Obs/bin/MAWatchdog/CommonSecurityAuditEx.xml

<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0" namespace="AddOnInfra" timestamp="2014-08-18T09:09:36.7355239Z">
  <Events>
    <WindowsEventLogSubscriptions>
      
      <!-- DISABLED: the NetworkLogonEvents subscription below (4624 with LogonType 3, i.e. network logons) is wrapped
           in an XML comment and so is not collected by this file. If this is intentional, record the reason here;
           otherwise remove the enclosing comment markers to re-enable it. -->
      <!-- Network logon events
      <Subscription eventName="NetworkLogonEvents"
        query="Security!*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='3']]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>-->
      
      <!-- CA service stop/start and CA database events, read from the Security channel:
           CA Service Stopped (4880), CA Service Started (4881), CA DB row(s) deleted (4896), CA Template loaded (4898) -->
      <Subscription eventName="CAEvents"
        query="Security!*[System[(EventID=4880 or EventID = 4881 or EventID = 4896 or EventID = 4898)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <!-- Same column set as the other subscriptions in this file; keep it identical across them when changing columns -->
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
      
      <!-- DISABLED: the LogoffEvents subscription below (4634 with LogonType 3) is wrapped in an XML comment and is
           not collected by this file. It is the counterpart of the disabled NetworkLogonEvents subscription above;
           enable or document both together so session start and end stay consistent. -->
      <!-- Logoff events - for Network Logon events
      <Subscription eventName="LogoffEvents"
        query="Security!*[System[(EventID=4634)] and EventData[Data[@Name='LogonType'] = '3']]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>-->
      
      <!-- RRAS events (EventID 6272 to 6280 inclusive) from the Security channel, only generated on a Microsoft IAS server.
           The range test is written with &gt;= and &lt;= because a literal < is not allowed inside an attribute value. -->
      <Subscription eventName="RrasEvents"
        query="Security!*[System[( (EventID &gt;= 6272 and EventID &lt;= 6280) )]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <!-- Same column set as the other subscriptions in this file; keep it identical across them when changing columns -->
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
      
      <!-- Process Terminate (4689) from the Security channel.
           NOTE(review): no matching process-creation subscription is visible in this file; if terminate events are
           meant to be paired with their creations, confirm that the creation side is collected elsewhere. -->
      <Subscription eventName="ProcessTerminateEvents"
        query="Security!*[System[(EventID = 4689)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <!-- Same column set as the other subscriptions in this file; keep it identical across them when changing columns -->
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
 
      <!-- DISABLED: the LocalCredAuthEvents subscription below (4776 and 4648) is wrapped in an XML comment and is not
           collected, so neither local credential validation nor explicit-credential logons are audited by this file.
           Record the reason here if this is intentional; otherwise remove the enclosing comment markers. -->
      <!-- Local credential authentication events (4776), Logon with explicit credentials (4648)
      <Subscription eventName="LocalCredAuthEvents"
        query="Security!*[System[(EventID=4776 or EventID=4648)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>-->
 
      <!-- Registry value modified events (4657) from the Security channel, restricted to these OperationType values:
           New Registry Value created (%%1904), Existing Registry Value modified (%%1905), Registry Value Deleted (%%1906).
           The %%nnnn strings are compared as stored in EventData, presumably resource references rather than rendered text. -->
      <Subscription eventName="RegistryModifiedEvents"
        query="Security!*[System[(EventID=4657)] and (EventData[Data[@Name='OperationType'] = '%%1904'] or EventData[Data[@Name='OperationType'] = '%%1905'] or EventData[Data[@Name='OperationType'] = '%%1906'])]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <!-- Same column set as the other subscriptions in this file; keep it identical across them when changing columns -->
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
 
      <!-- Request made to authenticate to a wireless network, including the peer MAC (5632), from the Security channel -->
      <Subscription eventName="WirelessNetworkAuthReqEvents"
        query="Security!*[System[(EventID=5632)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <!-- Same column set as the other subscriptions in this file; keep it identical across them when changing columns -->
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
 
