Error code: HRESULT.

Message

Fields
| Name | Type | Description |
|---|---|---|
| HRESULT | HexInt32 | |

Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 13,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-11T02:39:06.603071+00:00",
    "event_record_id": 174,
    "correlation": {},
    "execution": {
      "process_id": 4196,
      "thread_id": 6052
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HRESULT": "0x801901f6"
  },
  "message": ""
}
```
Event ID 14: Starting to upload results of action ActionType.
Description
Starting to upload results of action ActionType. Action ID: ActionId.

Message

Fields
| Name | Type | Description |
|---|---|---|
| ActionType | UnicodeString | |
| ActionId | UnicodeString | |

Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 14,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-12T19:04:10.220142+00:00",
    "event_record_id": 254,
    "correlation": {},
    "execution": {
      "process_id": 8368,
      "thread_id": 11100
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ActionType": "ReadFileAction",
    "ActionId": "iaid_252_read_file__7_1770923045"
  },
  "message": ""
}
```
Event ID 15: Failure during action ActionType.
Description
Failure during action ActionType. Action ID: ActionId, Action phase: ActionPhase, error code: HRESULT.

Message

Fields
| Name | Type | Description |
|---|---|---|
| ActionType | UnicodeString | |
| ActionId | UnicodeString | |
| ActionPhase | UnicodeString | |
| HRESULT | HexInt64 | |

Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SenseIR",
    "guid": "B6D775EF-1436-4FE6-BAD3-9E436319E218",
    "event_source_name": "",
    "event_id": 15,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-09T01:17:16.046722+00:00",
    "event_record_id": 602,
    "correlation": {},
    "execution": {
      "process_id": 7604,
      "thread_id": 7356
    },
    "channel": "Microsoft-Windows-SenseIR/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ActionType": "RunPSScriptAction",
    "ActionId": "13374ec1-d353-4b0a-bd6d-f19ce96b06c0",
    "ActionPhase": "RunScript",
    "HRESULT": "0xffffffff80090325"
  },
  "message": ""
}
```
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID b6d775ef-1436-4fe6-bad3-9e436319e218
Defined in Program, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.8821.27906.1000, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.8798.25857.1000, captured 2026-06-02