Obs/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/ReservedEventsTeam1Offline-HostIds.xml

<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2023-06-08T00:58:42.4731192Z">
  <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.27.0.4 -->
  <Events>
    <WindowsEventLogSubscriptions>
      <!-- Security events -->
      <!-- Capture all Security events that do not require further filtering, excluding unnecessary or high-volume events -->
      <Subscription eventName="HostIdsSecurityLocal" query="Security!*[System[(EventID!=4624) and (EventID!=4634) and (EventID!=4663) and (EventID!=4672) and (EventID!=4769) and (EventID!=5156) and (EventID!=5145) and (EventID!=5158) and (EventID!=5447) and (EventID!=33205) and (EventID!=4688)]]" storeType="Local">
        <!-- Catch-all Security stream. Of the excluded IDs, 4624, 4663 and 4688 are re-captured by
             dedicated subscriptions below (LogonType filter, object-access filter and credential
             redaction respectively); the remaining excluded IDs are not captured by any
             subscription in this file. Rows from this stream are uploaded by the
             HostIdsSecurityLocal DerivedEvent with EventPayload sent as-is (no redaction pass). -->
        <Column name="TimeCreated" type="mt:utc" defaultAssignment="">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="Computer" defaultAssignment="">
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="EventProvider" defaultAssignment="">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="EventType" type="mt:int32" defaultAssignment="0">
          <Value>/Event/System/EventID</Value>
        </Column>
        <!-- Union of the EventData and UserData layouts so either shape of event body is captured -->
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data | /Event/UserData/*/* | /Event/UserData/*</Value>
        </Column>
        <Column name="Level" type="mt:int32" defaultAssignment="4">
          <Value>/Event/System/Level</Value>
        </Column>
      </Subscription>
      <Subscription eventName="HostIdsSecurityLocalProcessExecute" query="Security!*[System[(EventID=4688)]]" storeType="Local">
        <!-- 4688 is split into its own stream so that its DerivedEvent can run the CredRedaction
             pass over EventPayload before upload; no other stream in this file receives that pass.
             Column layout is identical to the catch-all Security subscription. -->
        <Column name="TimeCreated" type="mt:utc" defaultAssignment="">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="Computer" defaultAssignment="">
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="EventProvider" defaultAssignment="">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="EventType" type="mt:int32" defaultAssignment="0">
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data | /Event/UserData/*/* | /Event/UserData/*</Value>
        </Column>
        <Column name="Level" type="mt:int32" defaultAssignment="4">
          <Value>/Event/System/Level</Value>
        </Column>
      </Subscription>
      <!-- Capture Security event 4624, excluding events with LogonType=3 -->
      <Subscription eventName="HostIdsSecurityLocal" query="Security!*[System[(EventID=4624)] and (EventData/Data[@Name='LogonType']!=3)]" storeType="Local">
        <!-- Second feeder of HostIdsSecurityLocal: 4624 only, and only when LogonType is not 3.
             Because the catch-all subscription excludes 4624 entirely, LogonType=3 logons are not
             collected anywhere in this config.
             NOTE(review): confirm that gap is the intended coverage and not only a volume trade-off. -->
        <Column name="TimeCreated" type="mt:utc" defaultAssignment="">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="Computer" defaultAssignment="">
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="EventProvider" defaultAssignment="">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="EventType" type="mt:int32" defaultAssignment="0">
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data | /Event/UserData/*/* | /Event/UserData/*</Value>
        </Column>
        <Column name="Level" type="mt:int32" defaultAssignment="4">
          <Value>/Event/System/Level</Value>
        </Column>
      </Subscription>
      <!-- Capture Security event 4663. These events are filtered to include only certain object types in a DerivedEvent. -->
      <Subscription eventName="HostIdsSecurityObjAccessLocal" query="Security!*[System[(EventID=4663)]]" storeType="Local">
        <!-- Local-only staging stream for 4663. The HostIdsSecurityObjAccessLocal DerivedEvent keeps
             only rows whose ObjectName ends in one of its listed extensions and forwards those into
             HostIdsSecurityLocal; nothing from this stream is uploaded directly. -->
        <Column name="TimeCreated" type="mt:utc" defaultAssignment="">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="Computer" defaultAssignment="">
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="EventProvider" defaultAssignment="">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <!-- NOTE(review): no defaultAssignment here, unlike the "0" used by the three Security