      <!-- A new external device was recognized by the system (6416), from the Security channel -->
      <Subscription eventName="ExternalPnpDeviceRecognizedEvents"
        query="Security!*[System[(EventID=6416)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <!-- Same column set as the other subscriptions in this file; keep it identical across them when changing columns -->
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- RADIUS authentication events: User Assigned IP address (20274), User successfully authenticated (20250), User Disconnected (20275).
           Unlike the other subscriptions in this file this reads the System channel, filtered to Provider Name 'RemoteAccess';
           the provider filter presumably keeps the ID match from picking up same-numbered events from other providers. -->
      <Subscription eventName="RadiusAuthEvents"
        query="System!*[System[Provider[@Name='RemoteAccess'] and (EventID=20274 or EventID=20250 or EventID=20275)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
                      
        <!-- Same column set as the other subscriptions in this file; keep it identical across them when changing columns -->
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
     
      <!-- CAPI2 events: Build Chain (11), Private Key accessed (70), X509 object (90) -->
      <Subscription eventName="CapiEvents"
        query="Microsoft-Windows-CAPI2/Operational!*[System[(EventID=11 or EventID=70 or EventID=90)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
        <!-- Source channel is Microsoft-Windows-CAPI2/Operational. Of the three IDs, 70 (private key
             accessed) is the one with direct security value because it ties key use to a process;
             11 (build chain) and 90 (X509 object) can be high volume on hosts that do a lot of TLS.
             NOTE(review): this operational channel is normally disabled by default; it has to be
             enabled (and sized) on the host or this subscription yields nothing. Confirm on the
             target image. -->
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <!-- CAPI2 puts its detail in UserData, not EventData; the UserData column further down is the one that carries it. -->
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Groups assigned to new login (except for well known, built-in accounts)-->
      <Subscription eventName="LsaEvents"
        query="Microsoft-Windows-LSA/Operational!*[System[(EventID=300)] and EventData[Data[@Name='TargetUserSid'] != 'S-1-5-20'] and EventData[Data[@Name='TargetUserSid'] != 'S-1-5-18'] and EventData[Data[@Name='TargetUserSid'] != 'S-1-5-19']]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
        <!-- Event 300 from Microsoft-Windows-LSA/Operational: the group membership computed for a new logon.
             Only three TargetUserSid values are excluded, the well-known service SIDs S-1-5-18 (LocalSystem),
             S-1-5-19 (Local Service) and S-1-5-20 (Network Service); every other SID, including other
             built-in accounts, is still collected, so the "well known, built-in accounts" wording in the
             comment above is broader than what the query actually filters.
             NOTE(review): confirm the LSA operational channel is enabled on the host; it is not on by default
             on every image. -->
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <!-- The group list itself lives in EventData; it is forwarded whole rather than split into columns. -->
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- DNS client query-completed events (3008) whose QueryResults is empty -->
      <Subscription eventName="DnsClientEvents"
          query="Microsoft-Windows-DNS-Client/Operational!*[System[(EventID=3008)] and EventData[Data[@Name='QueryOptions'] != '140737488355328'] and EventData[Data[@Name='QueryResults']='']]"
          storeType="Local"
          duration="PT120S"
        account="AuditStore">
        <!-- Event 3008 (DNS query completed) from Microsoft-Windows-DNS-Client/Operational, restricted to
             records whose QueryResults is empty, i.e. lookups that apparently resolved to nothing. Successful
             resolutions are deliberately not collected by this subscription, so it cannot be used on its own
             to reconstruct what a host resolved; only what it failed to resolve.
             NOTE(review): the QueryOptions != 140737488355328 clause excludes one specific option-flag value
             whose meaning is not documented here; confirm which query class it drops before changing it.
             This channel is normally disabled by default and must be enabled on the host. -->
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <!-- QueryName, QueryType and QueryOptions travel inside the EventData blob. -->
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Detect User-Mode drivers loaded - for potential BadUSB detection. -->
      <Subscription eventName="UserModeDriverLoadEvents"
        query="Microsoft-Windows-DriverFrameworks-UserMode/Operational!*[System[(EventID=2004)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
        <!-- Event 2004 from Microsoft-Windows-DriverFrameworks-UserMode/Operational: a user-mode (UMDF)
             driver was loaded. Used here as a coarse signal for an unexpected USB/HID device appearing
             (the BadUSB case named in the comment above). The event reports the driver and host load,
             not a device identity; the device details have to be pulled from the forwarded EventData
             payload during triage, or correlated with the ExternalPnpDeviceRecognizedEvents source that
             the DerivedEvents section forwards.
             NOTE(review): this operational channel is normally disabled by default; enable it on the host
             or this subscription stays empty. -->
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <!-- UMDF events put their payload in UserData rather than EventData, so this column carries the driver/host details. -->
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
       
