Obs/bin/MAWatchdog/CommonSecurityAudit.xml
<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0" namespace="AddOnInfra" timestamp="2014-08-18T09:09:36.7355239Z"> <Events> <WindowsEventLogSubscriptions> <!-- Wireless Lan 802.1x authentication events with Peer MAC address --> <Subscription eventName="WirelessLanAuthEvents" query="Security!*[System[(EventID=5632)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> 
<Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- New service (4697) --> <Subscription eventName="NewServiceEvents" query="Security!*[System[(EventID=4697)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" 
defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- TS Session reconnect (4778), TS Session disconnect (4779) --> <Subscription eventName="TSSessionConnectionEvents" query="Security!*[System[(EventID=4778 or EventID=4779)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column 
name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column 
name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Network share object access without IPC$ and Netlogon shares --> <Subscription eventName="NetworkShareAccessEvents" query="Security!*[System[(EventID=5140)] and EventData[Data[@Name='ShareName']!='\\*\IPC$'] and EventData[Data[@Name='ShareName']!='\\*\NetLogon']]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column 
name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- System Time Change (4616) --> <Subscription eventName="SystemTimeChangeEvents" query="Security!*[System[(EventID=4616)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" 
defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Local logons without network or service events --> <Subscription eventName="LocalLogonEvents" query="Security!*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']!='3'] and EventData[Data[@Name='LogonType']!='5']]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > 
<Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" 
defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Security Log cleared events (1102), EventLog Service shutdown (1100)--> <Subscription eventName="LogClearedShutdownEvents" query="Security!*[System[(EventID=1102 or EventID=1100)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" 
defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- user initiated logoff --> <Subscription eventName="UserInitiatedLogoffEvents" query="Security!*[System[(EventID=4647)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > 
<Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- user logoff for all non-network logon sessions--> <Subscription eventName="UserLogoffEvents" query="Security!*[System[(EventID=4634)] and EventData[Data[@Name='LogonType'] != '3']]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column 
name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column 
name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Service logon events if the user account isn't LocalSystem, NetworkService, LocalService --> <Subscription eventName="ServiceLogonEvents" query="Security!*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='5'] and EventData[Data[@Name='TargetUserSid'] != 'S-1-5-18'] and EventData[Data[@Name='TargetUserSid'] != 'S-1-5-19'] and EventData[Data[@Name='TargetUserSid'] != 'S-1-5-20']]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> 
<Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Network Share create (5142), Network Share Delete (5144) --> <Subscription eventName="NetworkShareCreateDeleteEvents" query="Security!*[System[(EventID=5142 or EventID=5144)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > 
<Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Process Create (4688) --> <Subscription eventName="ProcessCreateEvents" query="Security!*[System[EventID=4688]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> 
<Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > 
<Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Event log service events specific to Security channel --> <Subscription eventName="EventLogSecurityChannelServiceEvents" query="Security!*[System[Provider[@Name='Microsoft-Windows-Eventlog']]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > 
<Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Special Privileges (Admin-equivalent Access) assigned to new logon, excluding LocalSystem--> <Subscription eventName="NewLogonWithAdminAccessEvents" query="Security!*[System[(EventID=4672)] and EventData[Data[1] != 'S-1-5-18']]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > 
<Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Member added to a security-enabled local, global or universal group (any principal, not only newly created users) --> <Subscription eventName="NewUserAddedToSecurityGroupEvents" query="Security!*[System[(EventID=4732 or EventID=4728 or EventID=4756)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column 
name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> 
</Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Member removed from the local Administrators group; matched on the group's display name rather than its well-known SID, so a renamed or localized Administrators group is not captured --> <Subscription eventName="UserRemovedFromLocalAdminEvents" query="Security!*[System[(EventID=4733)] and EventData[Data[@Name='TargetUserName']='Administrators']]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > 
<Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Certificate Services received certificate request (4886), Approved and Certificate issued (4887), Denied request (4888) --> <Subscription eventName="CertificateEvents" query="Security!*[System[(EventID=4886 or EventID=4887 or EventID=4888)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > 
<Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- New User Account Created(4720), User Account Enabled (4722), User Account Disabled (4725), User Account Deleted (4726) --> <Subscription eventName="UserAccountEvents" query="Security!*[System[(EventID=4720 or EventID=4722 or EventID=4725 or 
EventID=4726)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column 
name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Anti-malware *old* events, but only detect events (cuts down noise) --> <Subscription eventName="AntiMalwareEvents" query="System!*[System[Provider[@Name='Microsoft Antimalware'] and (EventID >= 1116 and EventID <= 1119)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > 
<Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- System startup (12 - includes OS/SP/Version) and shutdown --> <Subscription eventName="SystemUpDownEvents" query="System!*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=12 or EventID=13)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> 
</Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Service failed to start (7000), new service installed (7045) --> <Subscription eventName="ServiceEvents" 
query="System!*[System[Provider[@Name='Service Control Manager'] and (EventID = 7000 or EventID=7045)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" 
defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Shutdown initiate requests, with user, process and reason (if supplied) --> <Subscription eventName="ShutdownIniEvents" query="System!*[System[Provider[@Name='USER32'] and (EventID=1074)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column 
name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Event log service events --> <Subscription eventName="EventLogServiceEvents" query="System!*[System[Provider[@Name='Microsoft-Windows-Eventlog']]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column 
name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Other Log cleared events (104)--> <Subscription eventName="LogClearedEvents" query="System!*[System[(EventID=104)]]" 
storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" 
defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- EMET events --> <Subscription eventName="EmetEvents" query="Application!*[System[Provider[@Name='EMET']]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" 
defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- WER events for application crashes only --> <Subscription eventName="WerEvents" query="Application!*[System[Provider[@Name='Windows Error Reporting']] and EventData[Data[3]='APPCRASH']]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > 
<Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- User logged on with a temporary profile (1511); profile could not be created, so a temporary profile was used (1518) --> <Subscription eventName="TempProfileEvents" query="Application!*[System[Provider[@Name='Microsoft-Windows-User Profiles Service'] and (EventID=1511 or 
EventID=1518)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column 
name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Application crash/hang events, similar to WER/1001. These include full path to faulting EXE/Module.--> <Subscription eventName="AppCrashHangEvents" query="Application!*[System[Provider[@Name='Application Error'] and (EventID=1000)] or System[Provider[@Name='Application Hang'] and (EventID=1002)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> 
<Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- AppLocker EXE events --> <Subscription eventName="AppLockerExeEvents" query="Microsoft-Windows-AppLocker/EXE and DLL!*[UserData[RuleAndFileData[PolicyName='EXE']]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> 
</Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- AppLocker Script events --> <Subscription eventName="AppLockerScriptEvents" 
query="Microsoft-Windows-AppLocker/MSI and Script!*" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > 
<Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Task scheduler Task Registered (106), Task Registration Deleted (141), Task Deleted (142) --> <Subscription eventName="TaskSchedulerEvents" query="Microsoft-Windows-TaskScheduler/Operational!*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and (EventID=106 or EventID=141 or EventID=142 )]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" 
defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- AppLocker packaged (Modern UI) app execution --> <Subscription eventName="AppLockerExecutionEvents" query="Microsoft-Windows-AppLocker/Packaged app-Execution!*" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> 
<Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- AppLocker packaged 
(Modern UI) app installation --> <Subscription eventName="AppLockerInstallationEvents" query="Microsoft-Windows-AppLocker/Packaged app-Deployment!*" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > 
<Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Log attempted TS connect to remote server --> <Subscription eventName="TSConnectEvents" query="Microsoft-Windows-TerminalServices-RDPClient/Operational!*[System[(EventID=1024)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > 
<Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Gets all Smart-card Card-Holder Verification (CHV) events (success and failure) performed on the host. 
