[Message Type] IN ("Ossec Windows User Account Created", "Windows Network Share Object Added", "Windows User Account Created", "Windows Special Privileges Assigned to Logon", "Windows Special Groups Have Been Assigned To A New Logon", "Windows System Security Access Granted", "Windows User Account Changed", "Ossec Windows User Account Changed", "Windows System Security Access Removed", "Ossec Windows User Account Deleted", "Windows User Account Deleted", "Ossec Windows Group Added", "Ossec Windows Group Created (Security Disabled)", "Windows Basic Application Group Created", "Windows Group Added", "Windows Group Created (Security Disabled)", "Windows LDAP Query Group Created", "Office365 Group Added", "Office365 Group Updated", "Office365 User Added to Group", "Ossec Windows Group Modified", "Windows Basic Application Group Changed", "Windows Group Member Added (Security Disabled)", "Windows Group Member Added (Security Enabled)", "Windows Group Member Removed (Security Disabled)", "Windows Group Member Removed (Security Enabled)", "Windows Group Modified", "Windows Group Modified (Security Disabled)", "Windows LDAP Query Group Changed", "Windows Group Removed", "Windows Group Removed (Security Disabled)", "Office365 Group Removed")

[Message Type] IN ("Unix SU Successful Switch User", "Unix SUDO Successful Command", "Unix SUDO Authentication Failed", "Unix Mailbox User Created", "Unix User Account Created", "Unix Group Member Removed", "Ossec Unix User Account Deleted", "Unix FTP File Deleted", "Unix Mailbox User Deleted", "Unix User Account Deleted", "Ossec Unix User Account Created", "Ossec Unix User Group Added", "Unix Group Member Added", "Unix User Group Added", "Unix Group Modified", "Unix Group Removed")

[Message Type] IN ("AWS IAM Create User", "AWS IAM Delete User", "AWS EC2 Create Placement Group", "AWS EC2 Create Security Group", "AWS IAM Create Group", "AWS RDS Create Option Group", "AWS IAM Add User To Group", "AWS IAM Attach Group Policy", "AWS IAM Delete Group Policy", "AWS IAM Detach Group Policy", "AWS IAM Put Group Policy", "AWS IAM Remove User From Group", "AWS IAM Update Group", "AWS EC2 Delete Placement Group", "AWS EC2 Delete Security Group", "AWS IAM Delete Group")

[Message Type] IN ("Ossec Windows Login Failed", "Windows Login Failed"," IIS 5 FTP Login Failed", " IIS 7 FTP Login Failed", "IIS FTP Login Failed", " Windows SSH Login Failed", " WS_FTP Login Failed","Office365 Sign In Failure", "Windows Web Authentication Failed", "Windows VPN Login Failed", "Windows Web Authentication Failed", "Windows VPN Login Failed", "Windows Terminal Service Login Failed", "Windows SharePoint Login Failed", "Windows SSH Login Failed", "Windows Operation Manager Authentication Failed", "Windows OCS Login Failed", "Windows Login Failed", "Windows DCOM User Login Failed") 

[Message Type] IN ( "Active Directory Abnormal File Operation", "Active Directory Attribute Column Added", "Active Directory Attribute Column Create", "Active Directory Attribute Column Deleted", "Active Directory Audit Policy SACL Changed", "Active Directory Client Issued Search", "Active Directory DNS Key Master Role Changed", "Active Directory DNS Record Not Deleted", "Active Directory DNS Unavailable", "Active Directory DNS Update Request", "Active Directory DNS Update Successful", "Active Directory DNS Zone Created", "Active Directory DNS Zone Delegation Added", "Active Directory DNS Zone Loaded", "Active Directory DNS Zone Reloaded", "Active Directory DNS Zone Transfer In Progress", "Active Directory DNS Zone Transferred", "Active Directory DNS Zone Updated", "Active Directory DRA Attribute