             subscriptions above; confirm whether an int32 column without a default is acceptable
             to the agent when EventID is missing. -->
        <Column name="EventType" type="mt:int32">
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data | /Event/UserData/*/* | /Event/UserData/*</Value>
        </Column>
        <!-- Extra column: the filter key used by the DerivedEvent on this stream -->
        <Column name="ObjectName" defaultAssignment="">
          <Value>/Event/EventData/Data[@Name='ObjectName']</Value>
        </Column>
        <Column name="Level" type="mt:int32" defaultAssignment="4">
          <Value>/Event/System/Level</Value>
        </Column>
      </Subscription>
      <!-- System events -->
      <!-- Capture System events -->
      <Subscription eventName="HostIdsSystemLocal" query="System!*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and (EventID=104)] or System[Provider[@Name='Service Control Manager'] and (EventID=7034 or EventID=7045)]]" storeType="Local">
        <!-- Only three System-log events are collected: Eventlog provider ID 104 and Service Control
             Manager IDs 7034 and 7045 (presumably log-clear and service crash/install respectively;
             confirm against the provider manifests). Two further subscriptions below also feed
             HostIdsSystemLocal with antimalware events. -->
        <Column name="TimeCreated" type="mt:utc" defaultAssignment="">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="Computer" defaultAssignment="">
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="EventProvider" defaultAssignment="">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <!-- NOTE(review): EventType has no defaultAssignment here while the Security subscriptions
             use "0"; confirm this is tolerated by the agent. -->
        <Column name="EventType" type="mt:int32">
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data | /Event/UserData/*/* | /Event/UserData/*</Value>
        </Column>
        <Column name="Level" type="mt:int32" defaultAssignment="4">
          <Value>/Event/System/Level</Value>
        </Column>
      </Subscription>
      <!-- Capture Antimalware events -->
      <Subscription eventName="HostIdsSystemLocal" query="System!*[System[Provider[@Name='Microsoft Antimalware'] and (EventID=1116 or EventID=1117 or EventID=1118 or EventID=1119 or EventID=2001 or EventID=5007)]]" storeType="Local">
        <!-- Antimalware events written by the "Microsoft Antimalware" provider into the System log.
             The same six IDs are also read from the Windows Defender Operational channel in the next
             subscription; both feed HostIdsSystemLocal, so a host emitting to both channels would
             produce two rows per event. -->
        <Column name="TimeCreated" type="mt:utc" defaultAssignment="">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="Computer" defaultAssignment="">
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="EventProvider" defaultAssignment="">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="EventType" type="mt:int32">
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data | /Event/UserData/*/* | /Event/UserData/*</Value>
        </Column>
        <Column name="Level" type="mt:int32" defaultAssignment="4">
          <Value>/Event/System/Level</Value>
        </Column>
      </Subscription>
      <!-- Capture Antimalware events on Server 2016 -->
      <Subscription eventName="HostIdsSystemLocal" query="Microsoft-Windows-Windows Defender/Operational!*[System[(EventID=1116 or EventID=1117 or EventID=1118 or EventID=1119 or EventID=2001 or EventID=5007)]]" storeType="Local">
        <!-- Same six antimalware IDs as the System-log subscription above, read from the Defender
             Operational channel instead (no provider filter on this channel). -->
        <Column name="TimeCreated" type="mt:utc" defaultAssignment="">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="Computer" defaultAssignment="">
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="EventProvider" defaultAssignment="">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="EventType" type="mt:int32">
          <Value>/Event/System/EventID</Value>
        </Column>
        <!-- NOTE(review): omits the "/Event/UserData/*" branch that the Security and System-log
             subscriptions include; confirm this is deliberate for this channel rather than drift. -->
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data | /Event/UserData/*/*</Value>
        </Column>
        <Column name="Level" type="mt:int32" defaultAssignment="4">
          <Value>/Event/System/Level</Value>
        </Column>
      </Subscription>
      <!-- Capture AppLocker events -->
      <Subscription eventName="HostIdsAppLockerLocal" query="Microsoft-Windows-AppLocker/EXE and DLL!*" storeType="Local">
        <!-- Every event on the AppLocker "EXE and DLL" channel is collected; there is no EventID
             filter, so allow, audit and block outcomes all arrive here (if the channel emits them).
