Hi,
There is no public bug tracker, but our Support team usually takes these on board and raises an engineering ticket for anything like this, which ultimately flows into the next version of the Alert rules package. We’ve done quite a few updates to that recently, but there is always room for improvement. The alternative is the ideas portal (top right corner), but that’s more for new product ideas than for just “fixing” things to work properly.
As for the labels that are applied, at least in the case of Windows they are based on specific event IDs. Because the normalisers that apply them are compiled, there is no way of seeing the label mappings in the product.
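I’ve dug the ones that are applied to the Security Event Log out of the code, and pasted them below, one per line, as the event ID followed by its comma-separated labels. The list is sorted as text rather than numerically, so the three-digit IDs (469, 515, 530, 544, 592) sit among the four-digit ones. If there are any mistakes there, feel free to let us know.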
1108,"Application,Notice,Filter,Policy,Change"
1502,"Policy,Notice"
1704,"Group,Policy"
4608,"System,Up"
4610,"Package,Application,Up"
4611,"Application,Process,Up"
4614,"Package,Application,Up"
4615,"Invalid,System,Warning"
4616,"System,Time,Change"
4624,"User,Login,Successful"
4625,"Fail,Login,User"
4634,"User,Logoff"
4647,"User,Logoff"
4648,"Login,Attempt,Explicit,Credential"
4649,"Attack,Detect"
4653,"Negotiation,Fail"
4656,"Object,Access"
4657,"System,Configuration,Change"
4658,"Object,Close"
4659,"Object,Access,Attempt"
4660,"Object,Delete"
4661,"Object,Access"
4662,"Object,Access"
4663,"Object,Access,Attempt"
4664,"Link,System,Notice"
4670,"Object,Permission,Change"
4672,"Privilege,Assign"
4673,"Privilege,Service,Call"
4674,"Operation,Object,Access"
4675,"Application,Warning"
4688,"Application,Up,Process,Create"
4689,"Process,Exit,Application,Down"
469,"Protection,Application,Up"
4690,"Duplicate,Object,Handle"
4692,"Backup,Application,Up"
4695,"Unprotection,Suspicious,Application"
4697,"Application,Service"
4698,"Application,Service,Schedule,Task,Create"
4699,"Application,Service,Schedule,Task,Delete"
4700,"Application,Up,Schedule,Task,Enable"
4701,"Application,Down,Schedule,Task,Disable"
4702,"Application,Service,Schedule,Task,Update"
4703,"Token,Right"
4704,"Authorization,Policy,Change,Assign,User,Right"
4705,"Authorization,Policy,Change,Remove,User,Right"
4706,"Authorization,Policy,Change,New,Trust,Application,Service,Create"
4707,"Authorization,Policy,Change,Trust,Application,Service,Remove"
4713,"Kerberos,Authentication,Policy,Change"
4714,"Authorization,Encrypt,Data,Recovery,Policy,Change"
4715,"Object,Audit,Policy,Change"
4716,"Authentication,Policy,Trust,Domain,Information,Change"
4717,"Authentication,Policy,Change,Allow,System,Security,Access"
4718,"Authentication,Policy,Change,Remove,System,Security,Access"
4719,"System,Audit,Policy,Change"
4720,"User,Account,Create,Management"
4722,"User,Account,Enable,Management"
4723,"User,Account,Management,Password,Change"
4724,"User,Password,Reset,Account,Management"
4725,"User,Account,Disable,Management"
4726,"User,Account,Management,Delete"
4727,"Global,Security,Group,Management,Create"
4728,"Global,Security,Group,Management,Member,Add,User"
4729,"Global,Security,Group,Management,Member,Remove,User"
4730,"Global,Security,Group,Management,Remove"
4731,"Local,Security,Group,Management,Create"
4732,"Local,Security,Group,Management,Member,Add,User"
4733,"Local,Security,Group,Management,Member,Remove,User"
4734,"Local,Security,Group,Management,Remove"
4735,"Local,Security,Group,Management,Change"
4737,"Global,Security,Group,Management,Change"
4738,"User,Account,Change,Management"
4739,"Other,Account,Management,Domain,Policy,Change"
4740,"User,Account,Lock,Management"
4741,"Computer,Account,Create,Management"
4742,"Computer,Account,Change,Management"
4743,"Computer,Account,Remove,Management"
4744,"Local,Distribution,Group,Management,Create"
4745,"Local,Distribution,Group,Management,Change"
4746,"Local,Distribution,Group,Management,Member,Add,User"
4747,"Local,Distribution,Group,Management,Member,Remove,User"
4748,"Local,Distribution,Group,Management,Remove"
4749,"Global,Distribution,Group,Management,Create"
4750,"Global,Distribution,Group,Management,Change"
4751,"Global,Distribution,Group,Management,Member,Add,User"
4752,"Global,Distribution,Group,Management,Member,Remove,User"
4753,"Global,Distribution,Group,Management,Remove"
4754,"Universal,Security,Group,Management,Create"
4755,"Universal,Security,Group,Management,Change"
4756,"Universal,Security,Group,Management,Member,Add,User"
4757,"Universal,Security,Group,Management,Member,Remove,User"
4758,"Universal,Security,Group,Management,Remove"
4759,"Universal,Distribution,Group,Management,Create"
4760,"Universal,Distribution,Group,Management,Change"
4761,"Universal,Distribution,Group,Management,Member,Add,User"
4762,"Universal,Distribution,Group,Management,Member,Remove,User"
4763,"Universal,Distribution,Group,Management,Remove"
4764,"Security,Group,Management,Type,Change"
4767,"User,Account,Unlock,Management"
4768,"Kerberos,Authentication,Request"
4769,Kerberos
4770,"Kerberos,Service,Renew"
4771,"Kerberos,Authentication,Fail,User"
4774,"Account,Map"
4776,"Credentials,System,Notice"
4778,"Session,Reconnect"
4779,"Session,Disconnect"
4780,"User,Account,Management"
4781,"User,Account,Management,Name,Change"
4783,"Application,Group,Management,Create"
4784,"Application,Group,Management,Change"
4785,"Application,Member,Add,Group,Management"
4786,"Application,Group,Management,Member,Remove"
4787,"Application,Non-member,Add,Group,Management"
4788,"Application,Group,Management,Non-member,Remove"
4789,"Application,Group,Remove,Management"
4790,"Application,Group,Management,LDAP,Query,Create"
4791,"Application,Group,Management,Change"
4792,"Application,Group,Management,LDAP,Query,Remove"
4793,"Other,Account,Management,Password,Policy,API,Call"
4794,"Attempt,Restore,Password,User,Account,Management"
4798,"Local,Group"
4800,"Application,Notice"
4816,"Violation,Detect,Application,Error"
4817,"Policy,Notice,Audit,Change"
4864,"Application,Notice,Authentication,Policy,Change"
4865,"Authentication,Policy,Change,Add,Forest,Information"
4866,"Authentication,Policy,Change,Remove,Forest,Information"
4867,"Authentication,Policy,Change,Forest,Information"
4868,"Deny,Request,Certificate,Application,Service"
4869,"Certificate,Application,Service,Resubmit,Request"
4870,"Certificate,Application,Service,Revoke"
4871,"Certificate,Application,Service,Receive,Request"
4872,"Certificate,Application,Service,Publish,List"
4873,"Certificate,Application,Service,Request,Change"
4875,"Certificate,Application,Service,Request,Shutdown"
4876,"Certificate,Application,Service,Backup,Start"
4877,"Certificate,Application,Service,Backup,Complete"
4878,"Certificate,Application,Service,Restore,Start"
4879,"Certificate,Application,Service,Restart,Complete"
4880,"Certificate,Application,Service,Start"
4881,"Certificate,Application,Service,Stop"
4882,"Application,Configuration,Change"
4883,"Certificate,Application,Service,Key,Retrieve"
4884,"Certificate,Application,Service,Import"
4885,"Application,Configuration,Change"
4886,"Certificate,Application,Service,Receive,Request"
4887,"Certificate,Application,Service,Approve,Request"
4888,"Certificate,Application,Service,Deny,Request"
4890,"Setting,Change,Certificate,Application,Service"
4891,"Application,Configuration,Change"
4892,"Application,Configuration,Change"
4893,"Certificate,Application,Service,Archive,Key"
4894,"Certificate,Application,Service,Archive,Import,Key"
4895,"Certificate,Application,Service,Publish"
4896,"Application,Configuration,Change"
4897,"Application,Configuration,Change"
4898,"Certificate,Application,Service,Load,Template"
4899,"Certificate,Application,Service,Template,Update"
4902,"Audit,Policy,Table,Create,Change"
4904,"Attempt,System,Notice"
4905,"Attempt,System,Notice"
4906,"Audit,Policy,Value,Change"
4907,"Audit,Policy,Setting,Change"
4908,"Policy,Notice,Audit,Change"
4912,"Audit,Policy,Change"
4928,"Application,Service,Establish"
4929,"Application,Service,Remove"
4930,"Application,Configuration,Change"
4931,"Application,Service"
4932,"Application,Service"
4933,"Application,Service"
4935,"Application,Service,Start"
4936,"Application,Service,End"
4937,"Object,Delete"
4944,"Application,Network,Notice,MPSSVC,Policy,Change"
4945,"Application,Network,Notice,MPSSVC,Policy,Change"
4946,"Application,Configuration,Change,MPSSVC,Policy,Change"
4947,"Application,Configuration,Change,MPSSVC,Policy,Change"
4948,"Application,Configuration,Change,MPSSVC,Policy,Change"
4949,"Application,Configuration,Change,MPSSVC,Policy"
4950,"Application,Configuration,Change,MPSSVC,Policy"
4951,"Network,Application,Warning,MPSSVC,Policy,Change"
4952,"Network,Application,Warning,MPSSVC,Policy,Change"
4953,"Network,Application,Warning,MPSSVC,Policy,Change"
4954,"Firewall,Policy,Notice"
4956,"Application,Notice"
4957,"Network,Application,Error,MPSSVC,Policy,Change"
4958,"Network,Application,Error,MPSSVC,Policy,Change"
4985,"Transaction,Change"
5024,"Network,Application,Up"
5025,"Firewall,Service,Stop"
5027,"Network,Application,Error"
5031,"Firewall,Block,Suspicious,Network"
5032,"Network,Application,Error"
5033,"Firewall,Driver,Start"
5034,"Firewall,Driver,Stop"
5035,"Firewall,Driver,Fail"
5037,"Firewall,Drive,Critical,Error"
5038,"Application,Error,File,Image,Hash,Invalid"
5056,"Application,Up"
5058,"File,Application,Service"
5059,"Migration,Application,Service"
5061,"Application,Up"
5136,"Directory,Service,Object,Change"
5137,"Directory,Service,Object,Create"
5138,"Directory,Service,Object,Undelete"
5139,"Directory,Service,Access,Object,Move"
5140,"Network,Object,Access"
5141,"Directory,Service,Object,Delete"
5142,"Network,Object,Access"
5143,"Network,Object,Access"
5144,"Network,Object,Access"
5145,"Network,Object,Access"
515,"Block,Suspicious,Network"
5152,"Block,Suspicious,Network"
5153,"Block,Suspicious,Network"
5154,"Allow,Connection"
5156,"Allow,Connection"
5157,"Deny,Connection"
5158,"Bind,Allow"
5159,"Block,Suspicious,Network"
530,"Login,Fail"
5376,"Credentials,Backup,User,Account,Management"
5377,"Credentials,Backup,Restore,User,Account,Management"
544,"System,Configuration,Change"
5440,"System,Notice,Filter,Policy,Change"
5441,"System,Notice,Filter,Policy,Change"
5442,"System,Notice,Filter,Policy,Change"
5443,"System,Notice,Filter,Policy,Change"
5444,"System,Notice,Filter,Policy,Change"
5446,"System,Configuration,Change"
5447,"System,Configuration,Change"
5448,"System,Configuration,Change,Filter,Policy,Change"
5449,"System,Configuration,Change,Filter,Policy,Change"
5450,"System,Notice,Filter,Policy,Change"
5478,"Service,Start,Successful,Application,Up"
5479,"Service,Shutdown,Successful,Application,Down"
5480,"Service,Fail,Security,Risk,Application,Error"
5483,"Service,Fail,Initialize,Server"
5484,"Server,Down"
5485,"Service,Fail,Process,Filter"
5712,"Application,Up"
592,"Application,Up"
6005,"Event,Log,Start"
6006,"Clean,Shutdown"
6008,"Bad,Shutdown"
6009,"System,Boot"
6144,"Security,Policy,Apply"
6145,"Policy,Warning,Other,Change"
6272,"Network,Connection,Allow"
6273,"Access,Deny,Suspicious,Network"
6274,"Discard,User,Request"
6276,"Quarantine,User"
6277,"Allow,User,Access"
6278,"Connection,Allow"
6279,"Lock,User,Account"
6280,"Unlock,User,Account"
6410,"Package,Application,Up"
6416,"External,Device,USB"
6422,"Package,Application,Up"