...
WinEvtLog_Unknown_Security_4799
Conclusion
Using this "unknown" rule, we will catch all so-far not categorized events, adjust their message text and application, and then aggregate ("count") them based on the hostname and that modified application.
...