             The "MSI and Script" channel feeds the same HostIdsAppLockerLocal stream. -->
        <Column name="TimeCreated" type="mt:utc" defaultAssignment="">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="Computer" defaultAssignment="">
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="EventProvider" defaultAssignment="">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="EventType" type="mt:int32">
          <Value>/Event/System/EventID</Value>
        </Column>
        <!-- NOTE(review): omits the "/Event/UserData/*" branch used by the Security subscriptions;
             confirm this is deliberate for AppLocker's event layout. -->
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data | /Event/UserData/*/*</Value>
        </Column>
        <Column name="Level" type="mt:int32" defaultAssignment="4">
          <Value>/Event/System/Level</Value>
        </Column>
      </Subscription>
      <Subscription eventName="HostIdsAppLockerLocal" query="Microsoft-Windows-AppLocker/MSI and Script!*" storeType="Local">
        <!-- Every event on the AppLocker "MSI and Script" channel, unfiltered, into the same
             HostIdsAppLockerLocal stream as the "EXE and DLL" channel; column layout is identical. -->
        <Column name="TimeCreated" type="mt:utc" defaultAssignment="">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="Computer" defaultAssignment="">
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="EventProvider" defaultAssignment="">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="EventType" type="mt:int32">
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data | /Event/UserData/*/*</Value>
        </Column>
        <Column name="Level" type="mt:int32" defaultAssignment="4">
          <Value>/Event/System/Level</Value>
        </Column>
      </Subscription>
      <!-- HostIDS events -->
      <!-- Capture operational log events from HostIDS -->
      <Subscription eventName="HostIdsOperationsLogEventsLocal" query="HostIDS Operations Log!*" storeType="Local">
        <!-- Unfiltered read of the agent's own "HostIDS Operations Log" channel. This block's column
             attributes drift from the other subscriptions in three places (called out below);
             none of them is obviously wrong, but they should be reconciled on the next edit. -->
        <Column name="TimeCreated" type="mt:utc" defaultAssignment="">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="Computer" defaultAssignment="">
          <Value>/Event/System/Computer</Value>
        </Column>
        <!-- NOTE(review): only EventProvider column in the file without defaultAssignment -->
        <Column name="EventProvider">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <!-- NOTE(review): an empty-string default on an mt:int32 column; every other typed EventType
             uses "0" or no default at all. Confirm the agent accepts "" for an int32. -->
        <Column name="EventType" type="mt:int32" defaultAssignment="">
          <Value>/Event/System/EventID</Value>
        </Column>
        <!-- Reads EventData/Data only; UserData is not consulted for this channel -->
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data</Value>
        </Column>
        <Column name="Level" type="mt:int32" defaultAssignment="4">
          <Value>/Event/System/Level</Value>
        </Column>
      </Subscription>
    </WindowsEventLogSubscriptions>
    <DerivedEvents>
      <!-- HostIDS events -->
      <!-- Filter Security event 4663 to include only certain object types -->
      <DerivedEvent source="HostIdsSecurityObjAccessLocal" eventName="HostIdsSecurityLocal" storeType="Local" duration="PT5M" whereToRun="Local">
        <!-- Narrows the staged 4663 rows to ObjectName values whose final extension is one of the
             listed web/script/library types ("gi" = case-insensitive, global), adds the identity
             columns, and writes the result into the local HostIdsSecurityLocal stream, from which the
             AsmSec1Data upload below picks it up. The "$" anchor means only the last extension counts
             (e.g. a name ending in ".dll" matches, one ending in ".dll.bak" does not).
             ComputerName falls back to COMPUTERNAME when MA_COMPUTERNAME_FQDN is empty. -->
        <Query><![CDATA[
            where RegexCount(ObjectName, "\.(ascx|ashx|asp|aspx|asmx|axd|cer|cshtm|cshtml|json|rem|rules|shtml|stm|svc|soap|vbhtml|xamlx|xoml|dll)$", "gi") >= 1
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select TimeCreated,
              ReportingIdentity,
              AssetIdentity,
              Computer,
              EventProvider,
              EventType,
              EventPayload,
              ObjectName,
              Level,
              CRPVMId,
              ServiceId,
              SubscriptionId,
              ComputerName
            ]]></Query>
      </DerivedEvent>
      <!-- Augment Security events with identity information and upload to MDS -->
      <DerivedEvent source="HostIdsSecurityLocal" eventName="AsmSec1Data" storeType="CentralBond" duration="PT5M" account="AzSecurityStore" whereToRun="Local">
        <!-- Uploads everything in HostIdsSecurityLocal (the catch-all and 4624 subscriptions plus the
             filtered 4663 rows) to AzSecurityStore with the identity columns added.
             ObjectName from the 4663 rows is not in the select list, so it is dropped at upload.
             EventPayload is sent as-is; the credential-redaction pass exists only on the
             HostIdsSecurityLocalProcessExecute DerivedEvent. -->
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select TimeCreated,
              ReportingIdentity,
              AssetIdentity,
              Computer,
              EventProvider,
              EventType,
              EventPayload,
              Level,
              CRPVMId,
              ServiceId,
              SubscriptionId,
              ComputerName
            ]]></Query>
      </DerivedEvent>
      <DerivedEvent source="HostIdsSecurityLocalProcessExecute" eventName="AsmSec1Data" storeType="CentralBond" duration="PT5M" account="AzSecurityStore" whereToRun="Local">
        <!-- Uploads 4688 rows with EventPayload run through a credential-redaction chain.