Added (Sync Will be Performed)", "Active Directory DRA Dispatcher Timeout", "Active Directory DRA Invalid Certificate", "Active Directory DRA Invalid Certificate (Not Trusted)", "Active Directory DRA Invalid Certificate (Unknown Domain Controller)", "Active Directory DRA Object Config Changed (Some Attributes Reversed)", "Active Directory DRA Operation Performed", "Active Directory DSA Cannot Find MasterDSA Attribute", "Active Directory DSA Not Advertised by Domain Controller", "Active Directory Database Backup Completed", "Active Directory Database Backup Started", "Active Directory Database Backup Warning", "Active Directory Database Index Cleanup Completed", "Active Directory Database Recovery Completed", "Active Directory Database Recovery Initiated", "Active Directory Database Space Alert", "Active Directory Database Updated Successfully", "Active Directory Disk Drive Name Change", "Active Directory Domain Controller Information", "Active Directory Domain Removed from Enterprise", "Active Directory Domain Service Shutdown", "Active Directory Domain Trust Created", "Active Directory Domain Trust Deleted", "Active Directory Domain Trust Modified", "Active Directory Duplicate SPN Detected", "Active Directory Exited with Active Threads", "Active Directory FSMO Moved", "Active Directory Federation Services Account Locked Out", "Active Directory Federation Services Extranet Lockout", "Active Directory Folder Replication Stopped", "Active Directory Function Level Raised", "Active Directory Global Catalog Connected", "Active Directory Global Catalog Demotion", "Active Directory Global Catalog Information", "Active Directory Global Catalog Promotion", "Active Directory Integration Disabled", "Active Directory Internal Event", "Active Directory Invalid Mandatory Attribute", "Active Directory Invalid Optional Attribute", "Active Directory Invalid Request For DNS Zone Transfer", "Active Directory Invalid Site", "Active Directory LDAP Connection Closed", "Active Directory LDAP Disconnect from Client (Server Shutting Down)", "Active Directory LDAP Session Opened", "Active Directory Object Created", "Active Directory Object Security Attributes Modified", "Active Directory PDC Notification", "Active Directory Partition No Longer Replicated", "Active Directory Partition Removed", "Active Directory Privileged Operation Performed", "Active Directory Recycle Bin Disabled", "Active Directory Recycle Bin Enabled", "Active Directory Replication Connection Created", "Active Directory Replication Connection Deleted", "Active Directory Replication Established", "Active Directory Replication Inbound Disabled", "Active Directory Replication Inbound Re-Enabled", "Active Directory Replication Link Added", "Active Directory Replication Modified", "Active Directory Replication Outbound Disabled", "Active Directory Replication Outbound Re-Enabled", "Active Directory Replication Service Added", "Active Directory Replication Service Enabled", "Active Directory Replication Started", "Active Directory Replication Stopped", "Active Directory Replication Synchronization Ended", "Active Directory Replication Synchronization Started", "Active Directory SIDs Filtered", "Active Directory Schema Index Created", "Active Directory Schema Index Required", "Active Directory Schema Object Access", "Active Directory Schema Object Modified", "Active Directory Server No Longer Domain Controller", "Active Directory Server Not Available", "Active Directory Service Object Created", "Active Directory Service Object Deleted", "Active Directory Service Object Modified", "Active Directory Service Object Moved", "Active