forked from nsacyber/Event-Forwarding-Guidance
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathLSA Protection.xml
More file actions
50 lines (46 loc) · 1.76 KB
/
LSA Protection.xml
File metadata and controls
50 lines (46 loc) · 1.76 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
<SubscriptionId>Additional LSA Protection</SubscriptionId>
<SubscriptionType>SourceInitiated</SubscriptionType>
<Description>Events for additional LSA protection issues</Description>
<Enabled>false</Enabled>
<Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
<ConfigurationMode>Custom</ConfigurationMode>
<Delivery Mode="Push">
<Batching>
<MaxItems>1</MaxItems>
<MaxLatencyTime>1000</MaxLatencyTime>
</Batching>
<PushSettings>
<Heartbeat Interval="40000"/>
</PushSettings>
</Delivery>
<Query>
<![CDATA[
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Wininit/Diagnostic">
<!-- Code Integrity events -->
<Select Path="Microsoft-Windows-CodeIntegrity/Operational">
*[System[Provider[@Name='Microsoft-Windows-CodeIntegrity']
and (EventID=3033 or EventID=3063 or EventID=3065 or EventID=3066)]]
</Select>
</Query>
<Query Id="1" Path="System">
<!-- Process startup events -->
<Select Path="System">
*[System[Provider[@Name='Microsoft-Windows-Wininit']
and (EventID=12)]]
</Select>
</Query>
</QueryList>
]]>
</Query>
<ReadExistingEvents>true</ReadExistingEvents>
<TransportName>HTTP</TransportName>
<ContentFormat>RenderedText</ContentFormat>
<Locale Language="en-AU"/>
<LogFile>ForwardedEvents</LogFile>
<PublisherName>Microsoft-Windows-EventCollector</PublisherName>
<AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
<AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>