--> <Subscription eventName="SmartCardEvents" query="Microsoft-Windows-SmartCard-Audit/Authentication!*" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" 
defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Get all successful UNC/mapped-drive connections --> <Subscription eventName="DriveConnectEvents" query="Microsoft-Windows-SMBClient/Operational!*[System[(EventID=30622 or EventID=30624)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" 
defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Modern SysMon event provider--> <Subscription eventName="SysMonEvents" query="Microsoft-Windows-Sysmon/Operational!*" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > 
<Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Modern Windows Defender event provider: detection events (1006-1009) and (1116-1119) --> <Subscription eventName="DefenderEvents" 
query="Microsoft-Windows-Windows Defender/Operational!*[System[( (EventID >= 1006 and EventID <= 1009) or (EventID >= 1116 and EventID <= 1119) )]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > 
<Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> <!-- Code Integrity events --> <Subscription eventName="CodeIntegrityEvents" query="Microsoft-Windows-CodeIntegrity/Operational!*[System[Provider[@Name='Microsoft-Windows-CodeIntegrity'] and (EventID=3076 or EventID=3077)]]" storeType="Local" duration="PT120S" account="AuditStore"> <Column name="ChannelName" defaultAssignment="" > <Value>/Event/System/Channel</Value> </Column> <Column name="Computer" defaultAssignment="" > <Value>/Event/System/Computer</Value> </Column> <Column name="ActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@ActivityID</Value> </Column> <Column name="RelatedActivityId" defaultAssignment="" > <Value>/Event/System/Correlation/@RelatedActivityID</Value> </Column> <Column name="EventData" defaultAssignment="" > <Value>/Event/EventData/*</Value> </Column> <Column name="EventId" defaultAssignment="0" > <Value>/Event/System/EventID</Value> </Column> <Column name="EventMessage" defaultAssignment="" > <Value>GetEventMetadata("Description")</Value> </Column> <Column name="EventRecordId" defaultAssignment="0" > <Value>/Event/System/EventRecordID</Value> </Column> <Column name="Pid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ProcessID</Value> </Column> <Column name="Tid" defaultAssignment="-1" > <Value>/Event/System/Execution/@ThreadID</Value> </Column> <Column name="Keywords" 
defaultAssignment="0x0000000000000000" > <Value>/Event/System/Keywords</Value> </Column> <Column name="KeywordName" defaultAssignment="" > <Value>GetEventMetadata("Keyword")</Value> </Column> <Column name="Level" defaultAssignment="0" > <Value>/Event/System/Level</Value> </Column> <Column name="Opcode" defaultAssignment="0" > <Value>/Event/System/Opcode</Value> </Column> <Column name="OpcodeName" defaultAssignment="" > <Value>GetEventMetadata("Opcode")</Value> </Column> <Column name="ProviderEventSourceName" defaultAssignment="" > <Value>/Event/System/Provider/@EventSourceName</Value> </Column> <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" > <Value>/Event/System/Provider/@Guid</Value> </Column> <Column name="ProviderName" defaultAssignment="" > <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="SecurityUserId" defaultAssignment="" > <Value>/Event/System/Security/@UserID</Value> </Column> <Column name="Task" defaultAssignment="0" > <Value>/Event/System/Task</Value> </Column> <Column name="TaskName" defaultAssignment="" > <Value>GetEventMetadata("Task")</Value> </Column> <Column name="UserData" defaultAssignment="" > <Value>/Event/UserData/*</Value> </Column> <Column name="Version" defaultAssignment="0" > <Value>/Event/System/Version</Value> </Column> </Subscription> </WindowsEventLogSubscriptions> <DerivedEvents> <DerivedEvent source="WirelessLanAuthEvents" duration="PT5M" eventName="AzSWirelessLanAuthEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="NewServiceEvents" duration="PT5M" eventName="AzSNewServiceEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="TSSessionConnectionEvents" duration="PT5M" eventName="AzSTSSessionConnectionEvents" 
physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="NetworkShareAccessEvents" duration="PT5M" eventName="AzSNetworkShareAccessEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="SystemTimeChangeEvents" duration="PT5M" eventName="AzSSystemTimeChangeEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="LocalLogonEvents" duration="PT5M" eventName="AzSLocalLogonEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="LogClearedShutdownEvents" duration="PT5M" eventName="AzSLogClearedShutdownEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="UserInitiatedLogoffEvents" duration="PT5M" eventName="AzSUserInitiatedLogoffEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="UserLogoffEvents" duration="PT5M" eventName="AzSUserLogoffEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="ServiceLogonEvents" duration="PT5M" eventName="AzSServiceLogonEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="NetworkShareCreateDeleteEvents" duration="PT5M" eventName="AzSNetworkShareCreateDeleteEvents" physicalName="AddOnInfraAzSSecurityEvents" 
storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="ProcessCreateEvents" duration="PT5M" eventName="AzSProcessCreateEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="EventLogSecurityChannelServiceEvents" duration="PT5M" eventName="AzSEventLogSecurityChannelServiceEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="NewLogonWithAdminAccessEvents" duration="PT5M" eventName="AzSNewLogonWithAdminAccessEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="NewUserAddedToSecurityGroupEvents" duration="PT5M" eventName="AzSNewUserAddedToSecurityGroupEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="UserRemovedFromLocalAdminEvents" duration="PT5M" eventName="AzSUserRemovedFromLocalAdminEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="CertificateEvents" duration="PT5M" eventName="AzSCertificateEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="UserAccountEvents" duration="PT5M" eventName="AzSUserAccountEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="AntiMalwareEvents" duration="PT5M" eventName="AzSAntiMalwareEvents" physicalName="AddOnInfraAzSSecurityEvents" 
storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="SystemUpDownEvents" duration="PT5M" eventName="AzSSystemUpDownEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="ServiceEvents" duration="PT5M" eventName="AzSServiceEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="ShutdownIniEvents" duration="PT5M" eventName="AzSShutdownIniEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="EventLogServiceEvents" duration="PT5M" eventName="AzSEventLogServiceEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="LogClearedEvents" duration="PT5M" eventName="AzSLogClearedEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="EmetEvents" duration="PT5M" eventName="AzSEmetEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="WerEvents" duration="PT5M" eventName="AzSWerEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="TempProfileEvents" duration="PT5M" eventName="AzSTempProfileEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="AppCrashHangEvents" duration="PT5M" 
eventName="AzSAppCrashHangEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="AppLockerExeEvents" duration="PT5M" eventName="AzSAppLockerExeEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="AppLockerScriptEvents" duration="PT5M" eventName="AzSAppLockerScriptEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="TaskSchedulerEvents" duration="PT5M" eventName="AzSTaskSchedulerEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="AppLockerExecutionEvents" duration="PT5M" eventName="AzSAppLockerExecutionEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="AppLockerInstallationEvents" duration="PT5M" eventName="AzSAppLockerInstallationEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="TSConnectEvents" duration="PT5M" eventName="AzSTSConnectEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="SmartCardEvents" duration="PT5M" eventName="AzSSmartCardEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="DriveConnectEvents" duration="PT5M" eventName="AzSDriveConnectEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" 
whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="SysMonEvents" duration="PT5M" eventName="AzSSysMonEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="DefenderEvents" duration="PT5M" eventName="AzSDefenderEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> </Query> </DerivedEvent> <DerivedEvent source="CodeIntegrityEvents" duration="PT5M" eventName="AzSCodeIntegrityEvents" physicalName="AddOnInfraAzSSecurityEvents" storeType="CentralBond" whereToRun="Local" account="AuditStore" > <Query> <![CDATA[ where RegexMatch(EventMessage, "load \\Device\\\w+\\Windows\\assembly\\NativeImages") == "" && RegexMatch(EventMessage, "load \\Device\\\w+\\Windows\\Microsoft.NET\\assembly\\GAC_\d+\\MSBuild\\.*\\MSBuild.exe") == "" ]]> </Query> </DerivedEvent> </DerivedEvents> </Events> </MonitoringManagement> |