AzStackHciStandaloneObservability/package/bin/MAWatchdog/CommonSecurityAudit.xml

<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0" namespace="AddOnInfra" timestamp="2014-08-18T09:09:36.7355239Z">
  <Events>
    <WindowsEventLogSubscriptions>
     
      <!-- Wireless Lan 802.1x authentication events with Peer MAC address -->
      <Subscription eventName="WirelessLanAuthEvents"
        query="Security!*[System[(EventID=5632)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- New service (4697) -->
      <Subscription eventName="NewServiceEvents"
        query="Security!*[System[(EventID=4697)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- TS Session reconnect (4778), TS Session disconnect (4779) -->
      <Subscription eventName="TSSessionConnectionEvents"
        query="Security!*[System[(EventID=4778 or EventID=4779)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Network share object access without IPC$ and Netlogon shares -->
      <Subscription eventName="NetworkShareAccessEvents"
        query="Security!*[System[(EventID=5140)] and EventData[Data[@Name='ShareName']!='\\*\IPC$'] and EventData[Data[@Name='ShareName']!='\\*\NetLogon']]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- System Time Change (4616) -->
      <Subscription eventName="SystemTimeChangeEvents"
        query="Security!*[System[(EventID=4616)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Local logons without network or service events -->
      <Subscription eventName="LocalLogonEvents"
        query="Security!*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']!='3'] and EventData[Data[@Name='LogonType']!='5']]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Security Log cleared events (1102), EventLog Service shutdown (1100)-->
      <Subscription eventName="LogClearedShutdownEvents"
        query="Security!*[System[(EventID=1102 or EventID=1100)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- user initiated logoff -->
      <Subscription eventName="UserInitiatedLogoffEvents"
        query="Security!*[System[(EventID=4647)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- user logoff for all non-network logon sessions-->
      <Subscription eventName="UserLogoffEvents"
        query="Security!*[System[(EventID=4634)] and EventData[Data[@Name='LogonType'] != '3']]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Service logon events if the user account isn't LocalSystem, NetworkService, LocalService -->
      <Subscription eventName="ServiceLogonEvents"
        query="Security!*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='5'] and EventData[Data[@Name='TargetUserSid'] != 'S-1-5-18'] and EventData[Data[@Name='TargetUserSid'] != 'S-1-5-19'] and EventData[Data[@Name='TargetUserSid'] != 'S-1-5-20']]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Network Share create (5142), Network Share Delete (5144) -->
      <Subscription eventName="NetworkShareCreateDeleteEvents"
        query="Security!*[System[(EventID=5142 or EventID=5144)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Process Create (4688) -->
      <Subscription eventName="ProcessCreateEvents"
        query="Security!*[System[EventID=4688]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Event log service events specific to Security channel -->
      <Subscription eventName="EventLogSecurityChannelServiceEvents"
        query="Security!*[System[Provider[@Name='Microsoft-Windows-Eventlog']]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Special Privileges (Admin-equivalent Access) assigned to new logon, excluding LocalSystem-->
      <Subscription eventName="NewLogonWithAdminAccessEvents"
        query="Security!*[System[(EventID=4672)] and EventData[Data[1] != 'S-1-5-18']]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- New user added to local, global or universal security group-->
      <Subscription eventName="NewUserAddedToSecurityGroupEvents"
        query="Security!*[System[(EventID=4732 or EventID=4728 or EventID=4756)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- User removed from local Administrators group-->
      <Subscription eventName="UserRemovedFromLocalAdminEvents"
        query="Security!*[System[(EventID=4733)] and EventData[Data[@Name='TargetUserName']='Administrators']]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Certificate Services received certificate request (4886), Approved and Certificate issued (4887), Denied request (4888) -->
      <Subscription eventName="CertificateEvents"
        query="Security!*[System[(EventID=4886 or EventID=4887 or EventID=4888)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- New User Account Created(4720), User Account Enabled (4722), User Account Disabled (4725), User Account Deleted (4726) -->
      <Subscription eventName="UserAccountEvents"
        query="Security!*[System[(EventID=4720 or EventID=4722 or EventID=4725 or EventID=4726)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
      
