AccountLockouts.xml
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
<!-- Windows Event Forwarding subscription: collects account lockout events (Security log, Event ID 4740) from source computers into the collector's ForwardedEvents log. -->
<SubscriptionId>AccountLockouts</SubscriptionId>
<!-- SourceInitiated: the source computers open the connection to the collector; the collector does not poll them. -->
<SubscriptionType>SourceInitiated</SubscriptionType>
<Description>AccountLockouts</Description>
<Enabled>true</Enabled>
<Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
<!-- Custom: the Delivery settings below are used instead of one of the built-in delivery presets. -->
<ConfigurationMode>Custom</ConfigurationMode>
<!-- Both intervals are in milliseconds: batched events are held for at most 1 second before delivery, and a heartbeat is sent every 60 seconds when there is nothing to deliver. -->
<Delivery Mode="Push">
<Batching>
<MaxLatencyTime>1000</MaxLatencyTime>
</Batching>
<PushSettings>
<Heartbeat Interval="60000"/>
</PushSettings>
</Delivery>
<!-- The event query is carried as text inside CDATA, so its markup is not parsed as part of this document. It selects Event ID 4740 (a user account was locked out) from the Security log.
For a domain account this event is recorded on a domain controller, so lockouts are only collected if the domain controllers are among the subscribed sources. -->
<Query>
<![CDATA[
<QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=4740)]]</Select></Query></QueryList>
]]>
</Query>
<!-- true: a newly subscribed source also forwards matching events already present in its log, not only events logged after it subscribes. -->
<ReadExistingEvents>true</ReadExistingEvents>
<!-- HTTP: events travel over WinRM without TLS. NOTE(review): for domain-joined sources WinRM normally authenticates and encrypts the messages with Kerberos/Negotiate, which makes this the usual intra-domain setting; confirm that holds in your environment, since HTTPS is the option when it does not. -->
<TransportName>HTTP</TransportName>
<!-- RenderedText: each event is sent with its message text already rendered on the source, in the Locale below. -->
<ContentFormat>RenderedText</ContentFormat>
<Locale Language="en-US"/>
<LogFile>ForwardedEvents</LogFile>
<PublisherName>Microsoft-Windows-EventCollector</PublisherName>
<!-- No issuer CA is listed here, so this subscription names no trusted issuer for non-domain (certificate-authenticated) sources. -->
<AllowedSourceNonDomainComputers><AllowedIssuerCAList></AllowedIssuerCAList></AllowedSourceNonDomainComputers>
<!-- If you have multiple domains, you will need the identifiers (SIDs) of the groups in every domain that connects to your Event Collector, and put them below. The easiest way is to make a new subscription from the GUI, export it, then cut and paste that field in.
The SDDL below grants Generic All (GA) to two well-known groups of the collector's own domain: DC is "Domain Computers" and DD is "Domain Controllers". It does not include "Domain Users", whose alias would be DU.
O:NS and G:BA set the owner to Network Service and the group to Builtin Administrators; D:P marks the DACL as protected. -->
<AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>