             Two gates must both pass before any substitution runs:
               1. AZSECPACK_DISABLED_FEATURES does not contain "CredRedaction";
               2. the RegexMatch detection pattern returns a non-empty match on EventPayload.
             If either gate fails, redacted12 keeps the raw EventPayload (its initial value) and the
             payload is uploaded unredacted. When both pass, twelve RegexSubst calls run in a fixed
             chain, each over the previous result, and the final value is selected as EventPayload.

             NOTE(review): the detection pattern is a pre-filter for the substitutions. A value that
             one of the RegexSubst patterns could scrub but the pre-filter does not anticipate is
             skipped silently, so the two pattern sets must be kept in step whenever either is edited.
             NOTE(review): backslash escaping is mixed within this one query ("\\s", "\\." in the
             detection pattern and in the JWT substitution, "\s", "\." in most other substitutions).
             Which form the query language's string literals expect decides whether part of the chain
             matches literally; verify with a constructed test payload rather than by reading.
             NOTE(review): the class "[^\s-;,!\"#]" in the GENERAL_PASSWORD substitution contains a
             "\s-;" range, which regex engines treat differently; confirm it behaves as intended. -->
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            let redacted1 = ""
            let redacted2 = ""
            let redacted3 = ""
            let redacted4 = ""
            let redacted5 = ""
            let redacted6 = ""
            let redacted7 = ""
            let redacted8 = ""
            let redacted9 = ""
            let redacted10 = ""
            let redacted11 = ""
            let redacted12 = EventPayload
            let regexMatchExists = ""
            let IsFeatureDisabled = ToString(GetStaticEnvironmentVariable("AZSECPACK_DISABLED_FEATURES"))
            if(!IsFeatureDisabled.contains("CredRedaction"))
            {
              regexMatchExists = RegexMatch(EventPayload,"(?i)pa?s*w[^e]o?r?d?[^l]|pass|snmp|[^ ]key[^w]|(?-i)SharePointOnlineAuthenticatedContext(?i)|(?i)twilioauth|authorization[,\\[:= \"']+(basic|digest|hoba|mutual|negotiate|oauth( oauth_token=)?|bearer)|(?-i)eyJ(?i)|Credential|Secure|Secret|_Token|Refresh\\s?Token|Access\\s?Token|SAS\\s?Token|token|(?-i)PAT(?i)|Personal\\s?Access\\s?Token|Token\\s?Cache|Cache\\s?Token|bearer|-p |-pa |-pass |://[^\\s]{0,36}:|X509Certificates2?|Ansible|(?-i)MII(?i)|xox|v1\\.|(?-i)AIza(?i)|[a-f0-9]{20,}|[a-z0-9/+]{30}=|(?-i)[a-z2-7]{52}\\W(?i)|Sig=|Code=|-u");
              if(regexMatchExists!=""){
                redacted1=RegexSubst(EventPayload,"(?i)(TokenBrokerCookies\.exe\s.*?)eyJ.*","$1TOKEN_BROKER_COOKIE_REDACTED", "g");
                redacted2=RegexSubst(redacted1,"(^|[^\w])(?:[A-Za-z0-9/\\+]{43}=|[A-Za-z0-9/\\+]{86}==|[A-Za-z2-7]{52}|[A-Za-z0-9%]{43,63}%3d)($|[^\w=])", "$1SYMM_KEY_REDACTED$2", "g");
                redacted3=RegexSubst(redacted2,"(^|[^\w])(?:eyJ[A-Za-z0-9_%-]+\\.eyJ[A-Za-z0-9_%-]+\\.[A-Za-z0-9_%-]+)($|[^\w=])", "$1JWT_REDACTED$2", "g");
                redacted4=RegexSubst(redacted3,"(?i)((?:sig|apiKey)[=}\\',]+)(?:[^;,&]+)","$1SAS_OR_APIKEY_REDACTED", "g");
                redacted5=RegexSubst(redacted4,"(://)[^: ]+:[^@]+@","$1URI_CRED_REDACTED@", "g");
                redacted6=RegexSubst(redacted5,"((?i:(?:\"?Authorization\"?:?\s?\"?)?(?:Bearer|Basic|Digest)\s))(?:\S+?)([;\"]?\s|$)", "$1HTTP_AUTH_REDACTED$2", "g");
                redacted7=RegexSubst(redacted6,"(?i)((?:(?:b[^y]|[^b][^y]|[^b]y|^.?)pass(?:word)?|pwd|key|token|secret)s?\"?[\' =:+]+(?:\"|%22)?|Container(?:Up|Down)loader.exe.*?\/ST:\"?)([^\s-;,!\"#][^%\s;,!\"#]{3,})", "$1GENERAL_PASSWORD_REDACTED", "g");
                redacted8=RegexSubst(redacted7,"(?i)(\W)(?:[0-9A-F]{20,31}|[0-9A-F]{33,39}|[0-9A-F]{41,})(\W)", "$1SUSPICIOUS_HEX_STRING_REDACTED$2", "g");
