Microsoft.FEP.SecurityRootCause.MalwareActivity.ActiveMalwareMonitorType (UnitMonitorType)

Element properties:

Run As: Default
Accessibility: Public
Support Monitor Recalculate: True

Member Modules:

ID Module Type TypeId RunAs 
EventsWithAdditionalInfoDataSource DataSource Microsoft.FEP.SecurityRootCause.MalwareActivity.MalwareActivityEventsWithAdditionalInfoDSType Default
EventsWithoutAdditionalInfoDataSource DataSource Microsoft.FEP.SecurityRootCause.MalwareActivity.MalwareActivityEventsWithoutAdditionalInfoDSType Default
WmiProbeWithAdditionalInfo ProbeAction Microsoft.FEP.SecurityRootCause.MalwareActivity.GetInfectionStatusWmiProbeType Default
WmiProbeWithoutAdditionalInfo ProbeAction Microsoft.FEP.SecurityRootCause.MalwareActivity.GetInfectionStatusWmiProbeType Default
FilterActiveMalware ConditionDetection System.ExpressionFilter Default
FilterNoMalware ConditionDetection System.ExpressionFilter Default

Overrideable Parameters:

ID | Parameter Type | Selector | Display Name | Description
TimeoutSeconds | int | $Config/TimeoutSeconds$ | Timeout (Seconds) |

Source Code:

<!-- Unit monitor type for the FEP "active malware" security root cause.
     Two states are declared: NoMalware and ActiveMalware. The xsd: prefix
     and the System! reference alias are resolved by the enclosing management
     pack, which is not part of this listing. -->
<UnitMonitorType ID="Microsoft.FEP.SecurityRootCause.MalwareActivity.ActiveMalwareMonitorType" Accessibility="Public">
<MonitorTypeStates>
<MonitorTypeState ID="NoMalware" NoDetection="false"/>
<MonitorTypeState ID="ActiveMalware" NoDetection="false"/>
</MonitorTypeStates>
<!-- The only configuration item: a required positive integer that is passed
     through to both WMI probes as TimeoutSeconds. It is exposed as an
     overrideable int parameter. -->
<Configuration>
<xsd:element minOccurs="1" name="TimeoutSeconds" type="xsd:positiveInteger"/>
</Configuration>
<OverrideableParameters>
<OverrideableParameter ID="TimeoutSeconds" Selector="$Config/TimeoutSeconds$" ParameterType="int"/>
</OverrideableParameters>
<MonitorImplementation>
<MemberModules>
<!-- Two event data sources, one per regular detection chain below. -->
<DataSource ID="EventsWithAdditionalInfoDataSource" TypeID="Microsoft.FEP.SecurityRootCause.MalwareActivity.MalwareActivityEventsWithAdditionalInfoDSType"/>
<DataSource ID="EventsWithoutAdditionalInfoDataSource" TypeID="Microsoft.FEP.SecurityRootCause.MalwareActivity.MalwareActivityEventsWithoutAdditionalInfoDSType"/>
<!-- Both probes are the same module type; they differ only in IsInfoIncluded
     and in whether the Threat* fields are taken from the triggering event's
     parameters ($Data/Params/Param[n]$, positional references) or are the
     literal string "Unknown". The meaning of each parameter index is implied
     by the element names only; the event schema is not shown here. Values
     such as ThreatPath and ThreatFWLink are forwarded verbatim from the event,
     so any consumer that later renders them (an alert description, a link)
     should treat them as untrusted text rather than as a verified path or URL. -->
<ProbeAction ID="WmiProbeWithAdditionalInfo" TypeID="Microsoft.FEP.SecurityRootCause.MalwareActivity.GetInfectionStatusWmiProbeType">
<IsInfoIncluded>true</IsInfoIncluded>
<ThreatSeverity>$Data/Params/Param[10]$</ThreatSeverity>
<ThreatCategory>$Data/Params/Param[12]$</ThreatCategory>
<ThreatFWLink>$Data/Params/Param[13]$</ThreatFWLink>
<ThreatPath>$Data/Params/Param[22]$</ThreatPath>
<ThreatAdditionalActions>$Data/Params/Param[38]$</ThreatAdditionalActions>
<TimeoutSeconds>$Config/TimeoutSeconds$</TimeoutSeconds>
</ProbeAction>
<!-- Variant with no event context: every Threat* field is the fixed string
     "Unknown". This is the probe used by both on-demand detections below. -->
<ProbeAction ID="WmiProbeWithoutAdditionalInfo" TypeID="Microsoft.FEP.SecurityRootCause.MalwareActivity.GetInfectionStatusWmiProbeType">
<IsInfoIncluded>false</IsInfoIncluded>
<ThreatSeverity>Unknown</ThreatSeverity>
<ThreatCategory>Unknown</ThreatCategory>
<ThreatFWLink>Unknown</ThreatFWLink>
<ThreatPath>Unknown</ThreatPath>
<ThreatAdditionalActions>Unknown</ThreatAdditionalActions>
<TimeoutSeconds>$Config/TimeoutSeconds$</TimeoutSeconds>
</ProbeAction>
<!-- NoMalware filter: passes when the ComputerStatus property (presumably in
     the probe's output, since the filter sits above the probe in every
     detection chain) equals "1", "2" or "3". The comparison is string-typed,
     so the value is matched as text, not as a number. -->
<ConditionDetection ID="FilterNoMalware" TypeID="System!System.ExpressionFilter">
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='ComputerStatus']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">1</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='ComputerStatus']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">2</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='ComputerStatus']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">3</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</ConditionDetection>
<!-- ActiveMalware filter: passes only when ComputerStatus equals "4". A
     status value matching neither filter is dropped by both chains and, as
     far as this listing shows, produces no state change. -->
<ConditionDetection ID="FilterActiveMalware" TypeID="System!System.ExpressionFilter">
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='ComputerStatus']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">4</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</ConditionDetection>
</MemberModules>
<!-- Regular (event-triggered) detections. Nodes are nested innermost-first:
     event data source, then WMI probe, then filter. The ActiveMalware chain
     uses the "WithAdditionalInfo" pair so threat details from the event reach
     the probe; the NoMalware chain uses the "WithoutAdditionalInfo" pair. -->
<RegularDetections>
<RegularDetection MonitorTypeStateID="NoMalware">
<Node ID="FilterNoMalware">
<Node ID="WmiProbeWithoutAdditionalInfo">
<Node ID="EventsWithoutAdditionalInfoDataSource"/>
</Node>
</Node>
</RegularDetection>
<RegularDetection MonitorTypeStateID="ActiveMalware">
<Node ID="FilterActiveMalware">
<Node ID="WmiProbeWithAdditionalInfo">
<Node ID="EventsWithAdditionalInfoDataSource"/>
</Node>
</Node>
</RegularDetection>
</RegularDetections>
<!-- On-demand detections (e.g. a monitor recalculate) have no data source
     node. Both states, including ActiveMalware, run WmiProbeWithoutAdditionalInfo,
     presumably because there is no triggering event to supply $Data/Params$;
     on this path the threat detail fields are therefore "Unknown". -->
<OnDemandDetections>
<OnDemandDetection MonitorTypeStateID="NoMalware">
<Node ID="FilterNoMalware">
<Node ID="WmiProbeWithoutAdditionalInfo"/>
</Node>
</OnDemandDetection>
<OnDemandDetection MonitorTypeStateID="ActiveMalware">
<Node ID="FilterActiveMalware">
<Node ID="WmiProbeWithoutAdditionalInfo"/>
</Node>
</OnDemandDetection>
</OnDemandDetections>
</MonitorImplementation>
</UnitMonitorType>