Directory Started", "Active Directory Unsigned Client LDAP Connection", "Adaxes Active Directory Management Syslog", "IIS FTP Resource Deleted", "IIS File Not Modified", "IIS Object Moved", "IIS Object Moved Permanently", "IIS W3C Extended Log Client Request Succeeded", "IIS W3C Extended Log File Not Modified", "Ossec Windows Cannot Access File For GPO", "Ossec Windows File Corrupted", "Ossec Windows Successful Object Access", "Windows Attempt to install service", "Windows Cannot Access File For GPO", "Windows File Corrupted", "Windows File Modified", "Windows File Virtualized", "Windows GPG Processor File Decrypted", "Windows Hard Link Creation", "Windows Indirect Object Access Obtained", "Windows Indirect Object Access Requested", "Windows Network Share Object Added", "Windows Network Share Object Deleted", "Windows Network Share Object Modified", "Windows Object Deleted", "Windows Object Handle Closed", "Windows Object Permissions Changed", "Windows Operation Performed On Object", "Windows Privileged Object Operation", "Windows Shared Folder Access", "Windows Successful Object Access", "Windows Transaction State Changed", "Windows Virtual File Created", "Windows Virtual File Delete Requested", "Ossec Windows Object Access Failed", "Windows GPG Processor Failed To Decrypt File", "Windows Object Access Failed" )

[Message Type] IN ("AWS EC2 Authorize Security Group Egress", "AWS EC2 Authorize Security Group Ingress", "AWS EC2 Revoke Security Group Egress", "AWS EC2 Revoke Security Group Ingress", "AWS RDS Authorize DB Security Group Ingress", "AWS RDS Reboot DB Instance", "AWS RDS Revoke DB Security Group Ingress", "AWS EC2 Create Security Group", "AWS RDS Create Option Group")

[Message Type] IN ("Checkpoint Anti-Spam Rule Added", "Checkpoint Anti-Spam Rule Deleted", "Checkpoint Anti-Spam Rule Modified", "Checkpoint NAT Rule Added", "Checkpoint NAT Rule Deleted", "Checkpoint Policy Installed", "Checkpoint Policy Modified", "Checkpoint Security Policy Added", "Checkpoint Security Policy Deleted", "Checkpoint Security Policy Modified", "Cisco Group Policy Deleted", "Cisco IKE Default Policy Accepted", "Cisco SA Deleted From Proxy", "Fortinet Policy Added", "Fortinet Policy Changed", "Fortinet Policy Deleted", "Netscreen AV Pattern File Updated", "Netscreen AV Profile Modified", "Netscreen Default Policy Changed", "Netscreen Management Restriction Modified", "Netscreen Policy Added", "Netscreen Policy Application Modified", "Netscreen Policy Attack Modified", "Netscreen Policy Attack Severity Modified", "Netscreen Policy Changed by Admin", "Netscreen Policy Deleted", "Netscreen Policy Modified", "Netscreen Security Alarm Setting Changed", "Netscreen Service Added To Policy", "Netscreen Web-Filter Policy Modified", "Samhain Client Policy Added", "Samhain Server Policy Added", "Samhain Server Policy Missing", "SonicOS Firewall Rule Modified", "Watchguard Policy Added", "Watchguard Policy Deleted", "Watchguard Policy Modified", "Watchguard Rule Added for Policy", "Web Security Manager GUI Access Policy Configured", "Windows IPsec Policy Loaded", "Windows IPsec Rule Applied", "AS400 Authorities for Object Changed", "Arista Enter Configuration Mode", "Arista Startup Config Saved", "BT9 Computer Management - Agent uninstalled", "BT9 Discovery - Banned file written to computer", "BT9 Discovery - Device attached", "BT9 Discovery - File group Created", "BT9 Discovery - Malicious file detected", "BT9 Discovery - New File On Network", "BT9 Discovery - New Unapproved File to Computer", "BT9 General Management - Alert triggered", "BT9 Policy Enforcement - File Approved", "Barracuda Authentication