Created
March 26, 2021 05:15
-
-
Save ryanmaclean/2ad2ab95328da65c10610fbee9f09866 to your computer and use it in GitHub Desktop.
Microsoft Windows Active Directory and Log Source Datadog YAML
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## All options defined here are available to all instances. | |
| # | |
| init_config: | |
| ## @param service - string - optional | |
| ## Attach the tag `service:<SERVICE>` to every metric, event, and service check emitted by this integration. | |
| ## | |
| ## Additionally, this sets the default `service` for every log source. | |
| # | |
| # service: <SERVICE> | |
| ## Every instance is scheduled independent of the others. | |
| # | |
| instances: | |
| ## @param host - string - required | |
| ## The host the Datadog Active Directory check connects to. | |
| ## "." means the current host | |
| # | |
| - host: . | |
| ## @param username - string - optional | |
| ## The username from the credentials needed to connect to the host. | |
| # | |
| # username: <USERNAME> | |
| ## @param password - string - optional | |
| ## The password from the credentials needed to connect to the host. | |
| # | |
| # password: <PASSWORD> | |
| ## @param additional_metrics - list of lists - optional | |
| ## The additional metrics is a list of items that represent additional counters to collect. | |
| ## Each item is a list of strings, formatted as follows: | |
| ## | |
| ## ['<COUNTERSET_NAME>', <COUNTER_INSTANCE_NAME>, '<COUNTER_NAME>', <METRIC_NAME>, <METRIC_TYPE>] | |
| ## | |
| ## <COUNTERSET_NAME> is the name of the PDH counter set (the name of the counter). | |
| ## <COUNTER_INSTANCE_NAME> is the specific counter instance to collect, for example | |
| ## "Default Web Site". Specify 'none' for all instances of | |
| ## the counter. | |
| ## <COUNTER_NAME> is the individual counter to report. | |
| ## <METRIC_NAME> is the name that displays in Datadog. | |
| ## <METRIC_TYPE> is from the standard choices for all Agent checks, such as gauge, | |
| ## rate, histogram, or count. | |
| # | |
| # additional_metrics: | |
| # - [NTDS, none, DS % Writes from LDAP, active_directory.ds.writes_from_ldap, gauge] | |
| ## @param counter_data_types - list of strings - optional | |
| ## counter_data_types is a list of <METRIC_NAME>,<DATA_TYPE> elements that | |
| ## allow the precision in which counters are queried on a per metric basis. | |
| ## <METRIC_NAME>: The name of your metric | |
| ## <DATA_TYPE> : The type of your metric (int or float) | |
| # | |
| # counter_data_types: | |
| # - [<METRIC_NAME>, <DATA_TYPE>] | |
| # - [active_directory.dra.inbound.bytes.total, int] | |
| # - [active_directory.ldap.bind_time, float] | |
| ## @param tags - list of strings - optional | |
| ## A list of tags to attach to every metric and service check emitted by this instance. | |
| ## | |
| ## Learn more about tagging at https://docs.datadoghq.com/tagging | |
| # | |
| tags: | |
| - env:hme | |
| - domain:"lab.local" | |
| ## @param service - string - optional | |
| ## Attach the tag `service:<SERVICE>` to every metric, event, and service check emitted by this integration. | |
| ## | |
| ## Overrides any `service` defined in the `init_config` section. | |
| # | |
| # service: <SERVICE> | |
| ## @param min_collection_interval - number - optional - default: 15 | |
| ## This changes the collection interval of the check. For more information, see: | |
| ## https://docs.datadoghq.com/developers/write_agent_check/#collection-interval | |
| # | |
| # min_collection_interval: 15 | |
| ## @param empty_default_hostname - boolean - optional - default: false | |
| ## This forces the check to send metrics with no hostname. | |
| ## | |
| ## This is useful for cluster-level checks. | |
| # | |
| # empty_default_hostname: false | |
| ## Log Section | |
| ## | |
| ## type - required - Type of log input source (tcp / udp / file / windows_event) | |
| ## port / path / channel_path - required - Set port if type is tcp or udp. | |
| ## Set path if type is file. | |
| ## Set channel_path if type is windows_event. | |
| ## source - required - Attribute that defines which Integration sent the logs. | |
| ## service - optional - The name of the service that generates the log. | |
| ## Overrides any `service` defined in the `init_config` section. | |
| ## tags - optional - Add tags to the collected logs. | |
| ## | |
| ## Discover Datadog log collection: https://docs.datadoghq.com/logs/log_collection/ | |
| # | |
| logs: | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SystemDataArchiver/Diagnostic" | |
| source: "Microsoft-Windows-SystemDataArchiver/Diagnostic" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Security" | |
| source: "Security" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-ServerManagementExperience" | |
| source: "Microsoft-ServerManagementExperience" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "System" | |
| source: "System" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PowerShell/Operational" | |
| source: "Microsoft-Windows-PowerShell/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WinRM/Operational" | |
| source: "Microsoft-Windows-WinRM/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kernel-IO/Operational" | |
| source: "Microsoft-Windows-Kernel-IO/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Store/Operational" | |
| source: "Microsoft-Windows-Store/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Diagnosis-PCW/Operational" | |
| source: "Microsoft-Windows-Diagnosis-PCW/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ServerManager-MultiMachine/Operational" | |
| source: "Microsoft-Windows-ServerManager-MultiMachine/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational" | |
| source: "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ServerManager-MgmtProvider/Operational" | |
| source: "Microsoft-Windows-ServerManager-MgmtProvider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Storage-Storport/Operational" | |
| source: "Microsoft-Windows-Storage-Storport/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Application" | |
| source: "Application" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Windows PowerShell" | |
| source: "Windows PowerShell" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WMI-Activity/Operational" | |
| source: "Microsoft-Windows-WMI-Activity/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Shell-Core/Operational" | |
| source: "Microsoft-Windows-Shell-Core/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Winlogon/Operational" | |
| source: "Microsoft-Windows-Winlogon/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-GroupPolicy/Operational" | |
| source: "Microsoft-Windows-GroupPolicy/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Storage-ClassPnP/Operational" | |
| source: "Microsoft-Windows-Storage-ClassPnP/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Windows Defender/Operational" | |
