AzStackHciStandaloneObservability/package/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/ReservedEventsTeam1Offline-HostIds.xml
|
<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2022-09-09T18:03:54.8774890Z"> <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.22.0.2 --> <Events> <WindowsEventLogSubscriptions> <!-- Security events --> <!-- Capture all Security events that do not require further filtering, excluding unnecessary or high-volume events --> <Subscription eventName="HostIdsSecurityLocal" query="Security!*[System[(EventID!=4624) and (EventID!=4634) and (EventID!=4663) and (EventID!=4672) and (EventID!=4769) and (EventID!=5156) and (EventID!=5145) and (EventID!=5158) and (EventID!=5447) and (EventID!=33205)]]" storeType="Local"> <Column name="TimeCreated" type="mt:utc" defaultAssignment=""> <Value>/Event/System/TimeCreated/@SystemTime</Value> </Column> <Column name="Computer" defaultAssignment=""> <Value>/Event/System/Computer</Value> </Column> <Column name="EventProvider" defaultAssignment=""> <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="EventType" type="mt:int32" defaultAssignment="0"> <Value>/Event/System/EventID</Value> </Column> <Column name="EventPayload" defaultAssignment=""> <Value>/Event/EventData/Data | /Event/UserData/*/* | /Event/UserData/*</Value> </Column> <Column name="Level" type="mt:int32" defaultAssignment="4"> <Value>/Event/System/Level</Value> </Column> </Subscription> <!-- Capture Security event 4624, excluding events with LogonType=3 --> <Subscription eventName="HostIdsSecurityLocal" query="Security!*[System[(EventID=4624)] and (EventData/Data[@Name='LogonType']!=3)]" storeType="Local"> <Column name="TimeCreated" type="mt:utc" defaultAssignment=""> <Value>/Event/System/TimeCreated/@SystemTime</Value> </Column> <Column name="Computer" defaultAssignment=""> <Value>/Event/System/Computer</Value> </Column> <Column name="EventProvider" defaultAssignment=""> <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="EventType" type="mt:int32" defaultAssignment="0"> <Value>/Event/System/EventID</Value> </Column> <Column name="EventPayload" defaultAssignment=""> <Value>/Event/EventData/Data | /Event/UserData/*/* | /Event/UserData/*</Value> </Column> <Column name="Level" type="mt:int32" defaultAssignment="4"> <Value>/Event/System/Level</Value> </Column> </Subscription> <!-- Capture Security event 4663. These events are filtered to include only certain object types in a DerivedEvent. --> <Subscription eventName="HostIdsSecurityObjAccessLocal" query="Security!*[System[(EventID=4663)]]" storeType="Local"> <Column name="TimeCreated" type="mt:utc" defaultAssignment=""> <Value>/Event/System/TimeCreated/@SystemTime</Value> </Column> <Column name="Computer" defaultAssignment=""> <Value>/Event/System/Computer</Value> </Column> <Column name="EventProvider" defaultAssignment=""> <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="EventType" type="mt:int32"> <Value>/Event/System/EventID</Value> </Column> <Column name="EventPayload" defaultAssignment=""> <Value>/Event/EventData/Data | /Event/UserData/*/* | /Event/UserData/*</Value> </Column> <Column name="ObjectName" defaultAssignment=""> <Value>/Event/EventData/Data[@Name='ObjectName']</Value> </Column> <Column name="Level" type="mt:int32" defaultAssignment="4"> <Value>/Event/System/Level</Value> </Column> </Subscription> <!-- System events --> <!-- Capture System events --> <Subscription eventName="HostIdsSystemLocal" query="System!*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and (EventID=104)] or System[Provider[@Name='Service Control Manager'] and (EventID=7034 or EventID=7045)]]" storeType="Local"> <Column name="TimeCreated" type="mt:utc" defaultAssignment=""> <Value>/Event/System/TimeCreated/@SystemTime</Value> </Column> <Column name="Computer" defaultAssignment=""> <Value>/Event/System/Computer</Value> </Column> <Column name="EventProvider" defaultAssignment=""> <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="EventType" type="mt:int32"> <Value>/Event/System/EventID</Value> </Column> <Column name="EventPayload" defaultAssignment=""> <Value>/Event/EventData/Data | /Event/UserData/*/* | /Event/UserData/*</Value> </Column> <Column name="Level" type="mt:int32" defaultAssignment="4"> <Value>/Event/System/Level</Value> </Column> </Subscription> <!