NTDS ISAM

18 events across 1 channel

| Event | Title | Channel | Sample |
|---|---|---|---|
| 102 | Event ID 102 | Directory Service | Y |
| 103 | Event ID 103 | Directory Service | Y |
| 105 | Event ID 105 | Directory Service | Y |
| 326 | Event ID 326 | Directory Service | Y |
| 327 | Event ID 327 | Directory Service | Y |
| 330 | Event ID 330 | Directory Service | Y |
| 508 | NTDS (1008,D,0) NTDSA: A request to write to the file "C:\Windows\NTDS\edb.log" … took an abnormally long time … to be serviced by the OS. | Directory Service | Y |
| 609 | Event ID 609 | Directory Service | Y |
| 611 | Event ID 611 | Directory Service | Y |
| 612 | Event ID 612 | Directory Service | Y |
| 614 | Event ID 614 | Directory Service | Y |
| 643 | Event ID 643 | Directory Service | Y |
| 700 | Event ID 700 | Directory Service | Y |
| 701 | Event ID 701 | Directory Service | Y |
| 702 | Event ID 702 | Directory Service | Y |
| 703 | Event ID 703 | Directory Service | Y |
| 704 | Event ID 704 | Directory Service | Y |
| 2001 | NTDS (1000,D,0) NTDSA: Shadow copy instance 1 freeze started. | Directory Service | Y |

Event ID 102

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

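| Name | Description |
|---|---|
| Data_0 | First token of the rendered message (`NTDS` in the sample) |
| Data_1 | Parenthesised triple that follows it (`896,P,98` in the sample) |
| Data_2 | The `NTDSA: ` label that precedes the message text |
| Data_3 | Instance number reported as "a new instance (0)" |
| Data_4 | First component of the database engine version (`10`) |
| Data_5 | Second component of the database engine version (`00`) |
| Data_6 | Third component of the database engine version (`20348`) |
| Data_7 | Fourth component of the database engine version (`0000`) |
| Data | Not present in the sample below; other samples on this page (for example Event ID 103) carry the same kind of values as one ordered array under this name instead of `Data_N` keys |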

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 102,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:38:05.5681978+00:00",
    "event_record_id": 349,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "896,P,98",
    "Data_2": "NTDSA: ",
    "Data_3": "0",
    "Data_4": "10",
    "Data_5": "00",
    "Data_6": "20348",
    "Data_7": "0000"
  },
  "message": "NTDS (896,P,98) NTDSA: The database engine (10.00.20348.0000) is starting a new instance (0)."
}

Event ID 103

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

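| Name | Description |
|---|---|
| Data | Ordered array of the event's string values. The sample holds six elements: `NTDS`, `648,T,97`, `NTDSA: `, `0`, a multi-line internal timing sequence, and `0`. The sample's `message` is empty, so the meaning of each position is not shown here |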

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 103,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:40.502491+00:00",
    "event_record_id": 38,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,T,97",
      "NTDSA: ",
      "0",
      "\n[1] 0.000002 +J(0)\n[2] 0.000450 -0.000425 (1) WT +J(0) +M(C:0K, Fs:23, WS:68K # 0K, PF:0K # 0K, P:0K)\n[3] 0.000197 +J(CM:0, PgRf:47, Rd:0/0, Dy:5/55, Lg:2011/41) +M(C:0K, Fs:10, WS:-120K # 0K, PF:-160K # 0K, P:-160K)\n[4] 0.000003 +J(0)\n[5] 0.028921 -0.018370 (9) WT +J(0) +M(C:96K, Fs:323, WS:364K # 0K, PF:360K # 0K, P:360K)\n[6] 0.000022 +J(0)\n[7] 0.000005 +J(0)\n[8] 0.007311 -0.000947 (12) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3624/2) +M(C:0K, Fs:112, WS:-40K # 0K, PF:-44K # 0K, P:-44K)\n[9] 0.000265 -0.000122 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1)\n[10] 0.000022 +J(0)\n[11] 0.001534 -0.000111 (2) WT +J(0)\n[12] 0.000021 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K)\n[13] 0.000208 +J(0)\n[14] 0.000988 +J(0) +M(C:0K, Fs:0, WS:-10248K # 0K, PF:-10264K # 0K, P:-10264K)\n[15] 0.000007 +J(0).",
      "0"
    ]
  },
  "message": ""
}

References #

Event ID 105

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

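| Name | Description |
|---|---|
| Data_0 | First token of the rendered message (`NTDS` in the sample) |
| Data_1 | Parenthesised triple that follows it (`896,D,0` in the sample) |
| Data_2 | The `NTDSA: ` label that precedes the message text |
| Data_3 | `0` in the sample; presumably the instance number in "started a new instance (0)" (both Data_3 and Data_4 are `0`, so the sample cannot confirm the order) |
| Data_4 | `0` in the sample; presumably the `Time=0 seconds` value |
| Data_5 | The "Internal Timing Sequence" block of the message |
| Data_6 | Empty in the sample; appears to correspond to the empty "Additional Data" section of the message |
| Data | Not present in the sample below; other samples on this page carry the same kind of values as one ordered array under this name instead of `Data_N` keys |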

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 105,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:38:05.5681978+00:00",
    "event_record_id": 350,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "896,D,0",
    "Data_2": "NTDSA: ",
    "Data_3": "0",
    "Data_4": "0",
    "Data_5": "\n[1] 0.001158 +J(0) +M(C:0K, Fs:118, WS:444K # 0K, PF:3524K # 364K, P:3524K)\n[2] 0.000748 +J(0) +M(C:16K, Fs:164, WS:648K # 320K, PF:316K # 316K, P:316K)\n[3] 0.000101 +J(0) +M(C:0K, Fs:5, WS:20K # 20K, PF:64K # 64K, P:64K)\n[4] 0.005071 -0.000301 (1) WT +J(0) +M(C:0K, Fs:158, WS:540K # 540K, PF:7724K # 7724K, P:7724K)\n[5] 0.000428 +J(0) +M(C:0K, Fs:3, WS:12K # 12K, PF:8K # 8K, P:8K)\n[6] 0.002799 +J(0) +M(C:0K, Fs:18, WS:68K # 68K, PF:16K # 16K, P:16K)\n[7] 0.031294 -0.024724 (21) WT +J(0) +M(C:0K, Fs:2579, WS:10296K # 10296K, PF:10260K # 10260K, P:10260K)\n[8] -\n[9] -\n[10] -\n[11] -\n[12] -\n[13] 0.025247 -0.018453 (22) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:616/1) +M(C:0K, Fs:8, WS:-10216K # 24K, PF:-10256K # 12K, P:-10256K)\n[14] 0.000025 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:4K # 0K, P:4K)\n[15] 0.001169 +J(0) +M(C:0K, Fs:821, WS:3276K # 0K, PF:68K # 0K, P:68K)\n[16] 0.000536 -0.000255 (1) WT +J(0) +M(C:0K, Fs:3, WS:4K # 0K, PF:0K # 0K, P:0K).",
    "Data_6": ""
  },
  "message": "NTDS (896,D,0) NTDSA: The database engine started a new instance (0). (Time=0 seconds) \r\n \r\nAdditional Data:\r\n  \r\n \r\nInternal Timing Sequence: \n[1] 0.001158 +J(0) +M(C:0K, Fs:118, WS:444K # 0K, PF:3524K # 364K, P:3524K)\n[2] 0.000748 +J(0) +M(C:16K, Fs:164, WS:648K # 320K, PF:316K # 316K, P:316K)\n[3] 0.000101 +J(0) +M(C:0K, Fs:5, WS:20K # 20K, PF:64K # 64K, P:64K)\n[4] 0.005071 -0.000301 (1) WT +J(0) +M(C:0K, Fs:158, WS:540K # 540K, PF:7724K # 7724K, P:7724K)\n[5] 0.000428 +J(0) +M(C:0K, Fs:3, WS:12K # 12K, PF:8K # 8K, P:8K)\n[6] 0.002799 +J(0) +M(C:0K, Fs:18, WS:68K # 68K, PF:16K # 16K, P:16K)\n[7] 0.031294 -0.024724 (21) WT +J(0) +M(C:0K, Fs:2579, WS:10296K # 10296K, PF:10260K # 10260K, P:10260K)\n[8] -\n[9] -\n[10] -\n[11] -\n[12] -\n[13] 0.025247 -0.018453 (22) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:616/1) +M(C:0K, Fs:8, WS:-10216K # 24K, PF:-10256K # 12K, P:-10256K)\n[14] 0.000025 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:4K # 0K, P:4K)\n[15] 0.001169 +J(0) +M(C:0K, Fs:821, WS:3276K # 0K, PF:68K # 0K, P:68K)\n[16] 0.000536 -0.000255 (1) WT +J(0) +M(C:0K, Fs:3, WS:4K # 0K, PF:0K # 0K, P:0K)."
}

Event ID 326

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

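| Name | Description |
|---|---|
| Data_0 | First token of the rendered message (`NTDS` in the sample) |
| Data_1 | Parenthesised triple that follows it (`896,D,50` in the sample) |
| Data_2 | The `NTDSA: ` label that precedes the message text |
| Data_3 | Database number in "attached a database (1, …)" |
| Data_4 | Path of the attached database (`C:\Windows\NTDS\ntds.dit` in the sample) |
| Data_5 | The `Time=0 seconds` value |
| Data_6 | The "Internal Timing Sequence" block of the message |
| Data_7 | The "Saved Cache" value (`0 0`) |
| Data_8 | The "Additional Data" text (`lgposAttach` and `dbv` values) |
| Data | Not present in the sample below; other samples on this page (for example Event ID 327) carry the same kind of values as one ordered array under this name instead of `Data_N` keys |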

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 326,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:38:05.5681978+00:00",
    "event_record_id": 352,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "896,D,50",
    "Data_2": "NTDSA: ",
    "Data_3": "1",
    "Data_4": "C:\\Windows\\NTDS\\ntds.dit",
    "Data_5": "0",
    "Data_6": "\n[1] 0.000008 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[2] 0.000552 -0.000348 (1) WT +J(0) +M(C:0K, Fs:19, WS:12K # 0K, PF:8K # 0K, P:8K)\n[3] 0.008614 -0.002602 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:16, WS:56K # 0K, PF:108K # 0K, P:108K)\n[4] 0.000182 +J(0)\n[5] -\n[6] -\n[7] -\n[8] 0.001044 -0.000404 (2) CM -0.000320 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:0/0) +M(C:16K, Fs:47, WS:180K # 0K, PF:228K # 0K, P:228K)\n[9] 0.002021 -0.001536 (7) CM -0.001303 (7) WT +J(CM:7, PgRf:24, Rd:0/7, Dy:0/0, Lg:0/0) +M(C:-8K, Fs:29, WS:100K # 0K, PF:192K # 0K, P:192K)\n[10] 0.000790 -0.000618 (3) CM -0.000525 (3) WT +J(CM:3, PgRf:40, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:-4K, Fs:5, WS:12K # 0K, PF:60K # 0K, P:60K)\n[11] 0.000033 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 0K, PF:0K # 0K, P:0K)\n[12] 0.000044 +J(CM:0, PgRf:48, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[13] 0.0 +J(0)\n[14] 0.0 +J(0)\n[15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).",
    "Data_7": "0 0",
    "Data_8": "lgposAttach = 00000002:07E5:0268,\ndbv = 1568.20.0 (8920)"
  },
  "message": "NTDS (896,D,50) NTDSA: The database engine attached a database (1, C:\\Windows\\NTDS\\ntds.dit). (Time=0 seconds) \r\n \r\nSaved Cache: 0 0 \r\nAdditional Data: lgposAttach = 00000002:07E5:0268,\ndbv = 1568.20.0 (8920) \r\n \r\nInternal Timing Sequence: \n[1] 0.000008 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[2] 0.000552 -0.000348 (1) WT +J(0) +M(C:0K, Fs:19, WS:12K # 0K, PF:8K # 0K, P:8K)\n[3] 0.008614 -0.002602 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:16, WS:56K # 0K, PF:108K # 0K, P:108K)\n[4] 0.000182 +J(0)\n[5] -\n[6] -\n[7] -\n[8] 0.001044 -0.000404 (2) CM -0.000320 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:0/0) +M(C:16K, Fs:47, WS:180K # 0K, PF:228K # 0K, P:228K)\n[9] 0.002021 -0.001536 (7) CM -0.001303 (7) WT +J(CM:7, PgRf:24, Rd:0/7, Dy:0/0, Lg:0/0) +M(C:-8K, Fs:29, WS:100K # 0K, PF:192K # 0K, P:192K)\n[10] 0.000790 -0.000618 (3) CM -0.000525 (3) WT +J(CM:3, PgRf:40, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:-4K, Fs:5, WS:12K # 0K, PF:60K # 0K, P:60K)\n[11] 0.000033 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 0K, PF:0K # 0K, P:0K)\n[12] 0.000044 +J(CM:0, PgRf:48, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[13] 0.0 +J(0)\n[14] 0.0 +J(0)\n[15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0)."
}

Event ID 327

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

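| Name | Description |
|---|---|
| Data | Ordered array of the event's string values. The sample holds nine elements in the same layout as `Data_0`–`Data_8` of the Event ID 326 sample: `NTDS`, `648,D,51`, `NTDSA: `, a database number (`1`), the database path (`C:\Windows\NTDS\ntds.dit`), `0`, an internal timing sequence, `0 0`, and `lgposDetach = …`. The last element suggests a database detach, but the sample's `message` is empty, so this is not confirmed here |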

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 327,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:33.396715+00:00",
    "event_record_id": 21,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,51",
      "NTDSA: ",
      "1",
      "C:\\Windows\\NTDS\\ntds.dit",
      "0",
      "\n[1] 0.000002 +J(0)\n[2] 0.0 +J(0)\n[3] 0.004132 -0.004125 (1) WT +J(0) +M(C:44K, Fs:53, WS:100K # 0K, PF:48K # 0K, P:48K)\n[4] 0.000001 +J(0)\n[5] 0.0 +J(0)\n[6] 0.001773 -0.000372 (6) WT +J(0) +M(C:-16K, Fs:6, WS:-8K # 0K, PF:-16K # 0K, P:-16K)\n[7] 0.000029 +J(0)\n[8] 0.000381 -0.000070 (2) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3902/2)\n[9] 0.001097 -0.000213 (6) WT +J(0) +M(C:0K, Fs:4, WS:-20K # 0K, PF:-20K # 0K, P:-20K)\n[10] 0.000127 +J(0)\n[11] 0.000069 +J(0) +M(C:0K, Fs:0, WS:-8K # 0K, PF:-8K # 0K, P:-8K).",
      "0 0",
      "lgposDetach = 00000001:00BA:00C2"
    ]
  },
  "message": ""
}

References #

Event ID 330

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

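| Name | Description |
|---|---|
| Data_0 | First token of the rendered message (`NTDS` in the sample) |
| Data_1 | Parenthesised triple that follows it (`896,D,2` in the sample) |
| Data_2 | The `NTDSA: ` label that precedes the message text |
| Data_3 | Path of the database whose format version is held back (`C:\Windows\NTDS\temp.edb` in the sample) |
| Data_4 | The application parameter setting that causes the hold-back (`0x22D8 (8920)`) |
| Data_5 | The format version the database is held back to (`8920 (0x22d8)`) |
| Data_6 | The current default engine version (`9360 (0x2490)`) |
| Data | Not present in the sample below; other samples on this page carry the same kind of values as one ordered array under this name instead of `Data_N` keys |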

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 330,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:38:05.5681978+00:00",
    "event_record_id": 353,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "896,D,2",
    "Data_2": "NTDSA: ",
    "Data_3": "C:\\Windows\\NTDS\\temp.edb",
    "Data_4": "0x22D8 (8920)",
    "Data_5": "8920 (0x22d8)",
    "Data_6": "9360 (0x2490)"
  },
  "message": "NTDS (896,D,2) NTDSA: The database [C:\\Windows\\NTDS\\temp.edb] format version is being held back to 8920 (0x22d8) due to application parameter setting of 0x22D8 (8920). Current default engine version: 9360 (0x2490)."
}

Event ID 508: NTDS (1008,D,0) NTDSA: A request to write to the file "C:\Windows\NTDS\edb.log" … took an abnormally long time … to be serviced by the OS.

Provider
NTDS ISAM
Channel
Directory Service
Level
Warning

Fields #

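| Name | Description |
|---|---|
| Data_0 | First token of the rendered message (`NTDS` in the sample) |
| Data_1 | Parenthesised triple that follows it (`1008,D,0` in the sample) |
| Data_2 | The `NTDSA: ` label that precedes the message text |
| Data_3 | Path of the file being written (`C:\Windows\NTDS\edb.log` in the sample) |
| Data_4 | File offset of the write, in decimal and hex |
| Data_5 | Size of the write in bytes, in decimal and hex |
| Data_6 | Number of seconds the write took to be serviced (`25` in the sample) |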

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 508,
    "version": 0,
    "level": 3,
    "task": 7,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-04-13T05:21:25.6807569+00:00",
    "event_record_id": 5434,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "1008,D,0",
    "Data_2": "NTDSA: ",
    "Data_3": "C:\\Windows\\NTDS\\edb.log",
    "Data_4": "10469376 (0x00000000009fc000)",
    "Data_5": "4096 (0x00001000)",
    "Data_6": "25"
  },
  "message": "NTDS (1008,D,0) NTDSA: A request to write to the file \"C:\\Windows\\NTDS\\edb.log\" at offset 10469376 (0x00000000009fc000) for 4096 (0x00001000) bytes succeeded, but took an abnormally long time (25 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem."
}

Event ID 609

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

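| Name | Description |
|---|---|
| Data | Ordered array of the event's string values. The sample holds twelve elements: `NTDS`, `648,D,50`, `NTDSA: `, the database path (`C:\Windows\NTDS\ntds.dit`), then two repeated groups of `10`, `0`, `20348`, `0`. The groups resemble the engine version reported by Event ID 102, but the sample's `message` is empty, so their meaning is not confirmed here |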

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 609,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:33.307771+00:00",
    "event_record_id": 14,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,50",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit",
      "10",
      "0",
      "20348",
      "0",
      "10",
      "0",
      "20348",
      "0"
    ]
  },
  "message": ""
}

References #

Event ID 611

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

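| Name | Description |
|---|---|
| Data | Ordered array of the event's string values. The sample holds six elements: `NTDS`, `648,D,50`, `NTDSA: `, the database path (`C:\Windows\NTDS\ntds.dit`), `PDNT_index`, and `datatable`. The sample's `message` is empty, so the meaning of each position is not shown here |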

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 611,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:33.375741+00:00",
    "event_record_id": 18,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,50",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit",
      "PDNT_index",
      "datatable"
    ]
  },
  "message": ""
}

References #

Event ID 612

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

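| Name | Description |
|---|---|
| Data | Ordered array of the event's string values. The sample holds four elements: `NTDS`, `648,D,50`, `NTDSA: `, and the database path (`C:\Windows\NTDS\ntds.dit`). The sample's `message` is empty, so the event text is not shown here |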

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 612,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:33.381699+00:00",
    "event_record_id": 19,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,50",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit"
    ]
  },
  "message": ""
}

References #

Event ID 614

Provider
NTDS ISAM
Channel
Directory Service
Level
Warning

Fields #

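| Name | Description |
|---|---|
| Data | Ordered array of the event's string values. The sample holds six elements: `NTDS`, `648,D,50`, `NTDSA: `, the database path (`C:\Windows\NTDS\ntds.dit`), `INDEX_00000003`, and `datatable`. The sample's `message` is empty, so the meaning of each position is not shown here |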

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 614,
    "version": 0,
    "level": 3,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:33.225114+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,50",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit",
      "INDEX_00000003",
      "datatable"
    ]
  },
  "message": ""
}

References #

Event ID 643

Provider
NTDS ISAM
Channel
Directory Service
Level
Warning

Fields #

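| Name | Description |
|---|---|
| Data | Ordered array of the event's string values. The sample holds nine elements: `NTDS`, `648,D,50`, `NTDSA: `, the database path (`C:\Windows\NTDS\ntds.dit`), `en-US`, a GUID, a 16-digit hex string, the same GUID again, and a second 16-digit hex string. The sample's `message` is empty, so the meaning of each position is not shown here |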

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 643,
    "version": 0,
    "level": 3,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:12:33.306746+00:00",
    "event_record_id": 13,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,50",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit",
      "en-US",
      "00000001-57ee-1e5c-00b4-d0000bb1e11e",
      "0006020F0006020F",
      "00000001-57ee-1e5c-00b4-d0000bb1e11e",
      "0006040300060403"
    ]
  },
  "message": ""
}

References #

Event ID 700

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

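| Name | Description |
|---|---|
| Data_0 | First token of the rendered message (`NTDS` in the sample) |
| Data_1 | Parenthesised triple that follows it (`896,D,0` in the sample) |
| Data_2 | The `NTDSA: ` label that precedes the message text |
| Data_3 | Path of the database on which online defragmentation is beginning a full pass |
| Data | Not present in the sample below; other samples on this page (for example Event ID 704) carry the same kind of values as one ordered array under this name instead of `Data_N` keys |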

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 700,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:38:05.5681978+00:00",
    "event_record_id": 354,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "896,D,0",
    "Data_2": "NTDSA: ",
    "Data_3": "C:\\Windows\\NTDS\\ntds.dit"
  },
  "message": "NTDS (896,D,0) NTDSA: Online defragmentation is beginning a full pass on database 'C:\\Windows\\NTDS\\ntds.dit'."
}

Event ID 701

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

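| Name | Description |
|---|---|
| Data_0 | First token of the rendered message (`NTDS` in the sample) |
| Data_1 | Parenthesised triple that follows it (`896,D,0` in the sample) |
| Data_2 | The `NTDSA: ` label that precedes the message text |
| Data_3 | Path of the defragmented database |
| Data_4 | Number of pages freed (`0` in the sample; Data_4–Data_9 are listed in message order) |
| Data_5 | Date on which the pass started (`6/13/2026`) |
| Data_6 | Total run time in seconds (`0`) |
| Data_7 | Number of invocations the pass required (`1`) |
| Data_8 | Number of days the pass spanned (`1`) |
| Data_9 | Number of times the database has been fully defragmented since it was created (`3`) |
| Data | Not present in the sample below; other samples on this page (for example Event ID 703) carry the same kind of values as one ordered array under this name instead of `Data_N` keys |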

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 701,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:38:05.7402088+00:00",
    "event_record_id": 355,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "896,D,0",
    "Data_2": "NTDSA: ",
    "Data_3": "C:\\Windows\\NTDS\\ntds.dit",
    "Data_4": "0",
    "Data_5": "6/13/2026",
    "Data_6": "0",
    "Data_7": "1",
    "Data_8": "1",
    "Data_9": "3"
  },
  "message": "NTDS (896,D,0) NTDSA: Online defragmentation has completed a full pass on database 'C:\\Windows\\NTDS\\ntds.dit', freeing 0 pages. This pass started on 6/13/2026 and ran for a total of 0 seconds, requiring 1 invocations over 1 days. Since the database was created it has been fully defragmented 3 times."
}

Event ID 702

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

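| Name | Description |
|---|---|
| Data | Ordered array of the event's string values. The sample holds six elements: `NTDS`, `648,D,0`, `NTDSA: `, the database path (`C:\Windows\NTDS\ntds.dit`), a date (`4/7/2022`), and `1`. The sample's `message` is empty, so the meaning of each position is not shown here |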

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 702,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:29:41.505098+00:00",
    "event_record_id": 65,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,0",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit",
      "4/7/2022",
      "1"
    ]
  },
  "message": ""
}

References #

Event ID 703

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

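| Name | Description |
|---|---|
| Data | Ordered array of the event's string values. The sample holds ten elements: `NTDS`, `648,D,0`, `NTDSA: `, the database path (`C:\Windows\NTDS\ntds.dit`), `10`, a date (`4/7/2022`), `0`, `2`, `1`, and `1`. The sample's `message` is empty, so the meaning of each position is not shown here |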

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 703,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:29:41.520778+00:00",
    "event_record_id": 66,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,0",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit",
      "10",
      "4/7/2022",
      "0",
      "2",
      "1",
      "1"
    ]
  },
  "message": ""
}

References #

Event ID 704

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

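| Name | Description |
|---|---|
| Data | Ordered array of the event's string values. The sample holds four elements: `NTDS`, `648,D,0`, `NTDSA: `, and the database path (`C:\Windows\NTDS\ntds.dit`). The sample's `message` is empty, so the event text is not shown here |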

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 704,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:30:15.270773+00:00",
    "event_record_id": 70,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "NTDS",
      "648,D,0",
      "NTDSA: ",
      "C:\\Windows\\NTDS\\ntds.dit"
    ]
  },
  "message": ""
}

References #

Event ID 2001: NTDS (1000,D,0) NTDSA: Shadow copy instance 1 freeze started.

Provider
NTDS ISAM
Channel
Directory Service
Level
Informational

Fields #

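| Name | Description |
|---|---|
| Data_0 | First token of the rendered message (`NTDS` in the sample) |
| Data_1 | Parenthesised triple that follows it (`1000,D,0` in the sample) |
| Data_2 | The `NTDSA: ` label that precedes the message text |
| Data_3 | Shadow copy instance number (`1` in the sample) |

This event records the start of the freeze phase of a shadow copy of the directory database. It is expected during scheduled backups; because a snapshot of the volume holds a copy of `ntds.dit`, a freeze outside known backup windows is worth correlating with whatever requested the snapshot.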

Example Event #

{
  "system": {
    "provider": "NTDS ISAM",
    "guid": "",
    "event_source_name": "",
    "event_id": 2001,
    "version": 0,
    "level": 4,
    "task": 16,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-30T02:25:25.5872725+00:00",
    "event_record_id": 5631,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Directory Service",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "NTDS",
    "Data_1": "1000,D,0",
    "Data_2": "NTDSA: ",
    "Data_3": "1"
  },
  "message": "NTDS (1000,D,0) NTDSA: Shadow copy instance 1 freeze started."
}