
Commit 24b137d

authored
Merge pull request #93 from PaulHigin/add-wdac-audit
Add WDAC Audit event to manifest
2 parents 4edf312 + a6696e9 commit 24b137d


1 file changed

+69
-19
lines changed


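--- a/src/PowerShell.Core.Instrumentation/PowerShell.Core.Instrumentation.man
+++ b/src/PowerShell.Core.Instrumentation/PowerShell.Core.Instrumentation.man
@@ -2208,6 +2208,18 @@
 value="0x4002"
 version="1"
 />
+<event
+channel="C_OPERATIONAL"
+keywords="WDACAudit"
+level="win:Verbose"
+message = "$(string.PS_PROVIDER.event.E_A_WDACAudit.message)"
+opcode="Method"
+symbol="WDACAudit"
+task="WDACAudit"
+template="T_WDACAudit"
+value="0x4003"
+version="1"
+/>
 </events>
 <channels>
 <!--There are two channels defined for Windows PowerShell instrumentation
@@ -2432,17 +2444,23 @@
 value="120"
 />
 <task
-message="$(string.PS_PROVIDER.task.T_AmsiState.message)"
-name="Amsi"
-symbol="T_Amsi"
-value="130"
-/>
+message="$(string.PS_PROVIDER.task.T_AmsiState.message)"
+name="Amsi"
+symbol="T_Amsi"
+value="130"
+/>
 <task
 message="$(string.PS_PROVIDER.task.T_WDACQuery.message)"
 name="WDAC"
 symbol="T_WDAC"
 value="131"
 />
+<task
+message="$(string.PS_PROVIDER.task.T_WDACAudit.message)"
+name="WDACAudit"
+symbol="T_WDACAudit"
+value="132"
+/>
 </tasks>
 <opcodes>
 <opcode
@@ -2604,17 +2622,23 @@
 symbol="K_PSWORKFLOW"
 />
 <keyword
-mask="0x400"
-message="$(string.PS_PROVIDER.keyword.K_AmsiState.message)"
-name="AmsiState"
-symbol="K_AmsiState"
-/>
+mask="0x400"
+message="$(string.PS_PROVIDER.keyword.K_AmsiState.message)"
+name="AmsiState"
+symbol="K_AmsiState"
+/>
 <keyword
 mask="0x800"
 message="$(string.PS_PROVIDER.keyword.K_WDACQuery.message)"
 name="WDACQuery"
 symbol="K_WDACQuery"
 />
+<keyword
+mask="0x1000"
+message="$(string.PS_PROVIDER.keyword.K_WDACAudit.message)"
+name="WDACAudit"
+symbol="K_WDACAudit"
+/>
 </keywords>
 <maps>
 <!-- please keep in sync with SerializationMethod from
@@ -4073,14 +4097,14 @@
 />
 </template>
 <template tid="T_AmsiState">
-<data
-inType="win:UnicodeString"
-name="Action"
-/>
-<data
-inType="win:UnicodeString"
-name="AmsiContext"
-/>
+<data
+inType="win:UnicodeString"
+name="Action"
+/>
+<data
+inType="win:UnicodeString"
+name="AmsiContext"
+/>
 </template>
 <template tid="T_WDACQuery">
 <data
@@ -4099,7 +4123,21 @@
 inType="win:Int32"
 name="QuerySResult"
 />
-</template>
+</template>
+<template tid="T_WDACAudit">
+<data
+inType="win:UnicodeString"
+name="Title"
+/>
+<data
+inType="win:UnicodeString"
+name="Message"
+/>
+<data
+inType="win:UnicodeString"
+name="FullyQualifiedId"
+/>
+</template>
 </templates>
 </provider>
 </events>
@@ -5729,6 +5767,18 @@
 id="PS_PROVIDER.task.T_WDACQuery.message"
 value="WDAC Query"
 />
+<string
+id="PS_PROVIDER.event.E_A_WDACAudit.message"
+value="WDAC Audit. %n %t Title: %1 %n %t Message: %2 %n %t FullyQualifiedId: %3"
+/>
+<string
+id="PS_PROVIDER.keyword.K_WDACAudit.message"
+value="WDAC Audit"
+/>
+<string
+id="PS_PROVIDER.task.T_WDACAudit.message"
+value="WDAC Audit"
+/>
 </stringTable>
 </resources>
 </localization>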
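Review bot: The new WDACAudit event in the first hunk is declared with `level="win:Verbose"`, so whether it is ever written depends on the level the C_OPERATIONAL channel (or an explicit trace session) is enabled at, and if that channel collects only up to Informational by default, the audit records — the evidence of what WDAC would have blocked in audit mode, which is exactly what defenders and policy authors want from this event — will not be captured out of the box. The channel definition and the sibling WDACQuery event's level are both outside these hunks, so I cannot confirm which way it falls; if the intent is for audit events to be collected by default, consider `level="win:Informational"` and record the decision in a manifest comment such as `<!-- WDAC audit records must be collected by default channel settings -->`. Separately, `message = "$(string.PS_PROVIDER.event.E_A_WDACAudit.message)"` has spaces around the equals sign, unlike every other attribute in this file; it is well-formed XML but should be normalized to `message="$(string.PS_PROVIDER.event.E_A_WDACAudit.message)"` for consistency. The enclosing `<events>` element begins outside the hunk.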