| source: "Microsoft-Windows-Windows Defender/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Time-Service/Operational" | |
| source: "Microsoft-Windows-Time-Service/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-UniversalTelemetryClient/Operational" | |
| source: "Microsoft-Windows-UniversalTelemetryClient/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PushNotification-Platform/Operational" | |
| source: "Microsoft-Windows-PushNotification-Platform/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppXDeploymentServer/Operational" | |
| source: "Microsoft-Windows-AppXDeploymentServer/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Ntfs/Operational" | |
| source: "Microsoft-Windows-Ntfs/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | |
| source: "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Shell-Core/AppDefaults" | |
| source: "Microsoft-Windows-Shell-Core/AppDefaults" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-LiveId/Operational" | |
| source: "Microsoft-Windows-LiveId/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Storage-Storport/Health" | |
| source: "Microsoft-Windows-Storage-Storport/Health" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ManagementTools-TaskManagerProvider/Operational" | |
| source: "Microsoft-Windows-ManagementTools-TaskManagerProvider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ServerManager-DeploymentProvider/Operational" | |
| source: "Microsoft-Windows-ServerManager-DeploymentProvider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-StateRepository/Operational" | |
| source: "Microsoft-Windows-StateRepository/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Bits-Client/Operational" | |
| source: "Microsoft-Windows-Bits-Client/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-VolumeSnapshot-Driver/Operational" | |
| source: "Microsoft-Windows-VolumeSnapshot-Driver/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-NetworkProfile/Operational" | |
| source: "Microsoft-Windows-NetworkProfile/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppXDeployment/Operational" | |
| source: "Microsoft-Windows-AppXDeployment/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TaskScheduler/Operational" | |
| source: "Microsoft-Windows-TaskScheduler/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DeviceSetupManager/Admin" | |
| source: "Microsoft-Windows-DeviceSetupManager/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kernel-PnP/Configuration" | |
| source: "Microsoft-Windows-Kernel-PnP/Configuration" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | |
| source: "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Hyper-V-VmSwitch-Operational" | |
| source: "Microsoft-Windows-Hyper-V-VmSwitch-Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SmbClient/Connectivity" | |
| source: "Microsoft-Windows-SmbClient/Connectivity" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Wcmsvc/Operational" | |
| source: "Microsoft-Windows-Wcmsvc/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kernel-Boot/Operational" | |
| source: "Microsoft-Windows-Kernel-Boot/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppModel-Runtime/Admin" | |
| source: "Microsoft-Windows-AppModel-Runtime/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TaskScheduler/Maintenance" | |
| source: "Microsoft-Windows-TaskScheduler/Maintenance" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Crypto-DPAPI/Operational" | |
| source: "Microsoft-Windows-Crypto-DPAPI/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WindowsUpdateClient/Operational" | |
| source: "Microsoft-Windows-WindowsUpdateClient/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppReadiness/Admin" | |
| source: "Microsoft-Windows-AppReadiness/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Known Folders API Service" | |
| source: "Microsoft-Windows-Known Folders API Service" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-User Profile Service/Operational" | |
| source: "Microsoft-Windows-User Profile Service/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Security-Mitigations/KernelMode" | |
| source: "Microsoft-Windows-Security-Mitigations/KernelMode" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-StorageManagement/Operational" | |
| source: "Microsoft-Windows-StorageManagement/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SettingSync/Debug" | |
| source: "Microsoft-Windows-SettingSync/Debug" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational" | |
| source: "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | |
| source: "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DirectoryServices-Deployment/Operational" | |
| source: "Microsoft-Windows-DirectoryServices-Deployment/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Client-Licensing-Platform/Admin" | |
| source: "Microsoft-Client-Licensing-Platform/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Win32k/Operational" | |
| source: "Microsoft-Windows-Win32k/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SMBServer/Operational" | |
| source: "Microsoft-Windows-SMBServer/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Setup" | |
| source: "Setup" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DNSServer/Audit" | |
| source: "Microsoft-Windows-DNSServer/Audit" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-VHDMP-Operational" | |
| source: "Microsoft-Windows-VHDMP-Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Partition/Diagnostic" | |
| source: "Microsoft-Windows-Partition/Diagnostic" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Host-Network-Service-Admin" | |
| source: "Microsoft-Windows-Host-Network-Service-Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Directory Service" | |
| source: "Directory Service" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-HelloForBusiness/Operational" | |
| source: "Microsoft-Windows-HelloForBusiness/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-User Device Registration/Admin" | |
| source: "Microsoft-Windows-User Device Registration/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppxPackaging/Operational" | |
| source: "Microsoft-Windows-AppxPackaging/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppReadiness/Operational" | |
| source: "Microsoft-Windows-AppReadiness/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Biometrics/Operational" | |
| source: "Microsoft-Windows-Biometrics/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DeviceSetupManager/Operational" | |
| source: "Microsoft-Windows-DeviceSetupManager/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Hyper-V-Compute-Operational" | |
| source: "Microsoft-Windows-Hyper-V-Compute-Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-CodeIntegrity/Operational" | |
| source: "Microsoft-Windows-CodeIntegrity/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Resource-Exhaustion-Detector/Operational" | |
