<?xml version="1.0" encoding="UTF-8"?>
<!-- Windows Event Forwarding (WEF) subscription "CoreEvents": forwarders push a small set of
high-value security events to this collector, which writes them to its ForwardedEvents log. -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
<SubscriptionId>CoreEvents</SubscriptionId>
<!-- SourceInitiated: the forwarders open the connection to the collector, not the other way round. -->
<SubscriptionType>SourceInitiated</SubscriptionType>
<Description>CoreEvents</Description>
<Enabled>true</Enabled>
<Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
<!-- Custom: the Delivery settings below apply instead of one of the built-in delivery profiles. -->
<ConfigurationMode>Custom</ConfigurationMode>
<Delivery Mode="Push">
<Batching>
<!-- A forwarder holds events for at most 1000 ms before pushing a batch. -->
<MaxLatencyTime>1000</MaxLatencyTime>
</Batching>
<PushSettings>
<!-- Heartbeat every 60000 ms (60 s); a forwarder that stops heartbeating shows up as inactive on the collector. -->
<Heartbeat Interval="60000"/>
</PushSettings>
</Delivery>
<!-- The CDATA block is the literal QueryList handed to each forwarder (XML inside XML, hence CDATA).
Each Query selects one event ID from one channel:
  Id 0: Security 4720, a user account was created
  Id 1: Security 1102, the audit (Security) log was cleared
  Id 2: System 7045, a service was installed
  Id 3: TaskScheduler/Operational 106, a scheduled task was registered
  Id 4: TaskScheduler/Operational 200, a scheduled task action was started
Edit the CDATA text only as a whole; comments inside it are part of the forwarded query string. -->
<Query>
<![CDATA[
<QueryList>
<!-- event for new local account created-->
<Query Id="0">
<Select Path="Security">*[System[(EventID=4720)]]</Select>
</Query>
<!-- Security Event Log cleared-->
<Query Id="1">
<Select Path="Security">*[System[(EventID=1102)]]</Select>
</Query>
<!-- New Service Installed-->
<Query Id="2">
<Select Path="System">*[System[(EventID=7045)]]</Select>
</Query>
<!--Scheduled Task Registered-->
<Query Id="3"><Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[(EventID=106)]]</Select>
</Query>
<!--Scheduled Task Executed-->
<Query Id="4"><Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[(EventID=200)]]</Select>
</Query>
</QueryList>
]]>
</Query>
<!-- true: on first connection a forwarder also sends matching events already in its logs, not just new ones;
expect a burst when the subscription is first rolled out. -->
<ReadExistingEvents>true</ReadExistingEvents>
<!-- HTTP here selects the WinRM HTTP listener. NOTE(review): with Kerberos authentication WinRM still
applies message-level encryption, so this is not plaintext for domain-joined forwarders; confirm that
no non-domain (certificate) sources are expected, since those require HTTPS. -->
<TransportName>HTTP</TransportName>
<!-- RenderedText includes the localized message text with each event (larger than the raw Events format). -->
<ContentFormat>RenderedText</ContentFormat>
<Locale Language="en-US"/>
<!-- Destination channel on the collector. -->
<LogFile>ForwardedEvents</LogFile>
<PublisherName>Microsoft-Windows-EventCollector</PublisherName>
<!-- Left empty: no certificate-authenticated (non-domain) sources are permitted by this subscription. -->
<AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
<!-- SDDL controlling which domain principals may connect as event sources.
O:NS owner Network Service; G:BA group Builtin Administrators; D:P protected DACL;
(A;;GA;;;DC) and (A;;GA;;;DD) grant full access to the well-known SIDs Domain Computers (DC) and
Domain Controllers (DD); S: empty SACL. Note that DD is Domain Controllers, not Domain Users (that alias is DU).
These two-letter aliases presumably resolve against the collector's own domain; for forwarders in other
domains, add those domains' group SIDs explicitly. Easiest way: create a subscription in the Event Viewer
GUI, export it, and paste this field from the export. -->
<AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>