fix: update event log configuration and refine xPathQueries for data collection rules

Kanchan-Microsoft · Kanchan-Microsoft · commit e13d1c5a86d1 · 2026-05-19T16:43:53.000+05:30
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -435,17 +435,8 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
             streams: [
               'Microsoft-Event'
             ]
-            eventLogName: 'Security'
-            eventTypes: [
-              {
-                eventType: 'Audit Success'
-              }
-              {
-                eventType: 'Audit Failure'
-              }
-            ]
             xPathQueries: [
-              'Security!*[System[(EventID=4624 or EventID=4625)]]'
+              'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
             ]
           }
         ]
diff --git a/infra/main.json b/infra/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.42.1.51946",
-      "templateHash": "11967716103255684929"
+      "templateHash": "12538110573757351724"
     },
     "name": "Content Processing Solution Accelerator",
     "description": "Bicep template to deploy the Content Processing Solution Accelerator with AVM compliance."
@@ -14609,17 +14609,8 @@
                     "streams": [
                       "Microsoft-Event"
                     ],
-                    "eventLogName": "Security",
-                    "eventTypes": [
-                      {
-                        "eventType": "Audit Success"
-                      },
-                      {
-                        "eventType": "Audit Failure"
-                      }
-                    ],
                     "xPathQueries": [
-                      "Security!*[System[(EventID=4624 or EventID=4625)]]"
+                      "Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]"
                     ]
                   }
                 ]
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
@@ -438,17 +438,8 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
             streams: [
               'Microsoft-Event'
             ]
-            eventLogName: 'Security'
-            eventTypes: [
-              {
-                eventType: 'Audit Success'
-              }
-              {
-                eventType: 'Audit Failure'
-              }
-            ]
             xPathQueries: [
-              'Security!*[System[(EventID=4624 or EventID=4625)]]'
+              'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
             ]
           }
         ]

Original file line number	Diff line number	Diff line change
`@@ -435,17 +435,8 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-`
`435`	`435`	`streams: [`
`436`	`436`	`'Microsoft-Event'`
`437`	`437`	`]`
`438`		`- eventLogName: 'Security'`
`439`		`- eventTypes: [`
`440`		`- {`
`441`		`- eventType: 'Audit Success'`
`442`		`- }`
`443`		`- {`
`444`		`- eventType: 'Audit Failure'`
`445`		`- }`
`446`		`- ]`
`447`	`438`	`xPathQueries: [`
`448`		`- 'Security!*[System[(EventID=4624 or EventID=4625)]]'`
	`439`	`+ 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'`
`449`	`440`	`]`
`450`	`441`	`}`
`451`	`442`	`]`
Original file line number	Diff line number	Diff line change
`@@ -438,17 +438,8 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-`
`438`	`438`	`streams: [`
`439`	`439`	`'Microsoft-Event'`
`440`	`440`	`]`
`441`		`- eventLogName: 'Security'`
`442`		`- eventTypes: [`
`443`		`- {`
`444`		`- eventType: 'Audit Success'`
`445`		`- }`
`446`		`- {`
`447`		`- eventType: 'Audit Failure'`
`448`		`- }`
`449`		`- ]`
`450`	`441`	`xPathQueries: [`
`451`		`- 'Security!*[System[(EventID=4624 or EventID=4625)]]'`
	`442`	`+ 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'`
`452`	`443`	`]`
`453`	`444`	`}`
`454`	`445`	`]`