| source: "Microsoft-Windows-Resource-Exhaustion-Detector/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kernel-WHEA/Operational" | |
| source: "Microsoft-Windows-Kernel-WHEA/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-StorageSpaces-Driver/Operational" | |
| source: "Microsoft-Windows-StorageSpaces-Driver/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "DNS Server" | |
| source: "DNS Server" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WebAuthN/Operational" | |
| source: "Microsoft-Windows-WebAuthN/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Diagnosis-DPS/Operational" | |
| source: "Microsoft-Windows-Diagnosis-DPS/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "DFS Replication" | |
| source: "DFS Replication" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SmartCard-DeviceEnum/Operational" | |
| source: "Microsoft-Windows-SmartCard-DeviceEnum/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-NCSI/Operational" | |
| source: "Microsoft-Windows-NCSI/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Active Directory Web Services" | |
| source: "Active Directory Web Services" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics" | |
| source: "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Containers-Wcifs/Operational" | |
| source: "Microsoft-Windows-Containers-Wcifs/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Ntfs/WHC" | |
| source: "Microsoft-Windows-Ntfs/WHC" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-MUI/Operational" | |
| source: "Microsoft-Windows-MUI/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-UserPnp/DeviceInstall" | |
| source: "Microsoft-Windows-UserPnp/DeviceInstall" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-LanguagePackSetup/Operational" | |
| source: "Microsoft-Windows-LanguagePackSetup/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational" | |
| source: "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Hyper-V-Compute-Admin" | |
| source: "Microsoft-Windows-Hyper-V-Compute-Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin" | |
| source: "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ManagementTools-RegistryProvider/Operational" | |
| source: "Microsoft-Windows-ManagementTools-RegistryProvider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational" | |
| source: "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter" | |
| source: "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Diagnosis-Scheduled/Operational" | |
| source: "Microsoft-Windows-Diagnosis-Scheduled/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TWinUI/Operational" | |
| source: "Microsoft-Windows-TWinUI/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WER-PayloadHealth/Operational" | |
| source: "Microsoft-Windows-WER-PayloadHealth/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DAL-Provider/Operational" | |
| source: "Microsoft-Windows-DAL-Provider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Dhcp-Client/Admin" | |
| source: "Microsoft-Windows-Dhcp-Client/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WFP/Operational" | |
| source: "Microsoft-Windows-WFP/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AAD/Operational" | |
| source: "Microsoft-Windows-AAD/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Diagnosis-Scripted/Operational" | |
| source: "Microsoft-Windows-Diagnosis-Scripted/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TZSync/Operational" | |
| source: "Microsoft-Windows-TZSync/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" | |
| source: "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-International/Operational" | |
| source: "Microsoft-Windows-International/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DataIntegrityScan/Admin" | |
| source: "Microsoft-Windows-DataIntegrityScan/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Forwarding/Operational" | |
| source: "Microsoft-Windows-Forwarding/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Application-Experience/Program-Telemetry" | |
| source: "Microsoft-Windows-Application-Experience/Program-Telemetry" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc" | |
| source: "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kernel-ShimEngine/Operational" | |
| source: "Microsoft-Windows-Kernel-ShimEngine/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PrintService/Admin" | |
| source: "Microsoft-Windows-PrintService/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-HomeGroup Control Panel/Operational" | |
| source: "Microsoft-Windows-HomeGroup Control Panel/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Containers-Wcnfs/Operational" | |
| source: "Microsoft-Windows-Containers-Wcnfs/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SettingSync/Operational" | |
| source: "Microsoft-Windows-SettingSync/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SMBWitnessClient/Admin" | |
| source: "Microsoft-Windows-SMBWitnessClient/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Containers-BindFlt/Operational" | |
| source: "Microsoft-Windows-Containers-BindFlt/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Diagnosis-Scripted/Admin" | |
| source: "Microsoft-Windows-Diagnosis-Scripted/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PushNotification-Platform/Admin" | |
| source: "Microsoft-Windows-PushNotification-Platform/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PackageStateRoaming/Operational" | |
| source: "Microsoft-Windows-PackageStateRoaming/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational" | |
| source: "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-OOBE-Machine-DUI/Operational" | |
| source: "Microsoft-Windows-OOBE-Machine-DUI/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PriResources-Deployment/Operational" | |
| source: "Microsoft-Windows-PriResources-Deployment/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-VPN-Client/Operational" | |
| source: "Microsoft-Windows-VPN-Client/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin" | |
| source: "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade" | |
| source: "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin" | |
| source: "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TZUtil/Operational" | |
| source: "Microsoft-Windows-TZUtil/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-NTLM/Operational" | |
| source: "Microsoft-Windows-NTLM/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ReFS/Operational" | |
| source: "Microsoft-Windows-ReFS/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SettingSync-OneDrive/Operational" | |
| source: "Microsoft-Windows-SettingSync-OneDrive/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SystemSettingsThreshold/Operational" | |
| source: "Microsoft-Windows-SystemSettingsThreshold/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-OfflineFiles/Operational" | |
