Detects events that user-mode applications generate by calling the CveEventWrite API when an attempt is made to exploit a known vulnerability. Microsoft started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service.
This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages.