diff --git a/Create-CustomViews.ps1 b/Create-CustomViews.ps1 index 4ccbdfe..20c6812 100644 --- a/Create-CustomViews.ps1 +++ b/Create-CustomViews.ps1 @@ -281,12 +281,12 @@ Write-Host "`nLaunch Event Viwer (eventvwr.exe) and expand Custom Views to use t # AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG # A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl # ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG -# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTBa +# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MjcxMzI2NTJa # MCMGCSqGSIb3DQEJBDEWBBQjjsKnRRahp8E/oxtMOCizmT6raDANBgkqhkiG9w0B -# AQEFAASCAQAevhz5h1IaLpwLxoy4lKJ9KbOCHYS5afAlHms7cOSyTBF6wPtErp1+ -# dlKQePXSPQjEnVuunbACbjZ1M1sCRdECPXTxZJN/c6OVE6PzgMLqXukzttdAeF0I -# JMAv5LTt9mPBb0/Ix4t4YxpZahuIXAj1fp7Kbv+v6//+NidRNs0VPbhgIuBv9CVB -# 94ugKQWHu3fVPmRMTY7k5Grx/XsXBjQxQbVD7tAAizOAaCFioavYMfR9EsDu+lWA -# NbBe7BwayCqvyM/TMlKtvh+DIhDortznbJiUT04FKcWSDhn22xUflmt0UTvm5Z0b -# zStCeO2xNPsL24raX38FXEAanBBlVkx0 +# AQEFAASCAQCclzjqREwCjRhgLSXNCnTn3ginsyBRX5199V5lTHM1km5/G7NCSMeK +# TEgc0r+1leh1IRJ1N4XDSQRDK3uustzVzetZk49z2iDDNnA3D2l5wwIowEnTzEmi +# LO4YtQ0WtHNF7WLx73isutQyf2Id7bUy41pKmgWMnnUF11sf64BG6ZGsKIv2kYXE +# D24Pf8EbVL9prmBRPrSWILRtA8xXoyFtlFPH4zweglJPQ6m5uouXRHTgvnr6d5UY +# mC9USr4L1p+PZEk6S5RAy0QoPctT2KjvZzq3emIsvpY/qJZrT0wkBHJVpijR7Gpn +# aHqUWhSNU2a8MuoKR7ajwlCh8fVfv40c # SIG # End signature block diff --git a/Create-Manifest.ps1 b/Create-Manifest.ps1 index 054f574..b04a947 100644 --- a/Create-Manifest.ps1 +++ b/Create-Manifest.ps1 @@ -1,4 +1,4 @@ -<# +<# .SYNOPSIS Name: Create-Manifest.ps1 Version: 1.1 
@@ -119,10 +119,10 @@ $xmlWriter.WriteStartElement("instrumentation") $xmlWriter.WriteEndElement() # Closing events $xmlWriter.WriteEndElement() # Closing Instrumentation $xmlWriter.WriteEndElement() # Closing instrumentationManifest -  + # End the XML Document $xmlWriter.WriteEndDocument() -  + # Finish The Document $xmlWriter.Finalize $xmlWriter.Flush() @@ -147,8 +147,8 @@ Write-Host "`t `"c:\windows\system32\wevtutil.exe`" im `"$DLLPath\$BaseName.man` # SIG # Begin signature block # MIIgVAYJKoZIhvcNAQcCoIIgRTCCIEECAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCClCmr0opDAE+lP -# 3KmO1Yo/zh3Uyu3u6vT24xFcxuNZ9aCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCAz875ReOXG/tv +# zTHsBCsL3pUtOzV1o4CS9g/FpRzpnaCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG # /o/lYPwb8DA5MA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV # BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBa 
@@ -300,22 +300,22 @@ Write-Host "`t `"c:\windows\system32\wevtutil.exe`" im `"$DLLPath\$BaseName.man` # U2lnbmluZyBDQQIQDhlON30mOhkOirPIWrUoYzANBglghkgBZQMEAgEFAKCBhDAY # BgorBgEEAYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3 # AgEEMBwGCisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEi -# BCAgSxj3/sCjD2c91lGljGzSQSzSR6JpgbNciSzyWDcFwjANBgkqhkiG9w0BAQEF -# AASCAQBOZx7FjhF/9BDJADEUgdaXB3tRpnCT9wLLby/LsBNI3Zcq2//ujc4ltmbt -# i1+fg2IT7nt/IWYS0s/XSMi4DQ0rdT3a/WeMIaQBa7zxytlqUFOmBdMoDc3AB/Nh -# l4sYYFwSHwWRDhNeNXZ+cb5+GjSBPn9Yy1sRxgC/Uap0VW9e1zRWDJtxpxG9ppWN -# pEZa8EMdS5s0TNV8bOI3XGu4uUnX5gUSyia1ISc9vls8Lb0wZFqk2wUz1sU2mTep -# 9n01bXJa0w+N2hunlVWXQUVLWwdU+9BkbS9gprUV4/5zZwqdgzT7aSonEn9U3HDw -# lM5ZkozbE15nP+qTDQ1wTzUvHELvoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4 +# BCCBZH5LnhW1onlsB9QZnEUfx9z3/zhBvlSwPjQtkT5OeDANBgkqhkiG9w0BAQEF +# AASCAQAbStzdKqUtm/4bowcmeKfHPkBjBs/Hv0iT+ah9xnK9jgSfG6gs3sHYY0ec +# 2dAmYXfKHcbwtrmuIL3Chyzzo9kyBuKzsslSbjMFU87icX4t04IbORIsv7EH4mml +# KX6pPMSfz2S5VHf1YoIBH7UXsH3lb1WMA/rqJ8yrcZKg1WST9LYUqv4fsH7BHBYE +# LJcqbbVds0I9OsMSDy7UGXVM/Jzw5rH/1O0x/H3NLbPkBSZZ6f5jsJaeaOTS5M5f +# zQDGKb+zjyNMFYQHaWxuAky1kzqRuWlYe1csKoXbBvxfeXP68DxnoeGnsbJ9epyC +# hyBjzo99p8mXQAUJ2z9venmvHqV7oYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4 # AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG # A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl # ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG -# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTFa -# MCMGCSqGSIb3DQEJBDEWBBQFcCtVgUTgayMN3C3fDrfJxF1SLDANBgkqhkiG9w0B -# AQEFAASCAQChXxUj0qqDiQZlu0wRdPa/3YLpxT5gORcPNBKkUt7oUTIOzZGytfxN -# RJFjm40NAPqgEGcdEkDH6WMzZ7eEpE2T96l9d8d5nn3hbyr+OfWGvSJ81WRQ6P0W -# Gzx9448EEkWa7vTHXSCwVcLFWtYIXGP1o/Ijo94tplLrAR4tYWIrql+ECuy0AEVZ -# uAfZWdKsZTO43yzAvj/7sODAp2ZrTSnuL7tcGZW9i+7vGuAKOVNPQx6kUd+DsI7+ -# Kz7rchZdZjmcgfmhWnH3RMDxTxTDC8E8waHELEfmpJCEEMhcmE5EiJhUaVcnfQj6 -# Lxy7VK+G+/tXwAaOXcWA2YaQ21HShPW8 +# 
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MjcxMzI4NTZa +# MCMGCSqGSIb3DQEJBDEWBBQYe1EBmfCyrVtJc5bOQ7EEe1tR+zANBgkqhkiG9w0B +# AQEFAASCAQA1O0ow+OyJeUFbdHvCQRJ5jKrxYWmglJvKZN2SSa/DHvvcffnmqRO/ +# b7CjwJrZKULDf7r+QTmba2QeRff0VdybnFIZqv+0vUR7TEKhiU1Db7Ekjhwh/mIP +# G00wgFyfr+aim8oSrWVIoQ3j2YQketG/GfF+r7zYL2TN9q81z9Sk3cCeVm+e5iS9 +# FqtirVu2yNK85F/4gCTfbHi1bz7dVrSwoXfiZZ/gTKPajA6biQQXOZGV684YwqiD +# Cz8re1vhtD5dOB4QJsgbnx95iioVbkDn7Yfe80IWghECA487xAtnlVb8RN+uC9m0 +# qessUvZkWtTKQUz1xmX6HP/DfNfWPmvG # SIG # End signature block diff --git a/Create-Subscriptions.ps1 b/Create-Subscriptions.ps1 index a7ff734..40ccd50 100644 --- a/Create-Subscriptions.ps1 +++ b/Create-Subscriptions.ps1 @@ -1,7 +1,7 @@ <# .SYNOPSIS Name: Create-Subscriptions.ps1 - Version: 1.1 + Version: 1.2 Author: Russell Tomkins - Microsoft Premier Field Engineer Blog: https://aka.ms/russellt @@ -19,11 +19,16 @@ .EXAMPLE Create and Import the WEC subscriptions (disabled by default) Create-Subscriptions.ps1 -InputFile DCEvents.csv - + .EXAMPLE Create, Import and force enable the WEC subscriptions Create-Subscriptions.ps1 -InputFile -CreateEnabled + .EXAMPLE + Create and Import the WEC subscriptions (disabled by default). Tell the server to + send existing and new events that that match the subscription + Create-Subscriptions.ps1 -InputFile DCEvents.csv -ReadExistingEvents + .EXAMPLE Only create the WEC subscription files, do not import them. Create-Subscriptions.ps1 -InputFile -NoImport @@ -40,6 +45,10 @@ .PARAMETER NoImport Creates the subscriptions files, but does not import them + .PARAMETER ReadExistingEvents + Creates the subscriptions files and instructs the servers to send existing events that match the criteria + through to the collector. + LEGAL DISCLAIMER This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment. THIS SAMPLE CODE AND ANY 
@@ -69,7 +78,8 @@ [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][String]$InputFile, [Parameter(Mandatory=$false)][string]$OutputFolder=$PWD, [Parameter(Mandatory=$false)][Switch]$CreateEnabled, - [Parameter(Mandatory=$false)][Switch]$NoImport) + [Parameter(Mandatory=$false)][Switch]$NoImport, + [Parameter(Mandatory=$false)][Switch]$ReadExistingEvents) # Configure and Start the Windows Event Collector Services except if we are not importing. If (!($NoImport)){ @@ -145,7 +155,10 @@ ForEach($Channel in $CustomChannels){ $xmlWriter.WriteCData('' + $Channel.Query + '') $xmlWriter.WriteEndElement() # Closing Query - $xmlWriter.WriteElementString("ReadExistingEvents","True") + If (ReadExistingEvents){ + $xmlWriter.WriteElementString("ReadExistingEvents","True")} + Else{ + $xmlWriter.WriteElementString("ReadExistingEvents","False")} $xmlWriter.WriteElementString("TransportName","HTTP") $xmlWriter.WriteElementString("ContentFormat","events") $xmlWriter.WriteStartElement("locale") @@ -194,8 +207,8 @@ Else{ # SIG # Begin signature block # MIIgVAYJKoZIhvcNAQcCoIIgRTCCIEECAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDmRTCSV+qfcL+6 -# pOqLspQirwP7zaAf9qnDaQCuzmm48qCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDtJ3gGV/S5Sv6I +# 35iCLqR59MWvViYEW9NIcfmEPSC/L6CCG14wggO3MIICn6ADAgECAhAM5+DlF9hG # /o/lYPwb8DA5MA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV # BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBa 
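Review bot: The new guard `If (ReadExistingEvents){` in the `@@ -145,7 +155,10 @@` hunk is missing the `$` sigil, so PowerShell parses `ReadExistingEvents` as a command to invoke rather than the switch parameter added earlier in this commit; with no such command the condition produces a CommandNotFound error and evaluates as false, so every subscription is written with `ReadExistingEvents` set to `False` whatever the caller passed. It should read `If ($ReadExistingEvents){`. Since a Switch already carries a boolean, the If/Else pair could also collapse to `$xmlWriter.WriteElementString("ReadExistingEvents", $ReadExistingEvents.IsPresent.ToString())`, which yields the same "True"/"False" strings. The enclosing `ForEach($Channel in $CustomChannels)` loop begins and ends outside the hunk.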
@@ -347,22 +360,22 @@ Else{ # U2lnbmluZyBDQQIQDhlON30mOhkOirPIWrUoYzANBglghkgBZQMEAgEFAKCBhDAY # BgorBgEEAYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3 # AgEEMBwGCisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEi -# BCBdRdQcl3uoARDQBCqg/cwdZleMA9onGTt8ho1IDiiCqDANBgkqhkiG9w0BAQEF -# AASCAQB82JthTsuUn9nAfJm4u94njOdCcya64ThMcwTw6gjtOMmW8lys7gnoxCvB -# hOBF+DVlOcBp0LUMN4yYZM8M9HxSjZTdQ0efzcEQZRfnhF5MvRyWSwnfG+dhaC2U -# 26WTx3F9CPiJhZlbbC13jcZmlkGmP+5tY7kXnn+QTIqO9KO4Se9BYkRR8u4lH5JS -# 3NwEzvyWauHblG5jpAY6gGGb63xl/bC1lc2NEkcRwE+bkPjPyp8k4P4CjGsseouJ -# VuLqLv8PP2nk1SAoYzTPj3qPLPhi9UuLV9rk4AWTLPbro1qbrGim0LAS9ccKknBG -# 9NCZa6tmIVjcW5Lql7UKsjmn6wlnoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4 +# BCBLWOBo2UAxFjk14XSFqoGTOrn/xQNGTzWSap7ffGIgNTANBgkqhkiG9w0BAQEF +# AASCAQCprQAn7ja7gwPPepxbzj2x91vB6E8qWAiJPd/FoCUbLgW3fPBd/YVcPVR+ +# ZFXwrepAa47oy7ClBq4ZT4ZZqZ1SxkZtyECsrsVSJNLgPkxp5Sfb2p/M7bLyp9Hf +# cwH2L80JYg/v6u1YgqEWjRluwB9KGl2IYD40krgPcc7vg/lKvB4pSfr4ny62kTnY +# OwnHCWTIm0B8m04TYF7/Pr0FkU2TO1hZJjIJiSi3ttDK/zO3L2VszDw5y6V4WUi9 +# T2F7+BGZn6Yq4rn7E7gXMg5XOZbIXRIvtZxigQRC/BqPca2RCc/2EHc3R9l8sKHN +# O7oYSrvYwo48fHkkukthOXVnweVpoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4 # AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG # A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl # ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG -# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTNa -# MCMGCSqGSIb3DQEJBDEWBBQUSafeu49EHQNcvAKNKKEXcURbrjANBgkqhkiG9w0B -# AQEFAASCAQBt8bsMZ+lx7gSEFFX1I3cRmEsv7JmDxsE8z/SJDd/l9Ua2Tf6hnTnl -# U6hhIV7VQAEDLq9CaATkug3QjykqDYRWOWHAKZz3ngSulxfN/AQLrZP1tLByxfxW -# 8pCinR0sIO+jggioo1EcMJeajEEtUrWJU/280MWcEgs8ghlQedfoDPMxxoWwBZv9 -# 2ovdiXp4qTkvq0bMEt/p19doeYeQJC68cFUob2l3MN4bvkFW1AmrmhuRvr3VckY+ -# GglJxeANfnFKHHwjsi6WEWzNY2m7SJUwuaF7PrcAi2eNq9t2rMUpQrBts6xlfrbw -# 9lOStks/uV58iNSRQfFxEqX1lSHbkO5O +# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MjcxMzIyNTJa +# 
MCMGCSqGSIb3DQEJBDEWBBQRkXykh7mEdzFeGqVMG4nSp7CClzANBgkqhkiG9w0B +# AQEFAASCAQBu6NzSTk5g3J60pRhjstfyvGYMNr9Hm19H2DsrWJr6o+5TZbIvZAGD +# IemInFkHdjVEbx08zMGr7TfpydlZ0hIrRQ4xb2DR6Xfo/krdEmXtySh4M3cviyKE +# NFGrxiPdms3nV7jp9hV3S5CN85hiIPqNJjjIiBudG7bj+5QZXeaUnoJSjLxdvHAw +# LTthTS006wAuq1Bu+7CMTt/eAfGNouL77c7yFTdaP2BELssFzPgo4M4n9wZJvsYT +# Wgvw+ucWWwe70y2bg0TBgPUf+2oCvfFoa0qEwo1Df9EbLDsZP2AWGlBsxY27ECS3 +# jpOOPycPph0sudEF6unyrHsLX7uGP6Eh # SIG # End signature block diff --git a/DCEvents.csv b/DCEvents.csv index f3943a1..07bc016 100644 --- a/DCEvents.csv +++ b/DCEvents.csv 
@@ -1,10 +1,13 @@
 ProviderSymbol,ProviderName,ProviderGUID,ChannelSymbol,ChannelName,QueryPath,Query,TargetGroup
-DC_AL_CVF_EVENTS,Domain Controllers-Credential Validation-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_DISABLEDEXPIREDLOCKEDOUT,Domain Controllers-Credential Validation-Failure/Validation Failure Disabled Expired Locked Out,Security,"",Domain Controllers
-DC_AL_CVF_EVENTS,Domain Controllers-Credential Validation-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_INVALIDPASSWORD,Domain Controllers-Credential Validation-Failure/Validation Failure Invalid Password,Security,"",Domain Controllers
-DC_AL_CVF_EVENTS,Domain Controllers-Credential Validation-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_INVALIDUSER,Domain Controllers-Credential Validation-Failure/Validation Failure Invalid Username,Security,"",Domain Controllers
-DC_AL_CVF_EVENTS,Domain Controllers-Credential Validation-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_PASSWORDEXPIRED,Domain Controllers-Credential Validation-Failure/Validation Failure Password Expired,Security,"",Domain Controllers
-DC_AL_CVF_EVENTS,Domain Controllers-Credential Validation-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_RESTRICTIONS,Domain Controllers-Credential Validation-Failure/Validation Failure Workstation Restrictions,Security,"",Domain Controllers
-DC_AL_CVS_EVENTS,Domain Controllers-Credential Validation-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_CVS_LOGON,Domain Controllers-Credential Validation-Successful/Validation Successful,Security,"",Domain Controllers
+DC_AL_CVF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_DISABLEDEXPIREDLOCKEDOUT,Domain Controllers-Account Logon-Failure/Account Logon Failure Disabled Expired Locked Out,Security,"",Domain Controllers
+DC_AL_CVF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_INVALIDPASSWORD,Domain Controllers-Account Logon-Failure/Account Logon Failure Invalid Password,Security,"",Domain Controllers
+DC_AL_CVF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_INVALIDUSER,Domain Controllers-Account Logon-Failure/Account Logon Failure Invalid Username,Security,"",Domain Controllers
+DC_AL_CVF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_PASSWORDEXPIRED,Domain Controllers-Account Logon-Failure/Account Logon Failure Password Expired,Security,"",Domain Controllers
+DC_AL_CVF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_RESTRICTIONS,Domain Controllers-Account Logon-Failure/Account Logon Failure Workstation Restrictions,Security,"",Domain Controllers
+DC_AL_CVF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_TGS,Domain Controllers-Account Logon-Failure/Account Logon Failure Kerberos TGS Failure,Security,"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4769)]] and *[EventData[Data[@Name='Status']='0x0']]",Domain Controllers
+DC_AL_CVS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_CVS_CV,Domain Controllers-Account Logon-Successful/Account Logon Success Credential Validation,Security,"",Domain Controllers
+DC_AL_CVS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_CVS_AS, Domain Controllers-Account Logon-Successful/Account Logon Success Kerberos AS,Security,"",Domain Controllers
+DC_AL_CVS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_CVS_TGS,Domain Controllers-Account Logon-Successful/Account Logon Success Kerberos TGS,Security,"",Domain Controllers
 DC_AM_CM_EVENTS,Domain Controllers-Object Management-Computer,{FF41F360-52E6-4513-8D87-77B85A4FE6A1},DC_AM_CM_CHANGED,Domain Controllers-Object Management-Computer/Computer Changed,Security,"",Domain Controllers
 DC_AM_CM_EVENTS,Domain Controllers-Object Management-Computer,{FF41F360-52E6-4513-8D87-77B85A4FE6A1},DC_AM_CM_CREATED,Domain Controllers-Object Management-Computer/Computer Created,Security,"",Domain Controllers
 DC_AM_CM_EVENTS,Domain Controllers-Object Management-Computer,{FF41F360-52E6-4513-8D87-77B85A4FE6A1},DC_AM_CM_DELETED,Domain Controllers-Object Management-Computer/Computer Deleted,Security,"",Domain Controllers
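Review bot: The added `DC_AL_CVS_AS` row has a stray space at the start of its ChannelName field (`DC_AL_CVS_AS, Domain Controllers-Account Logon-Successful/…`); Import-Csv keeps leading whitespace inside a field, so unless a consumer trims it the generated channel name will differ from its siblings by that space, and it should begin `Domain Controllers-Account Logon-Successful/Account Logon Success Kerberos AS`. Separately, the `DC_AL_CVF_TGS` row is filed under Account Logon-Failure but its query selects `EventID=4769` with `Status='0x0'`, and 0x0 is the success result code for a Kerberos service-ticket request, so as written that channel would collect successful TGS requests rather than failures. If failures are intended, the comparison should be `*[EventData[Data[@Name='Status']!='0x0']]`; the sibling `DC_AL_CVS_TGS` success row leaves Query empty, so the two would otherwise overlap.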
@@ -38,7 +41,7 @@ DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9
 DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9330BB0},DC_LL_LF_LOCALINTERACTIVE,Domain Controllers-Logon-Failure/Logon Failure Interactive (2),Security,"",Domain Controllers
 DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9330BB0},DC_LL_LF_NETWORK,Domain Controllers-Logon-Failure/Logon Failure Network (3),Security,"",Domain Controllers
 DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9330BB0},DC_LL_LF_REMOTEINTERACTIVE,Domain Controllers-Logon-Failure/Logon Failure Remote Interactive (10),Security,"",Domain Controllers
-DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9330BB0},DC_LL_LF_SERVICE,Domain Controllers-Logon-Failure/Logon Failure Serivice (5),Security,"",Domain Controllers
+DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9330BB0},DC_LL_LF_SERVICE,Domain Controllers-Logon-Failure/Logon Failure Service (5),Security,"",Domain Controllers
 DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9330BB0},DC_LL_LF_UNLOCK,Domain Controllers-Logon-Failure/Logon Failure Unlock (7),Security,"",Domain Controllers
 DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF931F15A2},DC_LL_LS_BATCH,Domain Controllers-Logon-Success/Logon Success Batch (4),Security,"",Domain Controllers
 DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF931F15A2},DC_LL_LS_LOCALINTERACTIVE,Domain Controllers-Logon-Success/Logon Success Interactive (2),Security,"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)]] and *[EventData[Data[@Name='TargetDomainName']='Window Manager']]",Domain Controllers
@@ -46,3 +49,6 @@ DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF93
 DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF931F15A2},DC_LL_LS_REMOTEINTERACTIVE,Domain Controllers-Logon-Success/Logon Success Remote Interactive (10),Security,"",Domain Controllers
 DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF931F15A2},DC_LL_LS_SERVICE,Domain Controllers-Logon-Success/Logon Success Service (5),Security,"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)]] and *[EventData[Data[@Name='TargetDomainName']='NT AUTHORITY']]",Domain Controllers
 DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF931F15A2},DC_LL_LS_UNLOCK,Domain Controllers-Logon-Success/Logon Success Unlock (7),Security,"",Domain Controllers
+DC_DS_EVENTS,Domain Controllers-Directory Services-LDAP Weak Binds,{22301b37-f278-404d-bd04-ff63c12796f1},DC_DS_LDAP_WEAKALLOWEDSUMMARY,Domain Controllers-Directory Services-LDAP Weak Binds/LDAP Weak Bind Allowed Summary,Directory Service,"",Domain Controllers
+DC_DS_EVENTS,Domain Controllers-Directory Services-LDAP Weak Binds,{22301b37-f278-404d-bd04-ff63c12796f1},DC_DS_LDAP_WEAKBLOCKEDSUMMARY,Domain Controllers-Directory Services-LDAP Weak Binds/LDAP Weak Bind Blocked Summary,Directory Service,"",Domain Controllers
+DC_DS_EVENTS,Domain Controllers-Directory Services-LDAP Weak Binds,{22301b37-f278-404d-bd04-ff63c12796f1},DC_DS_LDAP_WEAKATTEMPTED,Domain Controllers-Directory Services-LDAP Weak Binds/LDAP Weak Bind Attempted,Directory Service,"",Domain Controllers
\ No newline at end of file