| source: "Microsoft-Windows-OfflineFiles/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Volume/Diagnostic" | |
| source: "Microsoft-Windows-Volume/Diagnostic" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ReadyBoost/Operational" | |
| source: "Microsoft-Windows-ReadyBoost/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TCPIP/Operational" | |
| source: "Microsoft-Windows-TCPIP/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-Printers/Operational" | |
| source: "Microsoft-Windows-TerminalServices-Printers/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PersistentMemory-ScmBus/Certification" | |
| source: "Microsoft-Windows-PersistentMemory-ScmBus/Certification" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Policy/Operational" | |
| source: "Microsoft-Windows-Policy/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/..." | |
| source: "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/..." | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PersistentMemory-PmemDisk/Operational" | |
| source: "Microsoft-Windows-PersistentMemory-PmemDisk/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational" | |
| source: "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin" | |
| source: "Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin" | |
| source: "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-RDPClient/Operational" | |
| source: "Microsoft-Windows-TerminalServices-RDPClient/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational" | |
| source: "Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-PnPDevices/Admin" | |
| source: "Microsoft-Windows-TerminalServices-PnPDevices/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-PnPDevices/Operational" | |
| source: "Microsoft-Windows-TerminalServices-PnPDevices/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PrintBRM/Admin" | |
| source: "Microsoft-Windows-PrintBRM/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-VPN/Operational" | |
| source: "Microsoft-Windows-VPN/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational" | |
| source: "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-TerminalServices-Printers/Admin" | |
| source: "Microsoft-Windows-TerminalServices-Printers/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PersistentMemory-Nvdimm/Operational" | |
| source: "Microsoft-Windows-PersistentMemory-Nvdimm/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PerceptionSensorDataService/Operational" | |
| source: "Microsoft-Windows-PerceptionSensorDataService/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PowerShell/Admin" | |
| source: "Microsoft-Windows-PowerShell/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PerceptionRuntime/Operational" | |
| source: "Microsoft-Windows-PerceptionRuntime/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SettingSync-Azure/Debug" | |
| source: "Microsoft-Windows-SettingSync-Azure/Debug" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SMBServer/Security" | |
| source: "Microsoft-Windows-SMBServer/Security" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-UserPnp/ActionCenter" | |
| source: "Microsoft-Windows-UserPnp/ActionCenter" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SMBServer/Connectivity" | |
| source: "Microsoft-Windows-SMBServer/Connectivity" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SettingSync-OneDrive/Debug" | |
| source: "Microsoft-Windows-SettingSync-OneDrive/Debug" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SettingSync-Azure/Operational" | |
| source: "Microsoft-Windows-SettingSync-Azure/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SMBWitnessClient/Informational" | |
| source: "Microsoft-Windows-SMBWitnessClient/Informational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-UAC/Operational" | |
| source: "Microsoft-Windows-UAC/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ServerManager-ConfigureSMRemoting/Operational" | |
| source: "Microsoft-Windows-ServerManager-ConfigureSMRemoting/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SenseIR/Operational" | |
| source: "Microsoft-Windows-SenseIR/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ServerManager-MultiMachine/Admin" | |
| source: "Microsoft-Windows-ServerManager-MultiMachine/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-StateRepository/Restricted" | |
| source: "Microsoft-Windows-StateRepository/Restricted" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-User Control Panel/Operational" | |
| source: "Microsoft-Windows-User Control Panel/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational" | |
| source: "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-User-Loader/Operational" | |
| source: "Microsoft-Windows-User-Loader/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Shell-Core/LogonTasksChannel" | |
| source: "Microsoft-Windows-Shell-Core/LogonTasksChannel" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SmartCard-Audit/Authentication" | |
| source: "Microsoft-Windows-SmartCard-Audit/Authentication" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SilProvider/Operational" | |
| source: "Microsoft-Windows-SilProvider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin" | |
| source: "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SmbClient/Audit" | |
| source: "Microsoft-Windows-SmbClient/Audit" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SmbClient/Security" | |
| source: "Microsoft-Windows-SmbClient/Security" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SMBDirect/Admin" | |
| source: "Microsoft-Windows-SMBDirect/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SMBServer/Audit" | |
| source: "Microsoft-Windows-SMBServer/Audit" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Shell-Core/ActionCenter" | |
| source: "Microsoft-Windows-Shell-Core/ActionCenter" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter" | |
| source: "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SMBClient/Operational" | |
| source: "Microsoft-Windows-SMBClient/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-UAC-FileVirtualization/Operational" | |
| source: "Microsoft-Windows-UAC-FileVirtualization/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-StorageSpaces-Api/Operational" | |
| source: "Microsoft-Windows-StorageSpaces-Api/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-StorageSpaces-Driver/Diagnostic" | |
| source: "Microsoft-Windows-StorageSpaces-Driver/Diagnostic" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin" | |
| source: "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Security-Adminless/Operational" | |
| source: "Microsoft-Windows-Security-Adminless/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SearchUI/Operational" | |
| source: "Microsoft-Windows-SearchUI/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-RestartManager/Operational" | |
