Audit events have been dropped by the transport
Audit events have been dropped by the real-time event log backup or transport pipeline.
Event ID 1101 is recorded when the security audit subsystem cannot write log entries fast enough or transport queues overflow, causing security events to be permanently dropped. This indicates serious high-volume log flooding or I/O bottleneck issues.
Failure Reason / Root Cause:
Log storage disk saturation, extreme event flooding by an adversary or malfunctioning service, or slow SIEM agent ingestion.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>1101</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.849Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to Audit events have been dropped by the transport -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1562.002 | Impair Defenses: Disable Windows Event Logging | Defense Evasion |
Recommended actions
- Check storage queue limits and disk latency where the `Security.evtx` file resides.
- Investigate potential denial-of-service or brute-force activities generating excessive log throughput.