AzStackHciStandaloneObservability/package/bin/MAWatchdog/CommonSecurityAuditEx.xml
<?xml version="1.0" encoding="utf-8"?>
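<MonitoringManagement xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0" namespace="AddOnInfra" timestamp="2014-08-18T09:09:36.7355239Z">
  <Events>
    <WindowsEventLogSubscriptions>
      <!--
        Windows Event Log subscriptions for security audit events.
        Every subscription below projects the same 23 columns out of the event XML
        (channel, computer, correlation ids, raw EventData/UserData, numeric ids,
        provider metadata and the GetEventMetadata() lookups). The column list is
        repeated verbatim per subscription, so a column added to one subscription
        has to be added to all of them.
        Subscriptions wrapped in a comment (NetworkLogonEvents, LogoffEvents,
        LocalCredAuthEvents) are currently disabled; they are kept here so they
        can be re-enabled by removing the comment markers.
        A literal '<' is not allowed inside an XML attribute value: write "&lt;"
        in queries (see RrasEvents), otherwise the whole file fails to parse.
      -->

      <!-- Network logon events: 4624 with LogonType 3. Currently disabled.
      <Subscription eventName="NetworkLogonEvents" query="Security!*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='3']]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>
      -->

      <!-- CA stop/start events: CA service stopped (4880), CA service started (4881),
           CA DB row(s) deleted (4896), CA template loaded (4898) -->
      <Subscription eventName="CAEvents" query="Security!*[System[(EventID=4880 or EventID = 4881 or EventID = 4896 or EventID = 4898)]]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>

      <!-- Logoff events (4634, LogonType 3), the counterpart of NetworkLogonEvents. Currently disabled.
      <Subscription eventName="LogoffEvents" query="Security!*[System[(EventID=4634)] and EventData[Data[@Name='LogonType'] = '3']]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>
      -->

      <!-- RRAS events (6272 to 6280), only generated on a Microsoft IAS server.
           The upper bound must be written as "&lt;=": a literal '<' inside an
           attribute value is a well-formedness error and breaks the whole file. -->
      <Subscription eventName="RrasEvents" query="Security!*[System[( (EventID >= 6272 and EventID &lt;= 6280) )]]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>

      <!-- Process terminate (4689) -->
      <Subscription eventName="ProcessTerminateEvents" query="Security!*[System[(EventID = 4689)]]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>

      <!-- Local credential authentication (4776) and logon with explicit credentials (4648). Currently disabled.
      <Subscription eventName="LocalCredAuthEvents" query="Security!*[System[(EventID=4776 or EventID=4648)]]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>
      -->

      <!-- Registry modified events (4657), restricted to the operation types
           new registry value created (%%1904), existing registry value modified (%%1905)
           and registry value deleted (%%1906) -->
      <Subscription eventName="RegistryModifiedEvents" query="Security!*[System[(EventID=4657)] and (EventData[Data[@Name='OperationType'] = '%%1904'] or EventData[Data[@Name='OperationType'] = '%%1905'] or EventData[Data[@Name='OperationType'] = '%%1906'])]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>

      <!-- Request made to authenticate to a wireless network, including the peer MAC (5632) -->
      <Subscription eventName="WirelessNetworkAuthReqEvents" query="Security!*[System[(EventID=5632)]]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>

      <!-- A new external device was recognized by the system (6416) -->
      <Subscription eventName="ExternalPnpDeviceRecognizedEvents" query="Security!*[System[(EventID=6416)]]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>

      <!-- RADIUS authentication events from the System channel, provider RemoteAccess:
           user assigned IP address (20274), user successfully authenticated (20250),
           user disconnected (20275) -->
      <Subscription eventName="RadiusAuthEvents" query="System!*[System[Provider[@Name='RemoteAccess'] and (EventID=20274 or EventID=20250 or EventID=20275)]]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>

      <!-- CAPI2 operational events: build chain (11), private key accessed (70), X509 object (90) -->
      <Subscription eventName="CapiEvents" query="Microsoft-Windows-CAPI2/Operational!*[System[(EventID=11 or EventID=70 or EventID=90)]]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>

      <!-- Groups assigned to a new logon (LSA operational event 300), excluding the
           well-known built-in service accounts S-1-5-18 (LocalSystem),
           S-1-5-19 (LocalService) and S-1-5-20 (NetworkService) -->
      <Subscription eventName="LsaEvents" query="Microsoft-Windows-LSA/Operational!*[System[(EventID=300)] and EventData[Data[@Name='TargetUserSid'] != 'S-1-5-20'] and EventData[Data[@Name='TargetUserSid'] != 'S-1-5-18'] and EventData[Data[@Name='TargetUserSid'] != 'S-1-5-19']]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>

      <!-- DNS client events: name resolution (3008) with an empty QueryResults,
           excluding queries whose QueryOptions equals 140737488355328
           (the meaning of that constant is not documented here; confirm before changing it) -->
      <Subscription eventName="DnsClientEvents" query="Microsoft-Windows-DNS-Client/Operational!*[System[(EventID=3008)] and EventData[Data[@Name='QueryOptions'] != '140737488355328'] and EventData[Data[@Name='QueryResults']='']]" storeType="Local" duration="PT120S" account="AuditStore">
        <Column name="ChannelName" defaultAssignment=""><Value>/Event/System/Channel</Value></Column>
        <Column name="Computer" defaultAssignment=""><Value>/Event/System/Computer</Value></Column>
        <Column name="ActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@ActivityID</Value></Column>
        <Column name="RelatedActivityId" defaultAssignment=""><Value>/Event/System/Correlation/@RelatedActivityID</Value></Column>
        <Column name="EventData" defaultAssignment=""><Value>/Event/EventData/*</Value></Column>
        <Column name="EventId" defaultAssignment="0"><Value>/Event/System/EventID</Value></Column>
        <Column name="EventMessage" defaultAssignment=""><Value>GetEventMetadata("Description")</Value></Column>
        <Column name="EventRecordId" defaultAssignment="0"><Value>/Event/System/EventRecordID</Value></Column>
        <Column name="Pid" defaultAssignment="-1"><Value>/Event/System/Execution/@ProcessID</Value></Column>
        <Column name="Tid" defaultAssignment="-1"><Value>/Event/System/Execution/@ThreadID</Value></Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000"><Value>/Event/System/Keywords</Value></Column>
        <Column name="KeywordName" defaultAssignment=""><Value>GetEventMetadata("Keyword")</Value></Column>
        <Column name="Level" defaultAssignment="0"><Value>/Event/System/Level</Value></Column>
        <Column name="Opcode" defaultAssignment="0"><Value>/Event/System/Opcode</Value></Column>
        <Column name="OpcodeName" defaultAssignment=""><Value>GetEventMetadata("Opcode")</Value></Column>
        <Column name="ProviderEventSourceName" defaultAssignment=""><Value>/Event/System/Provider/@EventSourceName</Value></Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}"><Value>/Event/System/Provider/@Guid</Value></Column>
        <Column name="ProviderName" defaultAssignment=""><Value>/Event/System/Provider/@Name</Value></Column>
        <Column name="SecurityUserId" defaultAssignment=""><Value>/Event/System/Security/@UserID</Value></Column>
        <Column name="Task" defaultAssignment="0"><Value>/Event/System/Task</Value></Column>
        <Column name="TaskName" defaultAssignment=""><Value>GetEventMetadata("Task")</Value></Column>
        <Column name="UserData" defaultAssignment=""><Value>/Event/UserData/*</Value></Column>
        <Column name="Version" defaultAssignment="0"><Value>/Event/System/Version</Value></Column>
      </Subscription>

      <!-- User-mode driver load events (2004), for potential BadUSB detection.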
--> <Subscription eventName="UserModeDriverLoadEvents" query="Microsoft-Windows-DriverFrameworks-UserMode/Operational!*[System[(EventID=2004)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> 
</Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Legacy PowerShell pipeline execution details (800) --> <Subscription eventName="LegacyPSEvents" query="Windows PowerShell!*[System[(EventID=800)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" 
defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> </WindowsEventLogSubscriptions> <DerivedEvents> <DerivedEvent source="NetworkLogonEvents" duration="PT5M" eventName="AzSNetworkLogonEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="CAEvents" duration="PT5M" eventName="AzSCAEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="LogoffEvents" duration="PT5M" eventName="AzSLogoffEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="RrasEvents" duration="PT5M" 
eventName="AzSRrasEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="ProcessTerminateEvents" duration="PT5M" eventName="AzSProcessTerminateEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="LocalCredAuthEvents" duration="PT5M" eventName="AzSLocalCredAuthEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="RegistryModifiedEvents" duration="PT5M" eventName="AzSRegistryModifiedEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="WirelessNetworkAuthReqEvents" duration="PT5M" eventName="AzSWirelessNetworkAuthReqEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="ExternalPnpDeviceRecognizedEvents" duration="PT5M" eventName="AzSExternalPnpDeviceRecognizedEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="RadiusAuthEvents" duration="PT5M" eventName="AzSRadiusAuthEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="CapiEvents" duration="PT5M" eventName="AzSCapiEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="LsaEvents" duration="PT5M" eventName="AzSLsaEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" 
whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="DnsClientEvents" duration="PT5M" eventName="AzSDnsClientEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="PowerShellEvents" duration="PT5M" eventName="AzSPowerShellEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="UserModeDriverLoadEvents" duration="PT5M" eventName="AzSUserModeDriverLoadEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="LegacyPSEvents" duration="PT5M" eventName="AzSLegacyPSEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> </DerivedEvents> </Events> </MonitoringManagement> |