| source: "Microsoft-Windows-RestartManager/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC" | |
| source: "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-StorageSpaces-SpaceManager/Operational" | |
| source: "Microsoft-Windows-StorageSpaces-SpaceManager/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-RemoteApp and Desktop Connections/Admin" | |
| source: "Microsoft-Windows-RemoteApp and Desktop Connections/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Regsvr32/Operational" | |
| source: "Microsoft-Windows-Regsvr32/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin" | |
| source: "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-RemoteApp and Desktop Connections/Operational" | |
| source: "Microsoft-Windows-RemoteApp and Desktop Connections/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic" | |
| source: "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Security-UserConsentVerifier/Audit" | |
| source: "Microsoft-Windows-Security-UserConsentVerifier/Audit" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational" | |
| source: "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Security-Netlogon/Operational" | |
| source: "Microsoft-Windows-Security-Netlogon/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Storage-Tiering/Admin" | |
| source: "Microsoft-Windows-Storage-Tiering/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SENSE/Operational" | |
| source: "Microsoft-Windows-SENSE/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SecurityMitigationsBroker/Operational" | |
| source: "Microsoft-Windows-SecurityMitigationsBroker/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Security-Mitigations/UserMode" | |
| source: "Microsoft-Windows-Security-Mitigations/UserMode" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-VerifyHardwareSecurity/Admin" | |
| source: "Microsoft-Windows-VerifyHardwareSecurity/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational" | |
| source: "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Security-Audit-Configuration-Client/Operational" | |
| source: "Microsoft-Windows-Security-Audit-Configuration-Client/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-StorageManagement-PartUtil/Operational" | |
| source: "Microsoft-Windows-StorageManagement-PartUtil/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational" | |
| source: "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-VDRVROOT/Operational" | |
| source: "Microsoft-Windows-VDRVROOT/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-NlaSvc/Operational" | |
| source: "Microsoft-Windows-NlaSvc/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Bluetooth-MTPEnum/Operational" | |
| source: "Microsoft-Windows-Bluetooth-MTPEnum/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Bluetooth-Policy/Operational" | |
| source: "Microsoft-Windows-Bluetooth-Policy/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WMPNSS-Service/Operational" | |
| source: "Microsoft-Windows-WMPNSS-Service/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational" | |
| source: "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-CertificateServices-Deployment/Operational" | |
| source: "Microsoft-Windows-CertificateServices-Deployment/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Winsock-WS2HELP/Operational" | |
| source: "Microsoft-Windows-Winsock-WS2HELP/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-BranchCacheSMB/Operational" | |
| source: "Microsoft-Windows-BranchCacheSMB/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Wired-AutoConfig/Operational" | |
| source: "Microsoft-Windows-Wired-AutoConfig/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WPD-CompositeClassDriver/Operational" | |
| source: "Microsoft-Windows-WPD-CompositeClassDriver/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-BackgroundTaskInfrastructure/Operational" | |
| source: "Microsoft-Windows-BackgroundTaskInfrastructure/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "OpenSSH/Admin" | |
| source: "OpenSSH/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WPD-MTPClassDriver/Operational" | |
| source: "Microsoft-Windows-WPD-MTPClassDriver/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Workplace Join/Admin" | |
| source: "Microsoft-Windows-Workplace Join/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-BestPractices/Operational" | |
| source: "Microsoft-Windows-BestPractices/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WPD-ClassInstaller/Operational" | |
| source: "Microsoft-Windows-WPD-ClassInstaller/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Backup" | |
| source: "Microsoft-Windows-Backup" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" | |
| source: "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Devices-Background/Operational" | |
| source: "Microsoft-Windows-Devices-Background/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DeviceSync/Operational" | |
| source: "Microsoft-Windows-DeviceSync/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DeviceGuard/Operational" | |
| source: "Microsoft-Windows-DeviceGuard/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational" | |
| source: "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WinINet-Config/ProxyConfigChanged" | |
| source: "Microsoft-Windows-WinINet-Config/ProxyConfigChanged" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Dhcpv6-Client/Admin" | |
| source: "Microsoft-Windows-Dhcpv6-Client/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DeviceUpdateAgent/Operational" | |
| source: "Microsoft-Windows-DeviceUpdateAgent/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DFSN-Server/Admin" | |
| source: "Microsoft-Windows-DFSN-Server/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Compat-Appraiser/Operational" | |
| source: "Microsoft-Windows-Compat-Appraiser/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-CoreApplication/Operational" | |
| source: "Microsoft-Windows-CoreApplication/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational" | |
| source: "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-CloudStore/Operational" | |
| source: "Microsoft-Windows-CloudStore/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DataIntegrityScan/CrashRecovery" | |
| source: "Microsoft-Windows-DataIntegrityScan/CrashRecovery" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DateTimeControlPanel/Operational" | |
| source: "Microsoft-Windows-DateTimeControlPanel/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-CorruptedFileRecovery-Client/Operational" | |
| source: "Microsoft-Windows-CorruptedFileRecovery-Client/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-CorruptedFileRecovery-Server/Operational" | |
| source: "Microsoft-Windows-CorruptedFileRecovery-Server/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Authentication User Interface/Operational" | |
| source: "Microsoft-Windows-Authentication User Interface/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-User Experience Virtualization-IPC/Operational" | |