Activity", "Barracuda Contact Email Address Changed", "Barracuda Content Filter Configured", "Barracuda Firewall Activity", "Barracuda LDAP Configured", "Barracuda Mail Configuration", "Barracuda Mail Scan Setting Configured", "Barracuda Network Activity", "Barracuda Primary DNS Configured", "Barracuda RBL Configured", "Barracuda Relay Host Configured", "Barracuda SSL Certificate Configured", "Barracuda Scan Level Configured", "Barracuda Services Activity", "Barracuda VPN Activity", "Barracuda Virus Scan Configured", "CIFS VFS Message", "Carbon Black Protection Agent Deleted Events", "Carbon Black Protection Agent Health Check", "Carbon Black Protection Agent Restart", "Carbon Black Protection Agent Shutdown", "Carbon Black Protection Cache Check Complete", "Carbon Black Protection Certificate Checked", "Carbon Black Protection Computer Discovered New File", "Carbon Black Protection Console User Login", "Carbon Black Protection Database Error", "Carbon Black Protection Device Attached", "Carbon Black Protection File Approved Due to Custom Rule", "Carbon Black Protection File Discovered (Browser Download)", "Carbon Black Protection File Group Created", "Carbon Black Protection First Execution On Network", "Carbon Black Protection Installation Group Created for File", "Carbon Black Protection New Device Found", "Carbon Black Protection New File Discovered On Startup", "Carbon Black Protection Potential Risk Discovered", "Carbon Black Protection Server Discovered New File", "Carbon Black Protection Service Deleted", "Carbon Black Protection Session Changed", "Checkpoint Module Enabled", "Checkpoint Rule Priority Changed", "Checkpoint Security Level Changed", "Checkpoint User Added To Block List", "Checkpoint User Added To Safe List", "Checkpoint User Deleted From Block List", "Checkpoint User Deleted From Safe List", "Cisco ACE Configuration Replication Status", "Cisco ASA Configuration Operation Ended", "Cisco ASA Configuration Operation Started", "Cisco ASA Virtual Sensor Added", "Cisco ASA Virtual Sensor Deleted", "Cisco FWSM Configuration Operation Started", "Cisco IOS AppleTalk Zone Created", "Cisco IOS CDP Deleted Table Entry", "Cisco IOS DHCP Disabled", "Cisco IOS Device Configured", "Cisco IOS Enter Configuration Mode", "Cisco IOS Port Added To VLAN", "Cisco IOS Port Security Configured", "Cisco IOS Port Security Deactivated", "Cisco IOS Startup Config Saved", "Cisco IOS VLAN Added", "Cisco IOS VLAN Configuration Modified", "Cisco IOS VLAN Deleted", "Cisco IOS VLAN Mode Changed", "Cisco Meraki MX60 Firewall", "Cisco Nexus Port Added", "Cisco Nexus Port Deleted", "Cisco Nexus User Delete Failed", "Cisco PIX Configuration Operation Ended", "Cisco PIX Configuration Operation Started", "Cisco User Privilege Level Changed", "Cisco Users Group Policy Set", "Fortigate Critical System Event", "Fortigate DLP Archive Full", "Fortigate Disc Logfile Deleted", "Fortigate Disk Log Directory Deleted", "Fortigate IPsec Connection Status Changed", "Fortigate IPsec Phase2 Status Changed", "Fortigate IPsec SA Installed", "Fortigate Interface Status Changed", "Fortigate Progress IPsec Phase 1", "Fortigate SSL VPN exit error", "Fortigate Super Admin Left VDOM", "Fortigate System Log", "Fortigate Traffic Forwarded", "Fortinet Configuration Modified", "Fortinet Firmware Upgraded", "Fortinet Recurring Schedule Added", "Fortinet Recurring Schedule Removed", "Fortinet Virtual Domain Disabled", "Fortinet Virtual Domain Enabled", "HP ProCurve Date And Time Changed", "HP ProCurve IGMP Feature Disabled", "HP ProCurve IGMP Feature Enabled", "HP ProCurve LLDP Disabled", "HP ProCurve SSL