-- Capture Antimalware events --> <Subscription eventName="HostIdsSystemLocal" query="System!*[System[Provider[@Name='Microsoft Antimalware'] and (EventID=1116 or EventID=1117 or EventID=1118 or EventID=1119 or EventID=2001 or EventID=5007)]]" storeType="Local"> <Column name="TimeCreated" type="mt:utc" defaultAssignment=""> <Value>/Event/System/TimeCreated/@SystemTime</Value> </Column> <Column name="Computer" defaultAssignment=""> <Value>/Event/System/Computer</Value> </Column> <Column name="EventProvider" defaultAssignment=""> <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="EventType" type="mt:int32"> <Value>/Event/System/EventID</Value> </Column> <Column name="EventPayload" defaultAssignment=""> <Value>/Event/EventData/Data | /Event/UserData/*/* | /Event/UserData/*</Value> </Column> <Column name="Level" type="mt:int32" defaultAssignment="4"> <Value>/Event/System/Level</Value> </Column> </Subscription> <!-- Capture Antimalware events on Server 2016 --> <Subscription eventName="HostIdsSystemLocal" query="Microsoft-Windows-Windows Defender/Operational!*[System[(EventID=1116 or EventID=1117 or EventID=1118 or EventID=1119 or EventID=2001 or EventID=5007)]]" storeType="Local"> <Column name="TimeCreated" type="mt:utc" defaultAssignment=""> <Value>/Event/System/TimeCreated/@SystemTime</Value> </Column> <Column name="Computer" defaultAssignment=""> <Value>/Event/System/Computer</Value> </Column> <Column name="EventProvider" defaultAssignment=""> <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="EventType" type="mt:int32"> <Value>/Event/System/EventID</Value> </Column> <Column name="EventPayload" defaultAssignment=""> <Value>/Event/EventData/Data | /Event/UserData/*/*</Value> </Column> <Column name="Level" type="mt:int32" defaultAssignment="4"> <Value>/Event/System/Level</Value> </Column> </Subscription> <!-- Capture AppLocker events --> <Subscription eventName="HostIdsAppLockerLocal" query="Microsoft-Windows-AppLocker/EXE and DLL!*" storeType="Local"> <Column name="TimeCreated" type="mt:utc" defaultAssignment=""> <Value>/Event/System/TimeCreated/@SystemTime</Value> </Column> <Column name="Computer" defaultAssignment=""> <Value>/Event/System/Computer</Value> </Column> <Column name="EventProvider" defaultAssignment=""> <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="EventType" type="mt:int32"> <Value>/Event/System/EventID</Value> </Column> <Column name="EventPayload" defaultAssignment=""> <Value>/Event/EventData/Data | /Event/UserData/*/*</Value> </Column> <Column name="Level" type="mt:int32" defaultAssignment="4"> <Value>/Event/System/Level</Value> </Column> </Subscription> <Subscription eventName="HostIdsAppLockerLocal" query="Microsoft-Windows-AppLocker/MSI and Script!*" storeType="Local"> <Column name="TimeCreated" type="mt:utc" defaultAssignment=""> <Value>/Event/System/TimeCreated/@SystemTime</Value> </Column> <Column name="Computer" defaultAssignment=""> <Value>/Event/System/Computer</Value> </Column> <Column name="EventProvider" defaultAssignment=""> <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="EventType" type="mt:int32"> <Value>/Event/System/EventID</Value> </Column> <Column name="EventPayload" defaultAssignment=""> <Value>/Event/EventData/Data | /Event/UserData/*/*</Value> </Column> <Column name="Level" type="mt:int32" defaultAssignment="4"> <Value>/Event/System/Level</Value> </Column> </Subscription> <!-- HostIDS events --> <!-- Capture operational log events from HostIDS --> <Subscription eventName="HostIdsOperationsLogEventsLocal" query="HostIDS Operations Log!