      <!-- Legacy PowerShell pipeline execution details (800) -->
      <Subscription eventName="LegacyPSEvents"
        query="Windows PowerShell!*[System[(EventID=800)]]"
        storeType="Local"
        duration="PT120S"
        account="AuditStore">
        <!-- Event 800 in the classic "Windows PowerShell" log: pipeline execution details (the command
             that ran and its parameters). This event is only emitted when pipeline execution logging is
             turned on for the host or module (it is not on by default), so an empty stream does not mean
             no PowerShell ran. Script block logging from the modern Microsoft-Windows-PowerShell/Operational
             channel is not covered by this query; presumably that is what the PowerShellEvents source
             referenced in DerivedEvents collects, but that subscription is outside this part of the file.
             Note the channel name in the query contains a space and is a legacy log name, not an ETW
             channel path. -->
                      
        <Column name="ChannelName" defaultAssignment="" >
          <Value>/Event/System/Channel</Value>
        </Column>
        <Column name="Computer" defaultAssignment="" >
          <Value>/Event/System/Computer</Value>
        </Column>
        <Column name="ActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@ActivityID</Value>
        </Column>
        <Column name="RelatedActivityId" defaultAssignment="" >
          <Value>/Event/System/Correlation/@RelatedActivityID</Value>
        </Column>
        <!-- The command text is inside EventData; it is forwarded verbatim, so it may contain secrets passed on a command line. -->
        <Column name="EventData" defaultAssignment="" >
          <Value>/Event/EventData/*</Value>
        </Column>
        <Column name="EventId" defaultAssignment="0" >
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="EventMessage" defaultAssignment="" >
          <Value>GetEventMetadata("Description")</Value>
        </Column>
        <Column name="EventRecordId" defaultAssignment="0" >
          <Value>/Event/System/EventRecordID</Value>
        </Column>
        <Column name="Pid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ProcessID</Value>
        </Column>
        <Column name="Tid" defaultAssignment="-1" >
          <Value>/Event/System/Execution/@ThreadID</Value>
        </Column>
        <Column name="Keywords" defaultAssignment="0x0000000000000000" >
          <Value>/Event/System/Keywords</Value>
        </Column>
        <Column name="KeywordName" defaultAssignment="" >
          <Value>GetEventMetadata("Keyword")</Value>
        </Column>
        <Column name="Level" defaultAssignment="0" >
          <Value>/Event/System/Level</Value>
        </Column>
        <Column name="Opcode" defaultAssignment="0" >
          <Value>/Event/System/Opcode</Value>
        </Column>
        <Column name="OpcodeName" defaultAssignment="" >
          <Value>GetEventMetadata("Opcode")</Value>
        </Column>
        <Column name="ProviderEventSourceName" defaultAssignment="" >
          <Value>/Event/System/Provider/@EventSourceName</Value>
        </Column>
        <Column name="ProviderGuid" defaultAssignment="{00000000-0000-0000-0000-000000000000}" >
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        <Column name="ProviderName" defaultAssignment="" >
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="SecurityUserId" defaultAssignment="" >
          <Value>/Event/System/Security/@UserID</Value>
        </Column>
        <Column name="Task" defaultAssignment="0" >
          <Value>/Event/System/Task</Value>
        </Column>
        <Column name="TaskName" defaultAssignment="" >
          <Value>GetEventMetadata("Task")</Value>
        </Column>
        <Column name="UserData" defaultAssignment="" >
          <Value>/Event/UserData/*</Value>
        </Column>
        <Column name="Version" defaultAssignment="0" >
          <Value>/Event/System/Version</Value>
        </Column>
         