                redacted9=RegexSubst(redacted8,"((?i:docker.*)\slogin\s.*-p(?:assword)?[\"\']?\s+)\S*", "$1DOCKER_CREDENTIALS_REDACTED", "g");
                redacted10=RegexSubst(redacted9,"((?i)(?:psexec|certutil).*\s[\"\']?[-/]p\s+)\S*", "$1COMMON_UTILITY_CREDENTIALS_REDACTED", "g");
                redacted11=RegexSubst(redacted10,"((?i)(?:-u(?:ser)?[=: ]+\s*\S+\s*-(?:p(?:ass|w)?(?:word)?)?[=: ]+\s*))(\S*)", "$1USER_PASSWORD_REDACTED", "g");
                redacted12=RegexSubst(redacted11,"((?i)(?:curl(?:.exe)?(?:\")?\s+-u\s+\S+:))(\S+)", "$1CURL_PASSWORD_REDACTED", "g");
              }
            }
            select TimeCreated,
              ReportingIdentity,
              AssetIdentity,
              Computer,
              EventProvider,
              EventType,
              redacted12 as EventPayload,
              Level,
              CRPVMId,
              ServiceId,
              SubscriptionId,
              ComputerName
            ]]></Query>
      </DerivedEvent>
      <!-- System events -->
      <!-- Augment System events with identity information and upload to MDS -->
      <DerivedEvent source="HostIdsSystemLocal" eventName="AsmSec1Data" storeType="CentralBond" duration="PT5M" account="AzSecurityStore" whereToRun="Local">
        <!-- Uploads the merged HostIdsSystemLocal stream (Eventlog/SCM events plus both antimalware
             channels) to AzSecurityStore with the identity columns added; EventPayload is sent as-is.
             ComputerName falls back to COMPUTERNAME when MA_COMPUTERNAME_FQDN is empty. -->
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select TimeCreated,
              ReportingIdentity,
              AssetIdentity,
              Computer,
              EventProvider,
              EventType,
              EventPayload,
              Level,
              CRPVMId,
              ServiceId,
              SubscriptionId,
              ComputerName
            ]]></Query>
      </DerivedEvent>
      <!-- AppLocker events -->
      <!-- Augment AppLocker events with identity information and upload to MDS -->
      <DerivedEvent source="HostIdsAppLockerLocal" eventName="AsmSec1Data" storeType="CentralBond" duration="PT5M" account="AzSecurityStore" whereToRun="Local">
        <!-- Uploads both AppLocker channels (merged in HostIdsAppLockerLocal) to AzSecurityStore with
             the identity columns added; same select list as the Security and System uploads, with
             EventPayload sent as-is. -->
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select TimeCreated,
              ReportingIdentity,
              AssetIdentity,
              Computer,
              EventProvider,
              EventType,
              EventPayload,
              Level,
              CRPVMId,
              ServiceId,
              SubscriptionId,
              ComputerName
            ]]></Query>
      </DerivedEvent>
      <!-- HostIDS events -->
      <!-- Augment HostIDS events with identity information and upload to MDS -->
      <DerivedEvent source="HostIdsOperationsLogEventsLocal" eventName="AsmSec1Data" storeType="CentralBond" duration="PT5M" account="AzSecurityStore" whereToRun="Local">
        <!-- Uploads the agent's own operations-log events to AzSecurityStore with the identity
             columns added. This is the fifth DerivedEvent writing to AsmSec1Data; all five share
             the same select list, so the consumer sees one schema regardless of source. -->
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select TimeCreated,
              ReportingIdentity,
              AssetIdentity,
              Computer,
              EventProvider,
              EventType,
              EventPayload,
              Level,
              CRPVMId,
              ServiceId,
              SubscriptionId,
              ComputerName
            ]]></Query>
      </DerivedEvent>
    </DerivedEvents>
  </Events>
</MonitoringManagement>