SecurityMonitoringMP.DCServiceCreation.DS (DataSourceModuleType)

Element properties:

Show References:
- Rules (1)
Type	DataSourceModuleType
Isolation	Any
Accessibility	Public
RunAs	Default
OutputType	Microsoft.Windows.EventData
Member Modules:

ID	Module Type	TypeId	RunAs
Event	DataSource	Microsoft.Windows.EventProvider	Default
Overrideable Parameters:

ID	ParameterType	Selector
App1	string	$Config/App1$
App2	string	$Config/App2$
App3	string	$Config/App3$
App4	string	$Config/App4$
App5	string	$Config/App5$
Source Code:

<DataSourceModuleType ID="SecurityMonitoringMP.DCServiceCreation.DS" Accessibility="Public" Batching="false">

  <Configuration>

    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="0" name="App1" type="xsd:string"/>

    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="0" name="App2" type="xsd:string"/>

    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="0" name="App3" type="xsd:string"/>

    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="0" name="App4" type="xsd:string"/>

    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="0" name="App5" type="xsd:string"/>

  </Configuration>

  <OverrideableParameters>

    <OverrideableParameter ID="App1" Selector="$Config/App1$" ParameterType="string"/>

    <OverrideableParameter ID="App2" Selector="$Config/App2$" ParameterType="string"/>

    <OverrideableParameter ID="App3" Selector="$Config/App3$" ParameterType="string"/>

    <OverrideableParameter ID="App4" Selector="$Config/App4$" ParameterType="string"/>

    <OverrideableParameter ID="App5" Selector="$Config/App5$" ParameterType="string"/>

  </OverrideableParameters>

  <ModuleImplementation Isolation="Any">

    <Composite>

      <MemberModules>

        <DataSource ID="Event" TypeID="Windows!Microsoft.Windows.EventProvider">

          <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

          <LogName>System</LogName>

          <Expression>

            <And>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value Type="UnsignedInteger">7045</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

              <Expression>

                <RegExExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">Params/Param[2]</XPathQuery>

                  </ValueExpression>

                  <Operator>DoesNotContainSubstring</Operator>

                  <Pattern>MMAExtensionHeartbeatService.exe</Pattern>

                </RegExExpression>

              </Expression>

              <Expression>

                <RegExExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">Params/Param[2]</XPathQuery>

                  </ValueExpression>

                  <Operator>DoesNotContainSubstring</Operator>

                  <Pattern>ProgramData\Microsoft\Windows Defender\Definition Updates</Pattern>

                </RegExExpression>

              </Expression>

              <Expression>

                <RegExExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">Params/Param[2]</XPathQuery>

                  </ValueExpression>

                  <Operator>DoesNotContainSubstring</Operator>

                  <Pattern>ProgramData\Microsoft\Microsoft Antimalware\Definition</Pattern>

                </RegExExpression>

              </Expression>

              <Expression>

                <RegExExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">Params/Param[2]</XPathQuery>

                  </ValueExpression>

                  <Operator>DoesNotContainSubstring</Operator>

                  <Pattern>$Config/App1$</Pattern>

                </RegExExpression>

              </Expression>

              <Expression>

                <RegExExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">Params/Param[2]</XPathQuery>

                  </ValueExpression>

                  <Operator>DoesNotContainSubstring</Operator>

                  <Pattern>$Config/App2$</Pattern>

                </RegExExpression>

              </Expression>

              <Expression>

                <RegExExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">Params/Param[2]</XPathQuery>

                  </ValueExpression>

                  <Operator>DoesNotContainSubstring</Operator>

                  <Pattern>$Config/App3$</Pattern>

                </RegExExpression>

              </Expression>

              <Expression>

                <RegExExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">Params/Param[2]</XPathQuery>

                  </ValueExpression>

                  <Operator>DoesNotContainSubstring</Operator>

                  <Pattern>$Config/App4$</Pattern>

                </RegExExpression>

              </Expression>

              <Expression>

                <RegExExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">Params/Param[2]</XPathQuery>

                  </ValueExpression>

                  <Operator>DoesNotContainSubstring</Operator>

                  <Pattern>$Config/App5$</Pattern>

                </RegExExpression>

              </Expression>

              <Expression>

                <RegExExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">Params/Param[2]</XPathQuery>

                  </ValueExpression>

                  <Operator>DoesNotContainSubstring</Operator>

                  <Pattern>WindowsAzureNetAgent.exe</Pattern>

                </RegExExpression>

              </Expression>

            </And>

          </Expression>

        </DataSource>

      </MemberModules>

      <Composition>

        <Node ID="Event"/>

      </Composition>

    </Composite>

  </ModuleImplementation>

  <OutputType>Windows!Microsoft.Windows.EventData</OutputType>

</DataSourceModuleType>