*" storeType="Local"> <Column name="TimeCreated" type="mt:utc" defaultAssignment=""> <Value>/Event/System/TimeCreated/@SystemTime</Value> </Column> <Column name="Computer" defaultAssignment=""> <Value>/Event/System/Computer</Value> </Column> <Column name="EventProvider"> <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="EventType" type="mt:int32" defaultAssignment=""> <Value>/Event/System/EventID</Value> </Column> <Column name="EventPayload" defaultAssignment=""> <Value>/Event/EventData/Data</Value> </Column> <Column name="Level" type="mt:int32" defaultAssignment="4"> <Value>/Event/System/Level</Value> </Column> </Subscription> </WindowsEventLogSubscriptions> <DerivedEvents> <!-- HostIDS events --> <!-- Filter Security event 4663 to include only certain object types --> <DerivedEvent source="HostIdsSecurityObjAccessLocal" eventName="HostIdsSecurityLocal" storeType="Local" duration="PT5M" whereToRun="Local"> <Query><![CDATA[ where RegexCount(ObjectName, "\.(ascx|ashx|asp|aspx|asmx|axd|cer|cshtm|cshtml|json|rem|rules|shtml|stm|svc|soap|vbhtml|xamlx|xoml|dll)$", "gi") >= 1 let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId") let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID") let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId") let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") select TimeCreated, ReportingIdentity, AssetIdentity, Computer, EventProvider, EventType, EventPayload, ObjectName, Level, CRPVMId, ServiceId, SubscriptionId, ComputerName ]]></Query> </DerivedEvent> <!-- Augment Security events with identity information and upload to MDS --> <DerivedEvent source="HostIdsSecurityLocal" eventName="AsmSec1Data" storeType="CentralBond" duration="PT5M" account="AzSecurityStore" whereToRun="Local"> <Query><![CDATA[ let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId") let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID") let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId") let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") select TimeCreated, ReportingIdentity, AssetIdentity, Computer, EventProvider, EventType, EventPayload, Level, CRPVMId, ServiceId, SubscriptionId, ComputerName ]]></Query> </DerivedEvent> <!-- System events --> <!-- Augment System events with identity information and upload to MDS --> <DerivedEvent source="HostIdsSystemLocal" eventName="AsmSec1Data" storeType="CentralBond" duration="PT5M" account="AzSecurityStore" whereToRun="Local"> <Query><![CDATA[ let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId") let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID") let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId") let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") select TimeCreated, ReportingIdentity, AssetIdentity, Computer, EventProvider, EventType, EventPayload, Level, CRPVMId, ServiceId, SubscriptionId, ComputerName ]]></Query> </DerivedEvent> <!-- AppLocker events --> <!-- Augment AppLocker events with identity information and upload to MDS --> <DerivedEvent source="HostIdsAppLockerLocal" eventName="AsmSec1Data" storeType="CentralBond" duration="PT5M" account="AzSecurityStore" whereToRun="Local"> <Query><![CDATA[ let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId") let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID") let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId") let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") select TimeCreated, ReportingIdentity, AssetIdentity, Computer, EventProvider, EventType, EventPayload, Level, CRPVMId, ServiceId, SubscriptionId, ComputerName ]]></Query> </DerivedEvent> <!-- HostIDS events --> <!-- Augment HostIDS events with identity information and upload to MDS --> <DerivedEvent source="HostIdsOperationsLogEventsLocal" eventName="AsmSec1Data" storeType="CentralBond" duration="PT5M" account="AzSecurityStore" whereToRun="Local"> <Query><![CDATA[ let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId") let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID") let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId") let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") select TimeCreated, ReportingIdentity, AssetIdentity, Computer, EventProvider, EventType, EventPayload, Level, CRPVMId, ServiceId, SubscriptionId, ComputerName ]]></Query> </DerivedEvent> </DerivedEvents> </Events> </MonitoringManagement> |