      <!-- Anti-malware *old* events, but only detect events (cuts down noise) -->
      <Subscription eventName="AntiMalwareEvents"
        query="System!*[System[Provider[@Name='Microsoft Antimalware'] and (EventID &gt;= 1116 and EventID &lt;= 1119)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- System startup (12 - includes OS/SP/Version) and shutdown -->
      <Subscription eventName="SystemUpDownEvents"
        query="System!*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=12 or EventID=13)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Service Install (7000), service start failure (7045) -->
      <Subscription eventName="ServiceEvents"
        query="System!*[System[Provider[@Name='Service Control Manager'] and (EventID = 7000 or EventID=7045)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Shutdown initiate requests, with user, process and reason (if supplied) -->
      <Subscription eventName="ShutdownIniEvents"
        query="System!*[System[Provider[@Name='USER32'] and (EventID=1074)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Event log service events -->
      <Subscription eventName="EventLogServiceEvents"
        query="System!*[System[Provider[@Name='Microsoft-Windows-Eventlog']]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Other Log cleared events (104)-->
      <Subscription eventName="LogClearedEvents"
        query="System!*[System[(EventID=104)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
 
      <!-- EMET events -->
      <Subscription eventName="EmetEvents"
        query="Application!*[System[Provider[@Name='EMET']]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- WER events for application crashes only -->
      <Subscription eventName="WerEvents"
        query="Application!*[System[Provider[@Name='Windows Error Reporting']] and EventData[Data[3]='APPCRASH']]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- User logging on with Temporary profile (1511), cannot create profile, using temporary profile (1518)-->
      <Subscription eventName="TempProfileEvents"
        query="Application!*[System[Provider[@Name='Microsoft-Windows-User Profiles Service'] and (EventID=1511 or EventID=1518)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Application crash/hang events, similar to WER/1001. These include full path to faulting EXE/Module.-->
      <Subscription eventName="AppCrashHangEvents"
        query="Application!*[System[Provider[@Name='Application Error'] and (EventID=1000)] or System[Provider[@Name='Application Hang'] and (EventID=1002)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- AppLocker EXE events -->
      <Subscription eventName="AppLockerExeEvents"
        query="Microsoft-Windows-AppLocker/EXE and DLL!*[UserData[RuleAndFileData[PolicyName='EXE']]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- AppLocker Script events -->
      <Subscription eventName="AppLockerScriptEvents"
        query="Microsoft-Windows-AppLocker/MSI and Script!*"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Task scheduler Task Registered (106), Task Registration Deleted (141), Task Deleted (142) -->
      <Subscription eventName="TaskSchedulerEvents"
        query="Microsoft-Windows-TaskScheduler/Operational!*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and (EventID=106 or EventID=141 or EventID=142 )]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- AppLocker packaged (Modern UI) app execution -->
      <Subscription eventName="AppLockerExecutionEvents"
        query="Microsoft-Windows-AppLocker/Packaged app-Execution!*"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- AppLocker packaged (Modern UI) app installation -->
      <Subscription eventName="AppLockerInstallationEvents"
        query="Microsoft-Windows-AppLocker/Packaged app-Deployment!*"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Log attempted TS connect to remote server -->
      <Subscription eventName="TSConnectEvents"
        query="Microsoft-Windows-TerminalServices-RDPClient/Operational!*[System[(EventID=1024)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Gets all Smart-card Card-Holder Verification (CHV) events (success and failure) performed on the host. -->
      <Subscription eventName="SmartCardEvents"
        query="Microsoft-Windows-SmartCard-Audit/Authentication!*"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- get all UNC/mapped drive successful connection -->
      <Subscription eventName="DriveConnectEvents"
        query="Microsoft-Windows-SMBClient/Operational!*[System[(EventID=30622 or EventID=30624)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Modern SysMon event provider-->
      <Subscription eventName="SysMonEvents"
        query="Microsoft-Windows-Sysmon/Operational!*"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Modern Windows Defender event provider Detection events (1006-1009) and (1116-1119) -->
      <Subscription eventName="DefenderEvents"
        query="Microsoft-Windows-Windows Defender/Operational!*[System[( (EventID &gt;= 1006 and EventID &lt;= 1009) or (EventID &gt;= 1116 and EventID &lt;= 1119) )]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
            
      <!-- Code Integrity events -->
      <Subscription eventName="CodeIntegrityEvents"
          query="Microsoft-Windows-CodeIntegrity/Operational!*[System[Provider[@Name='Microsoft-Windows-CodeIntegrity'] and (EventID=3076 or EventID=3077)]]"
          storeType="Local"
          duration="PT120S"
          account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
 
    </WindowsEventLogSubscriptions>
     
    <DerivedEvents>
     
      <DerivedEvent source="WirelessLanAuthEvents"
        duration="PT5M"
        eventName="AzSWirelessLanAuthEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="NewServiceEvents"
        duration="PT5M"
        eventName="AzSNewServiceEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
 