Disabled", "HP ProCurve SSL Enabled", "HP ProCurve STP Disabled", "HP ProCurve STP Enabled", "HP ProCurve TFTP Enabled", "HP ProCurve VLAN Disabled", "HP ProCurve VLAN Enabled", "Huawei Command Recorded", "Huawei Peer Selected", "Infoblox BloxTools Modified", "Microsec e-Szigno Root Certificate Expiring", "Netscreen AV HTTP Trickling Setting Modified", "Netscreen Configuration Erased", "Netscreen Domain Name Changed", "Netscreen Group Added", "Netscreen Hostname Changed", "Netscreen IP Address Pool Modified", "Netscreen MTU Changed", "Netscreen NSM Disabled", "Netscreen NTP Server Disabled", "Netscreen Ping Disabled", "Netscreen Reporting Settings Modified", "Netscreen SIP Disabled", "Netscreen SIP Enabled", "Netscreen SSH Disabled", "Netscreen SSH Enabled", "Netscreen Security Option Disabled", "Netscreen Security Option Enabled", "Netscreen Service Added", "Netscreen Service Deleted", "Netscreen Syslog Setting Changed", "Netscreen System Configuration Saved", "Netscreen Web-Filter Category Created", "Netscreen Web-Filter Category Deleted", "Nortel Gateway Modified", "Panorama Firewall Configuration Failed", "Panorama Firewall Configuration Succeeded", "Samhain Unable To Resolve Client", "SonicOS Host Added", "SonicOS Host Removed", "SonicOS WAN IP Changed", "Sophos UTM Scan Settings Modified", "Sophos UTM Timezone Settings Modified", "Watchguard Configuration File Updated", "Watchguard Firmware Upgrade Completed", "Watchguard Group Added", "Watchguard IP Request", "Watchguard Module Updated")

[Message Type] IN ("Apache File Permission Access Denied", "AppDirector File Deleted", "Audience Failed Download", "Audience Failed Listen", "Audience Successful Download", "Audience Successful Listen", "CimTrak Encrypted Session", "CimTrak Lock Status", "CimTrak Management Console", "CimTrak Message", "CimTrak Remote Connection", "Clic File Created", "Clic File Deleted", "Clic File Location Changed", "Clic File Modified", "Cloudmark Failed To Open File", "Cloudmark Failed To Write File", "CommVault ArchFile Created", "FIS Unauthorized User Access For Task", "HP 3PAR Disk Added", "HP 3PAR Disk Removed", "HP 3PAR Virtual Volume Added", "HP 3PAR Virtual Volume Removed", "HP ProCurve Configuration File Deleted", "LoanHD Failed To Unzip File", "LoanHD File Copied", "LoanHD File Created", "LoanHD File Found", "LoanHD File Moved", "LoanHD File Unzipped", "MOVEit DMZ Failed To Delete File", "MOVEit DMZ File Attached", "MOVEit DMZ File Deleted", "MOVEit DMZ File Renamed", "MOVEit DMZ File Uploaded", "McAfee EPO Files Copied By Push Agent", "Monit Failed To Open File", "Ossec Rootcheck System Message", "Ossec Syscheck Added File", "Ossec Syscheck Agent Started", "Ossec Syscheck Checksum Changed", "Ossec Syscheck Deleted File", "Ossec Syscheck File Created", "Ossec Syscheck File Deleted", "Ossec Syscheck Re-Added File", "SAP BusinessObjects Failed To Open File", "Samhain Client File Modified", "Samhain Configuration File Not Found", "Samhain File Access Denied", "Samhain File Monitoring Completed", "Samhain File Monitoring Failed", "Samhain Server File Modified", "Secret Server Object Created", "StealthINTERCEPT Object Modified", "Symantec Anti-Virus New Virus Definition File Loaded", "Symantec Anti-Virus Previous Virus Definition File Loaded", "Syslog Failed To Write File", "Unix FTP Directory Removed", "Unix FTP Failed To Delete File", "Unix FTP File Deleted", "Unix FTP File Renamed", "Unix FTP Successful Created Directory", "Unix File Monitoring Failed", "Unix SVN Repository Access Failed", "Unix Samba Access Denied", "VMware ESX File Create", "VMware ESX File Delete", "VMware ESX File Renamed")