Approval Request Id $requestID$ was closed by user '$username$' as ‘$resolvedState$’ with ‘$comment$’.

Approval Request Id $requestID$ was created by user '$username$'.

Duplicate of Approval Request Id $requestID$ was created by user '$username$'.

Approval Request Id $requestID$ was escalated by user '$username$'.

Approval Request Id $requestID$ was modified by user '$username$'.

Approval Request Id $requestID$ was opened by user '$username$'.

Custom Rule '$ruleName$' was created by '$username$'.

Custom Rule '$ruleName$ (Unified)' was created by '$username$'.

‘$ruleName$’ was imported by ‘$username’.

Custom Rule '$ruleName$' was deleted by '$username$'.

Custom Rule '$ruleName$ (Unified)' was deleted by '$username$'.

Custom Rule '$ruleName$' was modified by '$username$'.

Custom Rule '$ruleName$ (Unified)' was modified by '$username$'.

‘$ruleName$’ was imported by ‘$username’.

Device Rule for ‘$ruleName$’ with id ‘$ruleID$’ was created by '$username$'.

Rule for device '$deviceName$' with id ‘$ruleID$’ was removed by '$username$'.

Device Rule ‘$ruleName$’ with id ‘$ruleID$’ was modified by '$username$'.

Approval '$ruleName$' for hash [$hash$] was created by '$username$'.

Approval ‘$ruleName (Unified)’ for hash [$hash$] was created by '$username$'.

File '$filepath$ ' with hash [$hash$] was approved based on Reputation.

$param1$ files were approved based on Reputation.

Notes: This event occurs when the rule is created on the server, not when a file instance is approved. In the last example, ‘$param1$ files’ links to a list of files approved by reputation in this event.

Approval '$ruleName$' for hash [$hash$] was deleted by '$username$'.

Approval ‘$ruleName (Unified)’ for hash [$hash$] was deleted by '$username$'.

Approval of file '$filePathAndName$' with hash [$hash$] was removed based on Reputation.

Approval of $param1$ files were removed based on Reputation.

Notes: This event occurs when the approval rule is deleted on the server, not when approval of a file instance is removed. For the last example, ‘$param1$ files’ is a link to the Files on Computers page where the files whose approvals were removed will be listed if they still exist in their respective locations.

Approval '$ruleName$' for hash [$hash$] was modified by '$username$'.

Approval ‘$ruleName (Unified)’ for hash [$hash$] was modified by '$username$'.

Ban '$name$' for [$hash$] was created by '$username$'.

Ban ‘$name$ (Unified)’ for [$hash$] was created by '$username$'.

Note: $name$ is either the name of the banned file or a user-created name (usually for multi-file bans).

Ban '$name$' for [$hash$] was deleted by '$username$'.

Ban ‘$name$ (Unified)’ for [$hash$] was deleted by '$username$'.

Note: $name$ is the name of the banned file or a user-created name (usually for multi-file bans).

Ban '$name$' for [$hash$] was modified by '$username$'.

Ban ‘$name$ (Unified)’ for [$hash$] was modified by '$username$'.

Note: $name$ is the name of the banned file or a user-created name (usually for multi-file bans).

There are multiple possible descriptions for this subtype. Examples:

File [$hash$] was approved by '$username$'.

File [$hash$] was marked as an installer by '$username$'.

Reputation was disabled for file [$hash$] by '$username$’.

An $param1$ install package $policyName$.msi was scheduled for creation by '$username$'.

Note: Param1 is either empty or “automatic” for packages that allow automatic AD Policy assignment.

Justification Id $param2$ was created by user '$username$'.

Memory Rule '$ruleName$' created by '$username$'.

Memory Rule '$ruleName$ (Unified)' created by '$username$'.

‘$ruleName$’ was imported by ‘$username’.

Memory Rule '$ruleName$' deleted by '$username$'.

Memory Rule '$ruleName$ (Unified)' deleted by '$username$'.

Memory Rule '$ruleName$' modified by '$username$'.

Memory Rule '$ruleName$ (Unified)' modified by '$username$'.

‘$ruleName$’ was imported by ‘$username’.

'$username$' created an AD rule for mapping $param1$ to the Policy $policyName$.

Registry Rule '$ruleName$' created by '$username$'.

Registry Rule '$ruleName$ (Unified)' created by '$username$'.

‘$ruleName$’ was imported by ‘$username’.

Registry Rule '$ruleName$' deleted by '$username$'.

Registry Rule '$ruleName$ (Unified)' deleted by '$username$'.

Registry Rule '$ruleName$' modified by '$username$'.

Registry Rule '$ruleName$ (Unified)' modified by '$username$'.

‘$ruleName$’ was imported by ‘$username’.

Reputation was enabled by '$username$'.

Reputation was disabled by '$username$'.

Reputation settings were modified by '$username$'.

Custom Rules were exported by '$username$'.

Memory Rules were exported by '$username$'.

Registry Rules were exported by '$username$'.

Script Rule '$ruleName$' was created by '$username$'.

Script Rule '$ruleName$' was deleted by '$username$'.

Script Rule '$ruleName$' was modified by '$username$'.

Trusted Directory '$pathName$' on computer '$computer$' is '$param2$'.

Trusted directory '$pathname$' added by '$username$'.

Trusted directory '$pathname$' deleted by '$username$'.

Info,

Warning,

Error

Trusted package '$param1$' from '$source$' has been processed.

Notes: Source may be a computer name or a manifest name. Severity is Info for status imports; Warning for improperly signed or misidentified manifests; Error for all other cases.

Trusted directory '$filePathAndName$' modified by '$username$'.

Pre-approval scan started for '$filePathAndName$'. Approval ID: $param1$. Job ID: $param2$.

Unified rule '$param1$' was overridden by '$username$'