| source: "Microsoft-User Experience Virtualization-IPC/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-User Experience Virtualization-SQM Uploader/Operational" | |
| source: "Microsoft-User Experience Virtualization-SQM Uploader/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-User Experience Virtualization-Agent Driver/Operational" | |
| source: "Microsoft-User Experience Virtualization-Agent Driver/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-User Experience Virtualization-App Agent/Operational" | |
| source: "Microsoft-User Experience Virtualization-App Agent/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppHost/Admin" | |
| source: "Microsoft-Windows-AppHost/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppID/Operational" | |
| source: "Microsoft-Windows-AppID/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-All-User-Install-Agent/Admin" | |
| source: "Microsoft-Windows-All-User-Install-Agent/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AllJoyn/Operational" | |
| source: "Microsoft-Windows-AllJoyn/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Key Management Service" | |
| source: "Key Management Service" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-AppV-Client/Admin" | |
| source: "Microsoft-AppV-Client/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "HardwareEvents" | |
| source: "HardwareEvents" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Internet Explorer" | |
| source: "Internet Explorer" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Rdms-UI/Admin" | |
| source: "Microsoft-Rdms-UI/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Rdms-UI/Operational" | |
| source: "Microsoft-Rdms-UI/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-AppV-Client/Operational" | |
| source: "Microsoft-AppV-Client/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-AppV-Client/Virtual Applications" | |
| source: "Microsoft-AppV-Client/Virtual Applications" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ApplicabilityEngine/Operational" | |
| source: "Microsoft-Windows-ApplicabilityEngine/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppXDeploymentServer/Restricted" | |
| source: "Microsoft-Windows-AppXDeploymentServer/Restricted" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "SMSApi" | |
| source: "SMSApi" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppLocker/Packaged app-Deployment" | |
| source: "Microsoft-Windows-AppLocker/Packaged app-Deployment" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppLocker/Packaged app-Execution" | |
| source: "Microsoft-Windows-AppLocker/Packaged app-Execution" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Audio/Operational" | |
| source: "Microsoft-Windows-Audio/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Audio/PlaybackManager" | |
| source: "Microsoft-Windows-Audio/PlaybackManager" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Audio/CaptureMonitor" | |
| source: "Microsoft-Windows-Audio/CaptureMonitor" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "OpenSSH/Operational" | |
| source: "OpenSSH/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant" | |
| source: "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter" | |
| source: "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Application Server-Applications/Admin" | |
| source: "Microsoft-Windows-Application Server-Applications/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Application Server-Applications/Operational" | |
| source: "Microsoft-Windows-Application Server-Applications/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppLocker/EXE and DLL" | |
| source: "Microsoft-Windows-AppLocker/EXE and DLL" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-AppLocker/MSI and Script" | |
| source: "Microsoft-Windows-AppLocker/MSI and Script" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Application-Experience/Program-Inventory" | |
| source: "Microsoft-Windows-Application-Experience/Program-Inventory" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Application-Experience/Steps-Recorder" | |
| source: "Microsoft-Windows-Application-Experience/Steps-Recorder" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Hyper-V-Hypervisor-Admin" | |
| source: "Microsoft-Windows-Hyper-V-Hypervisor-Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin" | |
| source: "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-MsLbfoProvider/Operational" | |
| source: "Microsoft-Windows-MsLbfoProvider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Hyper-V-Hypervisor-Operational" | |
| source: "Microsoft-Windows-Hyper-V-Hypervisor-Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational" | |
| source: "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-IKE/Operational" | |
| source: "Microsoft-Windows-IKE/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-IdCtrls/Operational" | |
| source: "Microsoft-Windows-IdCtrls/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Host-Network-Service-Operational" | |
| source: "Microsoft-Windows-Host-Network-Service-Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-FileShareShadowCopyProvider/Operational" | |
| source: "Microsoft-Windows-FileShareShadowCopyProvider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-FileServices-ServerManager-EventProvider/Operational" | |
| source: "Microsoft-Windows-FileServices-ServerManager-EventProvider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-FileServices-ServerManager-EventProvider/Admin" | |
| source: "Microsoft-Windows-FileServices-ServerManager-EventProvider/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-FMS/Operational" | |
| source: "Microsoft-Windows-FMS/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Help/Operational" | |
| source: "Microsoft-Windows-Help/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-GenericRoaming/Admin" | |
| source: "Microsoft-Windows-GenericRoaming/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Folder Redirection/Operational" | |
| source: "Microsoft-Windows-Folder Redirection/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kernel-WHEA/Errors" | |
| source: "Microsoft-Windows-Kernel-WHEA/Errors" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kernel-WDI/Operational" | |
| source: "Microsoft-Windows-Kernel-WDI/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kernel-StoreMgr/Operational" | |
| source: "Microsoft-Windows-Kernel-StoreMgr/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-MemoryDiagnostics-Results/Debug" | |
| source: "Microsoft-Windows-MemoryDiagnostics-Results/Debug" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin" | |
| source: "Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational" | |
| source: "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-MiStreamProvider/Operational" | |
