5061 Cryptographic operation
Written when a cryptographic operation (encryption, decryption, signing, etc. using a key) is performed. It captures key usage and, together with key-related events, lets you track use of credentials and key material.
Overview
This event belongs to the Audit System Integrity subcategory. It is generated when a cryptographic operation (open, encrypt, decrypt, sign, verify, etc.) is performed with a CNG-managed key. There are success (S) and failure (F) variants, and the event records the target key, the operation type, and the process.
How it is triggered
- When an application or service performs a cryptographic operation using a key.
- It occurs across a wide range of activity, such as certificate use, data protection, and TLS.
Security review points
- If a specific key (a certificate's private key, a code-signing key, etc.) is used by an unexpected process or account, suspect key misuse. Use it together with event 5058 (key file operation) to track where keys are located and how they are used.
- Because the event is generated in volume, narrow monitoring to the keys and processes of interest.
Notes for log review
- It is generated in volume during legitimate cryptographic processing. Always-on monitoring of the full volume is impractical; narrow to use of high-value keys or non-standard processes.
- Together with failures 5057/5060, watch for anomalies in cryptographic use.
Key fields
| Field | Meaning |
|---|---|
| Key Name | The key used |
| Operation | The type of cryptographic operation |
| Process Name / Subject | The origin |
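
The narrowing described under "Security review points" and "Notes for log review", as an added example (not part of the original page or any vendor tooling). It assumes 5061 events have already been exported and flattened into dicts; the dict keys (`key_name`, `operation`, `process_name`, `subject`, `outcome`), the watched key names, paths and accounts are all constructed for illustration.

```python
# Assumption: events are flattened dicts whose keys mirror the "Key fields"
# table; these are not the raw event XML field names.
# Constructed allowlist: watched key -> expected (process, account) pairs.
WATCHED_KEYS = {
    "codesign-release": {(r"c:\build\signtool.exe", r"corp\svc-build")},
    "tls-web-frontend": {(r"c:\windows\system32\lsass.exe", r"nt authority\system")},
}

def triage_5061(events, watched=WATCHED_KEYS):
    """Return (alerts, skipped): alerts on watched keys, count of other 5061s."""
    alerts, skipped = [], 0
    for ev in events:
        if ev.get("event_id") != 5061:
            continue
        key = ev.get("key_name", "").lower()
        if key not in watched:
            skipped += 1  # routine high-volume key use, out of scope
            continue
        # Windows paths and account names are case-insensitive: compare lowered.
        process = ev.get("process_name", "").lower()
        account = ev.get("subject", "").lower()
        allowed = watched[key]
        reasons = []
        if process not in {p for p, _ in allowed}:
            reasons.append("unexpected process")
        if account not in {a for _, a in allowed}:
            reasons.append("unexpected account")
        if not reasons and (process, account) not in allowed:
            reasons.append("unexpected process/account pairing")
        if ev.get("outcome") == "failure":  # the failure (F) variant
            reasons.append("failure audit on watched key")
        if reasons:
            alerts.append({"key": key, "operation": ev.get("operation"),
                           "process": process, "account": account, "reasons": reasons})
    return alerts, skipped

# Constructed sample records (not real log data).
SAMPLE = [
    {"event_id": 5061, "key_name": "codesign-release", "operation": "sign", "outcome": "success",
     "process_name": r"C:\build\signtool.exe", "subject": r"CORP\svc-build"},
    {"event_id": 5061, "key_name": "codesign-release", "operation": "sign", "outcome": "success",
     "process_name": r"C:\Users\jdoe\AppData\Local\Temp\tool.exe", "subject": r"CORP\jdoe"},
    {"event_id": 5061, "key_name": "machine-session-key", "operation": "open", "outcome": "success",
     "process_name": r"C:\Windows\System32\svchost.exe", "subject": r"NT AUTHORITY\SYSTEM"},
    {"event_id": 5061, "key_name": "tls-web-frontend", "operation": "decrypt", "outcome": "failure",
     "process_name": r"C:\Windows\System32\lsass.exe", "subject": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    print(*triage_5061(SAMPLE)[0], sep="\n")
```

The `skipped` count shows how much routine volume the allowlist filtered out, which helps when deciding whether the watched-key list is narrow enough.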