4618 A monitored security event pattern has occurred
A special event generated only when invoked explicitly from outside. The OS does not record it automatically; it is a mechanism for operators to deliberately raise an administrator alert saying “this pattern happened.”
Overview
The subcategory is Audit System Integrity. It can be generated only manually, with this command:
%windir%\system32\rundll32 %windir%\system32\authz.dll,AuthziGenerateAdminAlertAudit OrgEventId ComputerName UserSid UserName UserDomain UserLogonId EventCount Duration
Generating it requires SeAuditPrivilege (the right to generate security audits). OrgEventID, ComputerName, and EventCount are required; the rest are optional. Unspecified fields appear as -.
How it is triggered
- When a monitoring product or script explicitly issues the command above to record the occurrence of a self-defined “pattern of interest.”
- It never fires automatically. The meaning of its contents is left to whoever issues it.
Security review points
- This event means “someone issued it deliberately.” Separate whether a legitimate monitoring platform produced it or whether the issuance was unexpected.
- Because issuing it requires the audit-generation privilege, also review how that privilege is managed.
Notes for log review
- Interpretation depends on the operational design. If your organization uses this mechanism, read it against your own definition (which patterns trigger issuance).
- If 4618 appears when you do not use it, investigate starting from who issued it and to what end.
Key fields
| Field | Meaning |
|---|---|
| OrgEventID | An identifier assigned by the issuer |
| ComputerName / EventCount / Duration | Target host, count, and duration (specified by the issuer) |
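
One way to apply the review points above to exported 4618 records, as an added example rather than code from the original page. The pattern registry, the `LoggedOn` key (the host whose Security log held the event), and all sample values are assumptions constructed for illustration.

```python
# Added example: triage 4618 records against the organization's own definitions.
REQUIRED = ("OrgEventID", "ComputerName", "EventCount")

# Hypothetical registry: the OrgEventID values this organization has defined and
# the hosts (its monitoring platform) expected to record them.
DEFINED_PATTERNS = {
    "9001": {"meaning": "repeated failed logons", "issuers": {"MON01"}},
    "9002": {"meaning": "audit policy changed", "issuers": {"MON01", "MON02"}},
}

def normalize(record):
    """Map the '-' placeholder used for unspecified fields to None."""
    return {k: (None if v in ("-", "", None) else v) for k, v in record.items()}

def triage(record, patterns=DEFINED_PATTERNS):
    """Return (verdict, reason) for one 4618 record."""
    rec = normalize(record)
    missing = [f for f in REQUIRED if rec.get(f) is None]
    if missing:
        return "investigate", "malformed record, missing: " + ", ".join(missing)
    if not patterns:
        # The organization does not use 4618 at all, so any occurrence is unexpected.
        return "investigate", "4618 is not used here; find who issued it and why"
    pattern = patterns.get(rec["OrgEventID"])
    if pattern is None:
        return "investigate", "OrgEventID %s is not a defined pattern" % rec["OrgEventID"]
    if rec.get("LoggedOn") not in pattern["issuers"]:
        return "investigate", "recorded on %s, not an expected issuer" % rec.get("LoggedOn")
    return "expected", pattern["meaning"]

# Constructed sample records (not real log data).
SAMPLE = [
    {"LoggedOn": "MON01", "OrgEventID": "9001", "ComputerName": "SRV07",
     "EventCount": "25", "Duration": "60", "UserName": "-"},
    {"LoggedOn": "WS113", "OrgEventID": "9001", "ComputerName": "SRV07",
     "EventCount": "1", "Duration": "-"},
    {"LoggedOn": "MON02", "OrgEventID": "7777", "ComputerName": "DC02",
     "EventCount": "3", "Duration": "-"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["LoggedOn"], rec["OrgEventID"], *triage(rec))
```

Passing an empty registry, `triage(rec, {})`, models an organization that does not use the mechanism: every 4618 is then flagged for investigation.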