forked from fib0nacci/WindowsLogging
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathDomainControllers.XML
78 lines (66 loc) · 3.82 KB
/
DomainControllers.XML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
<SubscriptionId>DomainControllerWEC</SubscriptionId>
<SubscriptionType>SourceInitiated</SubscriptionType>
<Description>events from Domain Controllers</Description>
<Enabled>true</Enabled>
<Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
<ConfigurationMode>MinLatency</ConfigurationMode>
<Query>
<![CDATA[
<QueryList>
<Query Id="0" Path="Security">
<!-- All Security events-->
<Select Path="Security">*[System[(EventID!=5156)]]</Select>
</Query>
<Query Id="1" Path="Microsoft-Windows-WinRM/Operational">
<!--REmote operational logs-->
<Select>*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]</Select>
</Query>
<Query Id="2" Path="Microsoft-Windows-PowerShell/Operational">
<!-- PowerShell execute block activity (4103), Remote Command(4104), Start Command(4105), Stop Command(4106) -->
<Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventId=4104 or EventId=4105 or EventId=4106)]]</Select>
</Query>
<Query Id="3" Path="Windows PowerShell">
<!-- Legacy PowerShell pipeline execution details (800) -->
<Select Path="Windows PowerShell">*[System[(EventID=800)]]</Select>
</Query>
<Query Id="4" Path="System">
<!-- Shutdown initiate requests, with user, process and reason (if supplied) -->
<Select Path="System">*[System[Provider[@Name='USER32'] and (EventID=1074)]]</Select>
</Query>
<Query Id="5" Path="System">
<!-- Event log service events -->
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Eventlog']]]</Select>
</Query>
<Query Id="6" Path="Microsoft-Windows-TaskScheduler/Operational">
<!-- Task scheduler Task Registered (106), Task Registration Deleted (141), Task Deleted (142) -->
<Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and (EventID=106 or EventID=141 or EventID=142 )]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and (EventID=106 or EventID=141 or EventID=142 )]]</Select>
</Query>
<Query Id="7" Path="System">
<!-- System startup (12 - includes OS/SP/Version) and shutdown -->
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=12 or EventID=13)]]</Select>
</Query>
<Query Id="8" Path="System">
<!-- Service Install (7000), service start failure (7045), new service (4697) -->
<Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID = 7000 or EventID=7045)]]</Select>
</Query>
<Query Id="9" Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">
<!-- Log attempted TS connect to remote server -->
<Select Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">*[System[(EventID=1024)]]</Select>
</Query>
<Query Id="10" Path="Microsoft-Windows-SMBClient/Operational">
<!-- get all UNC/mapped drive successful connection -->
<Select Path="Microsoft-Windows-SMBClient/Operational">*[System[(EventID=30622 or EventID=30624)]]</Select>
</Query>
</QueryList>
]]>
</Query>
<ReadExistingEvents>true</ReadExistingEvents>
<TransportName>HTTP</TransportName>
<ContentFormat>RenderedText</ContentFormat>
<Locale Language="en-US"/>
<LogFile>ForwardedEvents</LogFile>
<AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
<AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>