Obs/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/AzSecMdsSystemEventsOffline_AsmSysCmd_Powershell-Content.xml

<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2023-06-08T00:58:42.4731192Z">
  <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.27.0.4 -->
  <!--
    Standard security events collected for various reporting and alerting purposes including:
    - security monitoring
    - evidence for compliance reporting
    - vulnerability analysis

    All MDS tables declared in this file use one of the following MDS account aliases, which must be declared in the service's main MDS configuration.
    This enables uploading different classes of data to different storage accounts, but is not required. The aliases provide a logical storage
    account mapping that can all write to a single account or to separate accounts, depending on how the service chooses to secure its data.
    The aliases are:
        AuditStore - associated with tables that may include events with PII
        AzSecurityStore - associated with all other security monitoring tables that do not contain PII
    Decided to only use AuditStore for events written to the AsmSysSecurity table, to avoid edge-case confusion.
    The only table declared in this file (AsmSysCmd, see the DerivedEvent below) is written through the AzSecurityStore alias.
    -->
  <Events>
    <WindowsEventLogSubscriptions>
      <!--Add PowerShell Events 4103 (execute remote command) & 40962 (Console ready). 4/7/2016
              This is to enable security monitoring to look for unexpected activities.
              Did not include Event 800, to avoid duplication in certain legacy environments.
              Added ThreadID. It was missed in the earlier version and exists in the event log. 4/18/2016
              Added Events 4104-4106 for SCUBA detections. 4/27/2016
              -->
      <!--
          NOTE(review): the change history above mentions EventIDs 4103 and 4104 and a ThreadID column, but the
          subscription query below selects only EventIDs 4105, 4106 and 40962, and no ThreadID column is mapped.
          Confirm that 4103 (module/pipeline logging) and 4104 (script-block logging) are collected by another
          subscription in this package; if they are not, the script text executed through PowerShell is not
          captured by this file, which matters for detection coverage.
          -->
      <!--
          Local subscription to the Microsoft-Windows-PowerShell/Operational channel. The text after "!" in the
          query attribute is an XPath filter over the event XML, so only the listed EventIDs are selected.
          storeType="Local" keeps the rows on the node, where the AsmSysCmd DerivedEvent below reads them as its
          source (source="AsmSysCmdLocal").

          Each Column maps an XPath over the event XML to a table column of the same name. The EventPayload
          column carries defaultAssignment="", which presumably supplies an empty string when
          /Event/EventData/Data is absent from an event; verify against the agent documentation.
          -->
      <Subscription eventName="AsmSysCmdLocal" query="Microsoft-Windows-PowerShell/Operational!*[System[(EventID=4105) or (EventID=4106) or (EventID=40962)]]" storeType="Local">
        <Column name="EventProvider">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="EventType">
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="TimeCreated">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data</Value>
        </Column>
      </Subscription>
    </WindowsEventLogSubscriptions>
    <!--Derived Events to tag the Security Events with Azure Identity-->
    <!--
        AsmSysCmd: central table (storeType="CentralBond") fed from the AsmSysCmdLocal rows above, uploaded through
        the AzSecurityStore alias (the non-PII alias per the header comment) and retained for 30 days.
        duration="PT10S" and retryTimeout="PT5M" are ISO 8601 durations (10 seconds, 5 minutes); their exact
        batching and retry semantics are defined by the agent, not in this file.

        The query enriches every local event with identity fields read from static environment variables
        (ReportingIdentity, AssetIdentity, CRPVMId, ServiceId, SubscriptionId) so that central consumers can
        attribute a PowerShell event to a specific VM, service and subscription. ComputerName falls back to
        COMPUTERNAME when MA_COMPUTERNAME_FQDN is empty. EventPayload is rewritten as the original payload prefixed
        with "!!"; the reason for that marker is not stated here, and downstream parsers of AsmSysCmd are presumably
        expected to strip or key on it. Note that the payload of these events may contain command text supplied by
        whoever ran PowerShell, so consumers should treat it as untrusted input.
        -->
    <DerivedEvents>
      <DerivedEvent source="AsmSysCmdLocal" eventName="AsmSysCmd" storeType="CentralBond" duration="PT10S" priority="Low" retryTimeout="PT5M" account="AzSecurityStore" retentionInDays="30">
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            let EventPayload = Concat("", "!!", EventPayload)
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, TimeCreated, EventPayload, CRPVMId, ServiceId, SubscriptionId, ComputerName
            ]]></Query>
      </DerivedEvent>
    </DerivedEvents>
  </Events>
</MonitoringManagement>