Merge pull request #322 from mattiasborg82/patch-1

Update use-windows-event-forwarding-to-assist-in-instrusion-detection.md
Brian Lich 2017-11-09 08:31:18 -08:00 committed by GitHub
commit 215e070fc7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -606,9 +606,9 @@ Here are the minimum steps for WEF to operate:
<Query Id="7" Path="Microsoft-Windows-DNS-Client/Operational"> <Query Id="7" Path="Microsoft-Windows-DNS-Client/Operational">
<!-- DNS Client events Query Completed (3008) --> <!-- DNS Client events Query Completed (3008) -->
<Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select> <Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select>
<!—suppresses local machine name resolution events--> <!-- suppresses local machine name resolution events -->
<Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryOptions"]="140737488355328"]]</Suppress> <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryOptions"]="140737488355328"]]</Suppress>
<!—suppresses empty name resolution events --> <!-- suppresses empty name resolution events -->
<Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryResults"]=""]]</Suppress> <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryResults"]=""]]</Suppress>
</Query> </Query>
<Query Id="8" Path="Security"> <Query Id="8" Path="Security">
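Review bot: the two `<!—suppresses …` comment openers on the left-hand side use an em-dash (U+2014) instead of `<!--`, which is not a valid XML comment start, so a subscription query pasted from the old text would fail to parse when loaded into a WEF subscription; replacing them with `<!-- … -->` as done here is the correct fix. Since the same character substitution appears further down the file, it is worth running the whole `<QueryList>` through an XML parser once to confirm no other occurrences remain.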
@ -636,7 +636,7 @@ Here are the minimum steps for WEF to operate:
<Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[(EventID=2004)]]</Select> <Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[(EventID=2004)]]</Select>
</Query> </Query>
<Query Id="14" Path=" Windows PowerShell"> <Query Id="14" Path=" Windows PowerShell">
<!—Legacy PowerShell pipeline execution details (800) --> <!-- Legacy PowerShell pipeline execution details (800) -->
<Select Path=" Windows PowerShell">*[System[(EventID=800)]]</Select> <Select Path=" Windows PowerShell">*[System[(EventID=800)]]</Select>
</Query> </Query>
</QueryList> </QueryList>
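Review bot: the `<!—Legacy PowerShell …` opener is the same invalid em-dash comment as in the previous hunk, and the `<!-- … -->` replacement is correct. Separately, `Path=" Windows PowerShell"` on the `<Query>` and `<Select>` elements carries a leading space inside the attribute value on both the old and new sides; that looks accidental and is not addressed by this change, so consider a follow-up that drops the space (`Path="Windows PowerShell"`) and verifies the query against the channel name shown in Event Viewer.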
@ -650,4 +650,4 @@ You can get more info with the following links:
- [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx) - [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx)
- [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) - [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx)
Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=use-windows-event-forwarding-to-assist-in-instrusion-detection.md). Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=use-windows-event-forwarding-to-assist-in-instrusion-detection.md).
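Review bot: the before and after sides of this hunk read identically, so the only change here is presumably whitespace or an end-of-file newline, which the commit message does not mention; viewing the diff with whitespace changes shown would confirm that, and if so the hunk is harmless.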