      </Subscription>
 
    </WindowsEventLogSubscriptions>
     
    <DerivedEvents>
      <!-- Each DerivedEvent forwards one local subscription into the central store. The empty Query element
           makes every one of them a pass-through: no filtering, projection or aggregation happens here, so
           whatever a subscription captures (including full EventData payloads) lands in the central table.
           All entries share physicalName AddOnInfraAzSSecurityEvents and storeType CentralBond, which
           presumably requires every source subscription to emit the same column set; keep the Column lists
           in the subscriptions above in sync when one is changed.
           NOTE(review): every source value must name an active Subscription eventName. Several sources here
           (CAEvents, LogoffEvents, RrasEvents, ProcessTerminateEvents, LocalCredAuthEvents,
           RegistryModifiedEvents, WirelessNetworkAuthReqEvents, ExternalPnpDeviceRecognizedEvents,
           PowerShellEvents) are not defined in this part of the file and are assumed to exist earlier;
           a source with no matching subscription silently forwards nothing, so there is no runtime signal
           when a collector has been commented out. -->
     
      <!-- NOTE(review): the NetworkLogonEvents subscription near the top of this file appears to open inside
           an XML comment; confirm it is actually live, otherwise this entry forwards nothing and network
           logon visibility is lost without any error. -->
      <DerivedEvent source="NetworkLogonEvents"
        duration="PT5M"
        eventName="AzSNetworkLogonEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
     
      <DerivedEvent source="CAEvents"
        duration="PT5M"
        eventName="AzSCAEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="LogoffEvents"
        duration="PT5M"
        eventName="AzSLogoffEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="RrasEvents"
        duration="PT5M"
        eventName="AzSRrasEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
 
      <DerivedEvent source="ProcessTerminateEvents"
        duration="PT5M"
        eventName="AzSProcessTerminateEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="LocalCredAuthEvents"
        duration="PT5M"
        eventName="AzSLocalCredAuthEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="RegistryModifiedEvents"
        duration="PT5M"
        eventName="AzSRegistryModifiedEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="WirelessNetworkAuthReqEvents"
        duration="PT5M"
        eventName="AzSWirelessNetworkAuthReqEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
         
      <DerivedEvent source="ExternalPnpDeviceRecognizedEvents"
        duration="PT5M"
        eventName="AzSExternalPnpDeviceRecognizedEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="RadiusAuthEvents"
        duration="PT5M"
        eventName="AzSRadiusAuthEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
     
      <DerivedEvent source="CapiEvents"
        duration="PT5M"
        eventName="AzSCapiEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="LsaEvents"
        duration="PT5M"
        eventName="AzSLsaEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="DnsClientEvents"
        duration="PT5M"
        eventName="AzSDnsClientEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
 
      <DerivedEvent source="PowerShellEvents"
        duration="PT5M"
        eventName="AzSPowerShellEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="UserModeDriverLoadEvents"
        duration="PT5M"
        eventName="AzSUserModeDriverLoadEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
      <DerivedEvent source="LegacyPSEvents"
        duration="PT5M"
        eventName="AzSLegacyPSEvents"
        physicalName="AddOnInfraAzSSecurityEvents"
        storeType="CentralBond"
        whereToRun="Local"
        account="AuditStore" >
        <Query>
        </Query>
      </DerivedEvent>
       
    </DerivedEvents>
  </Events>
</MonitoringManagement>