Merge pull request #5 from russelltomkins/Development

1.3 Updates
russelltomkins · May 8, 2017 · 02b252c · 02b252c
2 parents 64a2526 + 04f5240
commit 02b252c
Showing 1 changed file with 14 additions and 10 deletions.
diff --git a/DCEvents.csv b/DCEvents.csv
@@ -1,13 +1,13 @@
 ProviderSymbol,ProviderName,ProviderGUID,ChannelSymbol,ChannelName,QueryPath,Query,TargetGroup
-DC_AL_CVF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_DISABLEDEXPIREDLOCKEDOUT,Domain Controllers-Account Logon-Failure/Account Logon Failure Disabled Expired Locked Out,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4768)]] and *[EventData[Data[@Name='Status']='0x12']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4771)]] and *[EventData[Data[@Name='Status']='0x12']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC0000072']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC0000234']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xc0000193']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC000006F']]</Select>",Domain Controllers
-DC_AL_CVF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_INVALIDPASSWORD,Domain Controllers-Account Logon-Failure/Account Logon Failure Invalid Password,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4771)]] and *[EventData[Data[@Name='Status']='0x18']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC000006A']]</Select>",Domain Controllers
-DC_AL_CVF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_INVALIDUSER,Domain Controllers-Account Logon-Failure/Account Logon Failure Invalid Username,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4768)]] and *[EventData[Data[@Name='Status']='0x6']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC0000064']]</Select>",Domain Controllers
-DC_AL_CVF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_PASSWORDEXPIRED,Domain Controllers-Account Logon-Failure/Account Logon Failure Password Expired,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4768)]] and *[EventData[Data[@Name='Status']='0x17']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC0000071']]</Select>",Domain Controllers
-DC_AL_CVF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_RESTRICTIONS,Domain Controllers-Account Logon-Failure/Account Logon Failure Workstation Restrictions,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4768)]] and *[EventData[Data[@Name='Status']='0xC']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC0000070']]</Select>",Domain Controllers
-DC_AL_CVF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_CVF_TGS,Domain Controllers-Account Logon-Failure/Account Logon Failure Kerberos TGS Failure,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4769)]]</Select><Suppress Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4769)]] and *[EventData[Data[@Name='Status']='0x0']]</Suppress>",Domain Controllers
-DC_AL_CVS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_CVS_CV,Domain Controllers-Account Logon-Successful/Account Logon Success Credential Validation,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0x0']]</Select>",Domain Controllers
-DC_AL_CVS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_CVS_AS, Domain Controllers-Account Logon-Successful/Account Logon Success Kerberos AS,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4768)]] and *[EventData[Data[@Name='Status']='0x0']]</Select>",Domain Controllers
-DC_AL_CVS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_CVS_TGS,Domain Controllers-Account Logon-Successful/Account Logon Success Kerberos TGS,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4769)]] and *[EventData[Data[@Name='Status']='0x0']]</Select>",Domain Controllers
+DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_DISABLEDEXPIREDLOCKEDOUT,Domain Controllers-Account Logon-Failure/Account Logon Failure Disabled Expired Locked Out,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4768)]] and *[EventData[Data[@Name='Status']='0x12']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4771)]] and *[EventData[Data[@Name='Status']='0x12']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC0000072']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC0000234']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xc0000193']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC000006F']]</Select>",Domain Controllers
+DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_INVALIDPASSWORD,Domain Controllers-Account Logon-Failure/Account Logon Failure Invalid Password,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4771)]] and *[EventData[Data[@Name='Status']='0x18']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC000006A']]</Select>",Domain Controllers
+DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_INVALIDUSER,Domain Controllers-Account Logon-Failure/Account Logon Failure Invalid Username,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4768)]] and *[EventData[Data[@Name='Status']='0x6']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC0000064']]</Select>",Domain Controllers
+DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_PASSWORDEXPIRED,Domain Controllers-Account Logon-Failure/Account Logon Failure Password Expired,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4768)]] and *[EventData[Data[@Name='Status']='0x17']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC0000071']]</Select>",Domain Controllers
+DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_RESTRICTIONS,Domain Controllers-Account Logon-Failure/Account Logon Failure Workstation Restrictions,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4768)]] and *[EventData[Data[@Name='Status']='0xC']]</Select><Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0xC0000070']]</Select>",Domain Controllers
+DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_TGS,Domain Controllers-Account Logon-Failure/Account Logon Failure Kerberos TGS Failure,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4769)]]</Select><Suppress Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4769)]] and *[EventData[Data[@Name='Status']='0x0']]</Suppress>",Domain Controllers
+DC_AL_LS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_LS_CV,Domain Controllers-Account Logon-Successful/Account Logon Success Credential Validation,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4776)]] and *[EventData[Data[@Name='Status']='0x0']]</Select>",Domain Controllers
+DC_AL_LS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_LS_AS, Domain Controllers-Account Logon-Successful/Account Logon Success Kerberos AS,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4768)]] and *[EventData[Data[@Name='Status']='0x0']]</Select>",Domain Controllers
+DC_AL_LS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_LS_TGS,Domain Controllers-Account Logon-Successful/Account Logon Success Kerberos TGS,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4769)]] and *[EventData[Data[@Name='Status']='0x0']]</Select>",Domain Controllers
 DC_AM_CM_EVENTS,Domain Controllers-Object Management-Computer,{FF41F360-52E6-4513-8D87-77B85A4FE6A1},DC_AM_CM_CHANGED,Domain Controllers-Object Management-Computer/Computer Changed,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4742)]]</Select>",Domain Controllers
 DC_AM_CM_EVENTS,Domain Controllers-Object Management-Computer,{FF41F360-52E6-4513-8D87-77B85A4FE6A1},DC_AM_CM_CREATED,Domain Controllers-Object Management-Computer/Computer Created,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4741)]]</Select>",Domain Controllers
 DC_AM_CM_EVENTS,Domain Controllers-Object Management-Computer,{FF41F360-52E6-4513-8D87-77B85A4FE6A1},DC_AM_CM_DELETED,Domain Controllers-Object Management-Computer/Computer Deleted,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4743)]]</Select>",Domain Controllers
@@ -51,4 +51,8 @@ DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF93
 DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF931F15A2},DC_LL_LS_UNLOCK,Domain Controllers-Logon-Success/Logon Success Unlock (7),Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)]] and *[EventData[Data[@Name='LogonType']='7']]</Select>",Domain Controllers
 DC_DS_EVENTS,Domain Controllers-Directory Services-LDAP Weak Binds,{22301b37-f278-404d-bd04-ff63c12796f1},DC_DS_LDAP_WEAKALLOWEDSUMMARY,Domain Controllers-Directory Services-LDAP Weak Binds/LDAP Weak Bind Allowed Summary,Directory Service,"<Select Path=""Directory Service"">*[System[Provider[@Name='Microsoft-Windows-ActiveDirectory_DomainService'] and (EventID=2887)]]</Select>",Domain Controllers
 DC_DS_EVENTS,Domain Controllers-Directory Services-LDAP Weak Binds,{22301b37-f278-404d-bd04-ff63c12796f1},DC_DS_LDAP_WEAKBLOCKEDSUMMARY,Domain Controllers-Directory Services-LDAP Weak Binds/LDAP Weak Bind Blocked Summary,Directory Service,"<Select Path=""Directory Service"">*[System[Provider[@Name='Microsoft-Windows-ActiveDirectory_DomainService'] and (EventID=2888)]]</Select>",Domain Controllers
-DC_DS_EVENTS,Domain Controllers-Directory Services-LDAP Weak Binds,{22301b37-f278-404d-bd04-ff63c12796f1},DC_DS_LDAP_WEAKATTEMPTED,Domain Controllers-Directory Services-LDAP Weak Binds/LDAP Weak Bind Attempted,Directory Service,"<Select Path=""Directory Service"">*[System[Provider[@Name='Microsoft-Windows-ActiveDirectory_DomainService'] and (EventID=2889)]]</Select>",Domain Controllers
+DC_DS_EVENTS,Domain Controllers-Directory Services-LDAP Weak Binds,{22301b37-f278-404d-bd04-ff63c12796f1},DC_DS_LDAP_WEAKATTEMPTED,Domain Controllers-Directory Services-LDAP Weak Binds/LDAP Weak Bind Attempted,Directory Service,"<Select Path=""Directory Service"">*[System[Provider[@Name='Microsoft-Windows-ActiveDirectory_DomainService'] and (EventID=2889)]]</Select>",Domain Controllers
+DC_DS_GP_EVENTS,Domain Controllers-Object Management-Group Policy,{17d03549-aeb3-46f2-9d10-2e3e1d694f38},DC_DS_GPC_CREATED,Domain Controllers-Object Management-Group Policy/Group Policy Container Created,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=5137)]] and *[EventData[Data[@Name='ObjectClass']='groupPolicyContainer']]</Select>",Domain Controllers
+DC_DS_GP_EVENTS,Domain Controllers-Object Management-Group Policy,{17d03549-aeb3-46f2-9d10-2e3e1d694f38},DC_DS_GPC_DELETED,Domain Controllers-Object Management-Group Policy/Group Policy Container Deleted,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=5141)]] and *[EventData[Data[@Name='ObjectClass']='groupPolicyContainer']]</Select>",Domain Controllers
+DC_DS_GP_EVENTS,Domain Controllers-Object Management-Group Policy,{17d03549-aeb3-46f2-9d10-2e3e1d694f38},DC_DS_GPC_CHANGED,Domain Controllers-Object Management-Group Policy/Group Policy Container Changed,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=5136)]] and *[EventData[Data[@Name='ObjectClass']='groupPolicyContainer']]</Select>",Domain Controllers
+DC_DS_GP_EVENTS,Domain Controllers-Object Management-Group Policy,{17d03549-aeb3-46f2-9d10-2e3e1d694f38},DC_DS_GPC_LINKED,Domain Controllers-Object Management-Group Policy/Group Policy Container Linked,Security,"<Select Path=""Security"">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=5136)]] and *[EventData[Data[@Name='ObjectClass']='organizationalUnit' and Data[@Name='AttributeLDAPDisplayName']='gPLink']]</Select>",Domain Controllers