      <DerivedEvent source="TSSessionConnectionEvents"
        duration="PT5M"
        eventName="AzSTSSessionConnectionEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="NetworkShareAccessEvents"
        duration="PT5M"
        eventName="AzSNetworkShareAccessEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="SystemTimeChangeEvents"
        duration="PT5M"
        eventName="AzSSystemTimeChangeEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="LocalLogonEvents"
        duration="PT5M"
        eventName="AzSLocalLogonEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
 
      <DerivedEvent source="LogClearedShutdownEvents"
        duration="PT5M"
        eventName="AzSLogClearedShutdownEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="UserInitiatedLogoffEvents"
        duration="PT5M"
        eventName="AzSUserInitiatedLogoffEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="UserLogoffEvents"
        duration="PT5M"
        eventName="AzSUserLogoffEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="ServiceLogonEvents"
        duration="PT5M"
        eventName="AzSServiceLogonEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
 
      <DerivedEvent source="NetworkShareCreateDeleteEvents"
        duration="PT5M"
        eventName="AzSNetworkShareCreateDeleteEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="ProcessCreateEvents"
        duration="PT5M"
        eventName="AzSProcessCreateEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
     
      <DerivedEvent source="EventLogSecurityChannelServiceEvents"
        duration="PT5M"
        eventName="AzSEventLogSecurityChannelServiceEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="NewLogonWithAdminAccessEvents"
        duration="PT5M"
        eventName="AzSNewLogonWithAdminAccessEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
 
      <DerivedEvent source="NewUserAddedToSecurityGroupEvents"
        duration="PT5M"
        eventName="AzSNewUserAddedToSecurityGroupEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="UserRemovedFromLocalAdminEvents"
        duration="PT5M"
        eventName="AzSUserRemovedFromLocalAdminEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="CertificateEvents"
        duration="PT5M"
        eventName="AzSCertificateEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="UserAccountEvents"
        duration="PT5M"
        eventName="AzSUserAccountEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="AntiMalwareEvents"
        duration="PT5M"
        eventName="AzSAntiMalwareEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="SystemUpDownEvents"
        duration="PT5M"
        eventName="AzSSystemUpDownEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="ServiceEvents"
        duration="PT5M"
        eventName="AzSServiceEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="ShutdownIniEvents"
        duration="PT5M"
        eventName="AzSShutdownIniEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="EventLogServiceEvents"
        duration="PT5M"
        eventName="AzSEventLogServiceEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="LogClearedEvents"
        duration="PT5M"
        eventName="AzSLogClearedEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
 
      <DerivedEvent source="EmetEvents"
        duration="PT5M"
        eventName="AzSEmetEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="WerEvents"
        duration="PT5M"
        eventName="AzSWerEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="TempProfileEvents"
        duration="PT5M"
        eventName="AzSTempProfileEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="AppCrashHangEvents"
        duration="PT5M"
        eventName="AzSAppCrashHangEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="AppLockerExeEvents"
        duration="PT5M"
        eventName="AzSAppLockerExeEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="AppLockerScriptEvents"
        duration="PT5M"
        eventName="AzSAppLockerScriptEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="TaskSchedulerEvents"
        duration="PT5M"
        eventName="AzSTaskSchedulerEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="AppLockerExecutionEvents"
        duration="PT5M"
        eventName="AzSAppLockerExecutionEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="AppLockerInstallationEvents"
        duration="PT5M"
        eventName="AzSAppLockerInstallationEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="TSConnectEvents"
        duration="PT5M"
        eventName="AzSTSConnectEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="SmartCardEvents"
        duration="PT5M"
        eventName="AzSSmartCardEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="DriveConnectEvents"
        duration="PT5M"
        eventName="AzSDriveConnectEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="SysMonEvents"
        duration="PT5M"
        eventName="AzSSysMonEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="DefenderEvents"
        duration="PT5M"
        eventName="AzSDefenderEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
             
      <DerivedEvent source="CodeIntegrityEvents"
        duration="PT5M"
        eventName="AzSCodeIntegrityEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
          <![CDATA[
            where RegexMatch(EventMessage, "load \\Device\\\w+\\Windows\\assembly\\NativeImages") == "" &&
                  RegexMatch(EventMessage, "load \\Device\\\w+\\Windows\\Microsoft.NET\\assembly\\GAC_\d+\\MSBuild\\.*\\MSBuild.exe") == ""
          ]]>
        </Query>
      </DerivedEvent>
       
    </DerivedEvents>
  </Events>
</MonitoringManagement>