SecurityMonitoringMP.CommandLineAuditSetting (UnitMonitorType)

Element properties:

RunAs: Default
Accessibility: Internal
Support Monitor Recalculate: False

Member Modules:

ID Module Type TypeId RunAs 
RegDS DataSource Microsoft.Windows.RegistryProvider Default
CDBad ConditionDetection System.ExpressionFilter Default
CDGood ConditionDetection System.ExpressionFilter Default

Source Code:

<!--
  Unit monitor type SecurityMonitoringMP.CommandLineAuditSetting.

  Purpose: check whether the Windows policy "Include command line in process
  creation events" is enabled on the target computer. It reads the registry
  value ProcessCreationIncludeCmdLine_Enabled and compares it with 1:
    value == 1  : RegValueGood is raised (auditing of the command line is on)
    value != 1  : RegValueBad is raised (auditing of the command line is off)
  Which health state (Healthy / Warning / Critical) each of the two type states
  maps to is decided by the UnitMonitor that references this type, not here.

  Configuration: ComputerName (required, minOccurs="1") is the host whose
  registry is read; it is passed straight through to the data source.
-->
<UnitMonitorType ID="SecurityMonitoringMP.CommandLineAuditSetting" Accessibility="Internal">
<!-- The two type states. NoDetection="false" on both: each state is reached
     only through its RegularDetection at the bottom of this element. -->
<MonitorTypeStates>
<MonitorTypeState ID="RegValueBad" NoDetection="false"/>
<MonitorTypeState ID="RegValueGood" NoDetection="false"/>
</MonitorTypeStates>
<Configuration>
<!-- Required parameter: the name of the computer whose registry is read. -->
<xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="ComputerName" type="xsd:string"/>
</Configuration>
<MonitorImplementation>
<MemberModules>
<!-- Data source: polls one registry value every 900 seconds (15 minutes). -->
<DataSource ID="RegDS" TypeID="Windows!Microsoft.Windows.RegistryProvider">
<ComputerName>$Config/ComputerName$</ComputerName>
<RegistryAttributeDefinitions>
<RegistryAttributeDefinition>
<!-- AttributeName becomes the element name under Values/ in the emitted data
     item; both XPathQuery expressions below address it by this name. -->
<AttributeName>ProcessCreationIncludeCmdLine_Enabled</AttributeName>
<!-- Path carries no hive prefix. NOTE(review): the RegistryProvider is expected
     to resolve it under HKEY_LOCAL_MACHINE, i.e. the machine-wide policy value
     rather than a per-user one; confirm against the provider documentation. -->
<Path>SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\Audit\ProcessCreationIncludeCmdLine_Enabled</Path>
<!-- PathType 1: the Path names a registry value (0 would name a key). -->
<PathType>1</PathType>
<!-- AttributeType 2: read the value as an integer, which is what the
     UnsignedInteger comparisons in CDGood and CDBad rely on. -->
<AttributeType>2</AttributeType>
</RegistryAttributeDefinition>
</RegistryAttributeDefinitions>
<!-- Polling interval in seconds. A change to the audit setting is therefore
     noticed up to 15 minutes after it happens; lower this if faster detection
     of the setting being switched off is required. -->
<Frequency>900</Frequency>
</DataSource>
<!-- CDGood: passes the data item only when the value equals 1. -->
<ConditionDetection ID="CDGood" TypeID="System!System.ExpressionFilter">
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">Values/ProcessCreationIncludeCmdLine_Enabled</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</ConditionDetection>
<!-- CDBad: passes the data item when the value is any unsigned integer other
     than 1. NOTE(review): if the value is absent (policy never configured) or
     not numeric, the UnsignedInteger conversion in the XPathQuery presumably
     fails and neither CDGood nor CDBad passes, so the "not configured" case,
     which is the insecure default, may never surface as RegValueBad. Confirm
     how the RegistryProvider reports a missing value; a separate existence
     (boolean-typed) attribute definition may be needed to cover it. -->
<ConditionDetection ID="CDBad" TypeID="System!System.ExpressionFilter">
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">Values/ProcessCreationIncludeCmdLine_Enabled</XPathQuery>
</ValueExpression>
<Operator>NotEqual</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</ConditionDetection>
</MemberModules>
<!-- Workflow wiring: each detection feeds the RegDS output through one of the
     two filters; the filter that passes the item sets the corresponding state. -->
<RegularDetections>
<RegularDetection MonitorTypeStateID="RegValueBad">
<Node ID="CDBad">
<Node ID="RegDS"/>
</Node>
</RegularDetection>
<RegularDetection MonitorTypeStateID="RegValueGood">
<Node ID="CDGood">
<Node ID="RegDS"/>
</Node>
</RegularDetection>
</RegularDetections>
</MonitorImplementation>
</UnitMonitorType>