| source: "Microsoft-Windows-MiStreamProvider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kernel-Power/Thermal-Operational" | |
| source: "Microsoft-Windows-Kernel-Power/Thermal-Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Mprddm/Operational" | |
| source: "Microsoft-Windows-Mprddm/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-KdsSvc/Operational" | |
| source: "Microsoft-Windows-KdsSvc/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Iphlpsvc/Operational" | |
| source: "Microsoft-Windows-Iphlpsvc/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" | |
| source: "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kernel-EventTracing/Admin" | |
| source: "Microsoft-Windows-Kernel-EventTracing/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kernel-ApphelpCache/Operational" | |
| source: "Microsoft-Windows-Kernel-ApphelpCache/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Windows Defender/WHC" | |
| source: "Microsoft-Windows-Windows Defender/WHC" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-FederationServices-Deployment/Operational" | |
| source: "Microsoft-Windows-FederationServices-Deployment/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-EapHost/Operational" | |
| source: "Microsoft-Windows-EapHost/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DSC/Operational" | |
| source: "Microsoft-Windows-DSC/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-NdisImPlatform/Operational" | |
| source: "Microsoft-Windows-NdisImPlatform/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-EapMethods-RasChap/Operational" | |
| source: "Microsoft-Windows-EapMethods-RasChap/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-NetworkProvider/Operational" | |
| source: "Microsoft-Windows-NetworkProvider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-EapMethods-Sim/Operational" | |
| source: "Microsoft-Windows-EapMethods-Sim/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-EapMethods-RasTls/Operational" | |
| source: "Microsoft-Windows-EapMethods-RasTls/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DSC/Admin" | |
| source: "Microsoft-Windows-DSC/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Diagnostics-Networking/Operational" | |
| source: "Microsoft-Windows-Diagnostics-Networking/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational" | |
| source: "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Diagnosis-PLA/Operational" | |
| source: "Microsoft-Windows-Diagnosis-PLA/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DiskDiagnostic/Operational" | |
| source: "Microsoft-Windows-DiskDiagnostic/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-NetworkLocationWizard/Operational" | |
| source: "Microsoft-Windows-NetworkLocationWizard/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DiskDiagnosticResolver/Operational" | |
| source: "Microsoft-Windows-DiskDiagnosticResolver/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DiskDiagnosticDataCollector/Operational" | |
| source: "Microsoft-Windows-DiskDiagnosticDataCollector/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-MUI/Admin" | |
| source: "Microsoft-Windows-MUI/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-EnrollmentWebService/Admin" | |
| source: "Microsoft-Windows-EnrollmentWebService/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-FeatureConfiguration/Operational" | |
| source: "Microsoft-Windows-FeatureConfiguration/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Fault-Tolerant-Heap/Operational" | |
| source: "Microsoft-Windows-Fault-Tolerant-Heap/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-EventCollector/Operational" | |
| source: "Microsoft-Windows-EventCollector/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-EnrollmentPolicyWebService/Admin" | |
| source: "Microsoft-Windows-EnrollmentPolicyWebService/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-EDP-Application-Learning/Admin" | |
| source: "Microsoft-Windows-EDP-Application-Learning/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-EapMethods-Ttls/Operational" | |
| source: "Microsoft-Windows-EapMethods-Ttls/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WindowsSystemAssessmentTool/Operational" | |
| source: "Microsoft-Windows-WindowsSystemAssessmentTool/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-EDP-Audit-TCB/Admin" | |
| source: "Microsoft-Windows-EDP-Audit-TCB/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-EDP-Audit-Regular/Admin" | |
| source: "Microsoft-Windows-EDP-Audit-Regular/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WEPHOSTSVC/Operational" | |
| source: "Microsoft-Windows-WEPHOSTSVC/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Windows Networking Vpn Plugin Platform/OperationalVerbose" | |
| source: "Windows Networking Vpn Plugin Platform/OperationalVerbose" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WebIO-NDF/Diagnostic" | |
| source: "Microsoft-Windows-WebIO-NDF/Diagnostic" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WebAuth/Operational" | |
| source: "Microsoft-Windows-WebAuth/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Windows Networking Vpn Plugin Platform/Operational" | |
| source: "Windows Networking Vpn Plugin Platform/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WinINet-Capture/Analytic" | |
| source: "Microsoft-Windows-WinINet-Capture/Analytic" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Winsock-AFD/Operational" | |
| source: "Microsoft-Windows-Winsock-AFD/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Winsock-NameResolution/Operational" | |
| source: "Microsoft-Windows-Winsock-NameResolution/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WinNat/Oper" | |
| source: "Microsoft-Windows-WinNat/Oper" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WinHTTP-NDF/Diagnostic" | |
| source: "Microsoft-Windows-WinHTTP-NDF/Diagnostic" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WindowsUIImmersive/Operational" | |
| source: "Microsoft-Windows-WindowsUIImmersive/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-VerifyHardwareSecurity/Operational" | |
| source: "Microsoft-Windows-VerifyHardwareSecurity/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" | |
| source: "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurit..." | |
| source: "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurit..." | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-WindowsColorSystem/Operational" | |
| source: "Microsoft-Windows-WindowsColorSystem/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Wordpad/Admin" | |
| source: "Microsoft-Windows-Wordpad/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Network Isolation Operational" | |
| source: "Network Isolation Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Crypto-NCrypt/Operational" | |
| source: "Microsoft-Windows-Crypto-NCrypt/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DFSN-Server/Operational" | |
