Implement data collection rule for WDAC
This commit is contained in:
Родитель
b31140fe50
Коммит
75aa308ba2
|
@ -508,6 +508,46 @@
|
|||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"apiVersion": "2021-04-01",
|
||||
"type": "Microsoft.Insights/dataCollectionRules",
|
||||
"name": "DCR-WDACEvents",
|
||||
"kind": "Windows",
|
||||
"location": "[parameters('workspaceRegion')]",
|
||||
"properties": {
|
||||
"dataSources": {
|
||||
"windowsEventLogs": [
|
||||
{
|
||||
"streams": [
|
||||
"Microsoft-WindowsEvent"
|
||||
],
|
||||
"xPathQueries": [
|
||||
"$XPath = 'Microsoft-Windows-CodeIntegrity/Operational!*[System[((EventID=3077 or EventID=3092 or EventID=3099))]]'!*"
|
||||
],
|
||||
"name": "WDACEvents"
|
||||
}
|
||||
]
|
||||
},
|
||||
"destinations": {
|
||||
"logAnalytics": [
|
||||
{
|
||||
"workspaceResourceId": "[parameters('workspaceResourceId')]",
|
||||
"name": "[variables('workspaceName')]"
|
||||
}
|
||||
]
|
||||
},
|
||||
"dataFlows": [
|
||||
{
|
||||
"streams": [
|
||||
"Microsoft-Event"
|
||||
],
|
||||
"destinations": [
|
||||
"[variables('workspaceName')]"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
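Review bot: The xPathQueries entry at the `"$XPath = '...'!*"` line is not a DCR XPath query but a pasted PowerShell assignment: the `$XPath = '` prefix and the trailing `'!*` wrap the real channel!query string, so the agent will either reject the rule or match no CodeIntegrity events, and the WDAC detections this rule feeds would silently receive nothing. The entry should be just `"Microsoft-Windows-CodeIntegrity/Operational!*[System[(EventID=3077 or EventID=3092 or EventID=3099)]]"`. Separately, the data source declares the stream `Microsoft-WindowsEvent` while the dataFlows entry routes `Microsoft-Event`; a flow stream that no data source emits leaves the collected events without a destination (or fails validation), so both should name the same stream, chosen to match the table the downstream WDAC queries read. Since nothing in the template detects an empty result, confirm after deployment that the target table actually receives CodeIntegrity rows.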