I didn't see this in the user's guide - is there a complete listing of all the event log Event IDs and levels (Information, Warning, Error) and the messages that go with these?
This would greatly help analysts write rules ahead of time to detect when EMET configuration has changed or when EMET actively blocked an exploit.
Sure, I can collect all events with the source 'EMET' but knowing what the events mean will help security analysts looking at the logs (or an aggregation of logs from machines) really understand what the events are telling them.
What's left is the "figure it out as you go" method - completely experiential learning.
Thanks,
Ted