| source: "Microsoft-Windows-DFSN-Server/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Dhcp-Client/Operational" | |
| source: "Microsoft-Windows-Dhcp-Client/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Crypto-DPAPI/Debug" | |
| source: "Microsoft-Windows-Crypto-DPAPI/Debug" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational" | |
| source: "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-CertPoleEng/Operational" | |
| source: "Microsoft-Windows-CertPoleEng/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-CloudStore/Debug" | |
| source: "Microsoft-Windows-CloudStore/Debug" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Dhcpv6-Client/Operational" | |
| source: "Microsoft-Windows-Dhcpv6-Client/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-glcnd/Admin" | |
| source: "Microsoft-Windows-glcnd/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-HttpService/Log" | |
| source: "Microsoft-Windows-HttpService/Log" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-HttpService/Trace" | |
| source: "Microsoft-Windows-HttpService/Trace" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ESE/Operational" | |
| source: "Microsoft-Windows-ESE/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DisplayColorCalibration/Operational" | |
| source: "Microsoft-Windows-DisplayColorCalibration/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DNS-Client/Operational" | |
| source: "Microsoft-Windows-DNS-Client/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-DriverFrameworks-UserMode/Operational" | |
| source: "Microsoft-Windows-DriverFrameworks-UserMode/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Audio/Informational" | |
| source: "Microsoft-Windows-Audio/Informational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController" | |
| source: "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Authentication/ProtectedUser-Client" | |
| source: "Microsoft-Windows-Authentication/ProtectedUser-Client" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Audio/GlitchDetection" | |
| source: "Microsoft-Windows-Audio/GlitchDetection" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "ForwardedEvents" | |
| source: "ForwardedEvents" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Management-UI/Admin" | |
| source: "Microsoft-Management-UI/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ASN1/Operational" | |
| source: "Microsoft-Windows-ASN1/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController" | |
| source: "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Bits-Client/Analytic" | |
| source: "Microsoft-Windows-Bits-Client/Analytic" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Bluetooth-Bthmini/Operational" | |
| source: "Microsoft-Windows-Bluetooth-Bthmini/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-CAPI2/Operational" | |
| source: "Microsoft-Windows-CAPI2/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational" | |
| source: "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController" | |
| source: "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational" | |
| source: "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational" | |
| source: "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational" | |
| source: "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Security-IdentityListener/Operational" | |
| source: "Microsoft-Windows-Security-IdentityListener/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SecurityMitigationsBroker/Admin" | |
| source: "Microsoft-Windows-SecurityMitigationsBroker/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-RRAS/Operational" | |
| source: "Microsoft-Windows-RRAS/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Proximity-Common/Diagnostic" | |
| source: "Microsoft-Windows-Proximity-Common/Diagnostic" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-RasAgileVpn/Operational" | |
| source: "Microsoft-Windows-RasAgileVpn/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Remotefs-Rdbss/Operational" | |
| source: "Microsoft-Windows-Remotefs-Rdbss/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-ServiceReportingApi/Debug" | |
| source: "Microsoft-Windows-ServiceReportingApi/Debug" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Storage-Disk/Admin" | |
| source: "Microsoft-Windows-Storage-Disk/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Storage-Disk/Operational" | |
| source: "Microsoft-Windows-Storage-Disk/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Storage-Storport/Admin" | |
| source: "Microsoft-Windows-Storage-Storport/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Storage-ClassPnP/Admin" | |
| source: "Microsoft-Windows-Storage-ClassPnP/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-SmartScreen/Debug" | |
| source: "Microsoft-Windows-SmartScreen/Debug" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Storage-ATAPort/Admin" | |
| source: "Microsoft-Windows-Storage-ATAPort/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Storage-ATAPort/Operational" | |
| source: "Microsoft-Windows-Storage-ATAPort/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational" | |
| source: "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-LSA/Operational" | |
| source: "Microsoft-Windows-LSA/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource" | |
| source: "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kerberos/Operational" | |
| source: "Microsoft-Windows-Kerberos/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational" | |
| source: "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kerberos-KdcProxy/Operational" | |
| source: "Microsoft-Windows-Kerberos-KdcProxy/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational" | |
| source: "Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-MSPaint/Admin" | |
| source: "Microsoft-Windows-MSPaint/Admin" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PersistentMemory-ScmBus/Operational" | |
| source: "Microsoft-Windows-PersistentMemory-ScmBus/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-PrintService/Operational" | |
| source: "Microsoft-Windows-PrintService/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Program-Compatibility-Assistant/Analytic" | |
| source: "Microsoft-Windows-Program-Compatibility-Assistant/Analytic" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-OtpCredentialProvider/Operational" | |
| source: "Microsoft-Windows-OtpCredentialProvider/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-Ncasvc/Operational" | |
| source: "Microsoft-Windows-Ncasvc/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-NDIS/Operational" | |
| source: "Microsoft-Windows-NDIS/Operational" | |
| service: activedirectory | |
| - type: windows_event | |
| channel_path: "Microsoft-Windows-OneX/Operational" | |
| source: "Microsoft-Windows-OneX/Operational" | |
| service: activedirectory |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment