Massive clean-up of all the existing WEC subscription samples

 - Made all the XPath queries much more readable via an improved layout
 - Fixed bug in XPath queries for Wi-Fi connection security & auth status
 - Fix formatting inconsistencies (tabs to spaces, indentation, etc...)
 - Added missing XML declaration
 - Added missing PublisherName XML element

Subscriptions/Account Lockout Alerts.xml

@@ -1,13 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
 <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
-    <SubscriptionId>AccountLocked</SubscriptionId>
+    <SubscriptionId>Account Lockout Alerts</SubscriptionId>
     <SubscriptionType>SourceInitiated</SubscriptionType>
-    <Description>User Account Locked Out. Targets: Vista+</Description>
+    <Description>Events indicating a user account was locked</Description>
     <Enabled>true</Enabled>
     <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
 
-    <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
     <ConfigurationMode>Custom</ConfigurationMode>
-
     <Delivery Mode="Push">
         <Batching>
             <MaxItems>1</MaxItems>
@@ -20,25 +19,27 @@
 
     <Query>
         <![CDATA[
-
 <QueryList>
   <Query Id="0" Path="Security">
-	<!-- For Domain Accounts, event is created on DC-->
-	<!-- For Local Accounts, event is created locally-->
-	<!-- Account Lockouts -->
-    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and EventID=4740]]</Select>
+    <!-- Account Lockouts -->
+    <!-- For Local Accounts, the event is created locally -->
+    <!-- For Domain Accounts, the event is created on the authenticating DC -->
+    <Select Path="Security">
+      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
+        and (Level=4 or Level=0)
+        and EventID=4740]]
+    </Select>
   </Query>
 </QueryList>
-
-
         ]]>
     </Query>
 
     <ReadExistingEvents>true</ReadExistingEvents>
-    <TransportName>http</TransportName>
+    <TransportName>HTTP</TransportName>
     <ContentFormat>RenderedText</ContentFormat>
     <Locale Language="en-US"/>
     <LogFile>ForwardedEvents</LogFile>
+    <PublisherName>Microsoft-Windows-EventCollector</PublisherName>
     <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
     <AllowedSourceDomainComputers></AllowedSourceDomainComputers>
 </Subscription>

Subscriptions/Account Logon Activity.xml

@@ -1,13 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
 <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
-    <SubscriptionId>AccountLogons</SubscriptionId>
+    <SubscriptionId>Account Logon Activity</SubscriptionId>
     <SubscriptionType>SourceInitiated</SubscriptionType>
-    <Description>Captures Non-Kerberos Success and Failed Logons</Description>
+    <Description>Events for non-Kerberos account logon activity</Description>
     <Enabled>true</Enabled>
     <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
 
-    <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
     <ConfigurationMode>Custom</ConfigurationMode>
-
     <Delivery Mode="Push">
         <Batching>
             <MaxItems>1</MaxItems>
@@ -20,93 +19,89 @@
 
     <Query>
         <![CDATA[
-
 <QueryList>
   <Query Id="0" Path="Security">
-	<!-- Account Logon Activities -->
+    <!-- Account logon audits -->
     <Select Path="Security">
-          *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and (EventID=4624 or EventID=4625)]]
-          and
-         *[EventData[Data[@Name='AuthenticationPackageName'] != 'Kerberos']]
-          and
-          *[EventData[Data[@Name='TargetUserName'] != 'ANONYMOUS LOGON']]
+      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
+        and (Level=4 or Level=0)
+        and (EventID=4624 or EventID=4625)]]
+      and
+      *[EventData[Data[@Name='AuthenticationPackageName']!='Kerberos']]
+      and
+      *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']]
     </Select>
-	
-	<!-- Pass the Hash Success Detection -->
-	<Select Path="Security">
-		*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
-			and (Level=4 or Level=0) and EventID=4624]]
-		and
-		*[EventData[Data[@Name='LogonType']='3']]
-		and
-		*[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
-		and
-		*[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']]
-		and
-		*[EventData[Data[@Name='TargetDomainName']!='TEST']]
-	</Select>
 
-	<!-- Pass the Hash Failed Detection -->
-	<Select Path="Security">
-		*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] 
-			and (Level=4 or Level=0) and EventID=4625]]
-		and
-		*[EventData[Data[@Name='LogonType']='3']]
-		and
-		*[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
-		and
-		*[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']]
-		and
-		*[EventData[Data[@Name='TargetDomainName']!='TEST']]
-	</Select>
-	
-	<!-- Collects Logon and Logoffs of RDP -->
-	<!-- Remote Desktop Protocol Connections -->
-	<Select Path="Security">
-	*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] 
-		and (Level=4 or Level=0) and (EventID=4624 or EventID=4634)]]
-	and
-	*[EventData[Data[@Name='LogonType']='10']]
-	and
-	(
-		*[EventData[Data[5]='10']]
-		or
-		*[EventData[Data[@Name='AuthenticationPackageName']='Negotiate']]
-	)
-	</Select>
+    <!-- Pass the Hash Detection: Success -->
+    <Select Path="Security">
+      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
+        and (Level=4 or Level=0)
+        and EventID=4624]]
+      and
+      *[EventData[Data[@Name='LogonType']='3']]
+      and
+      *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
+      and
+      *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']]
+      and
+      *[EventData[Data[@Name='TargetDomainName']!='DOMAIN_NAME_HERE']]
+    </Select>
 
-	<!-- Removes all service (success/failed) logons from being captured -->
-	<!-- LogonType 5 and 0 are respectively used for services and system logons. 
-	See: http://blogs.msdn.com/b/ericfitz/archive/2008/02/26/you-learn-something-new-every-day-logon-type-0.aspx 
-	-->
-<Suppress Path="Security">
-	*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] 
-		and (Level=4 or Level=0) and (EventID=4624 or EventID=4625 or EventID=4634)]]
-	and
-		*[EventData[
-		(
-			(Data[@Name='LogonType']='5' or Data[@Name='LogonType']='0') 
-			or
-			Data[@Name='TargetUserName']='ANONYMOUS LOGON'
-			or
-			Data[@Name='TargetUserSID']='S-1-5-18'
-		)
-]]
+    <!-- Pass the Hash Detection: Failure -->
+    <Select Path="Security">
+      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
+        and (Level=4 or Level=0)
+        and EventID=4625]]
+      and
+      *[EventData[Data[@Name='LogonType']='3']]
+      and
+      *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
+      and
+      *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']]
+      and
+      *[EventData[Data[@Name='TargetDomainName']!='DOMAIN_NAME_HERE']]
+    </Select>
 
-	</Suppress>
-	
+    <!-- RDP logon audits -->
+    <Select Path="Security">
+      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
+        and (Level=4 or Level=0)
+        and (EventID=4624 or EventID=4634)]]
+      and
+      *[EventData[Data[@Name='LogonType']='10']]
+      and (
+        *[EventData[Data[5]='10']]
+        or
+        *[EventData[Data[@Name='AuthenticationPackageName']='Negotiate']])
+    </Select>
+
+    <!-- Stops all service logons (success & failure) from being captured -->
+    <!-- LogonType 5 and 0 are used for service and system logons respectively -->
+    <Suppress Path="Security">
+      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
+        and (Level=4 or Level=0)
+        and (EventID=4624 or EventID=4625 or EventID=4634)]]
+      and
+      *[EventData[((
+          Data[@Name='LogonType']='5'
+          or
+          Data[@Name='LogonType']='0')
+        or
+        Data[@Name='TargetUserName']='ANONYMOUS LOGON'
+        or
+        Data[@Name='TargetUserSID']='S-1-5-18')]]
+    </Suppress>
   </Query>
 </QueryList>
-
-
         ]]>
     </Query>
 
     <ReadExistingEvents>true</ReadExistingEvents>
-    <TransportName>http</TransportName>
+    <TransportName>HTTP</TransportName>
     <ContentFormat>RenderedText</ContentFormat>
     <Locale Language="en-US"/>
     <LogFile>ForwardedEvents</LogFile>
+    <PublisherName>Microsoft-Windows-EventCollector</PublisherName>
     <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
     <AllowedSourceDomainComputers></AllowedSourceDomainComputers>
 </Subscription>

Subscriptions/Application Blocks.xml

@@ -1,13 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
 <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
-    <SubscriptionId>WhitelistingLogs</SubscriptionId>
+    <SubscriptionId>Application Blocks</SubscriptionId>
     <SubscriptionType>SourceInitiated</SubscriptionType>
-    <Description>AppLocker and SRP Logs. Targets: Windows XP+</Description>
+    <Description>Events for AppLocker &amp; SRP blocks</Description>
     <Enabled>true</Enabled>
     <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
 
-    <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
     <ConfigurationMode>Custom</ConfigurationMode>
-
     <Delivery Mode="Push">
         <Batching>
             <MaxItems>1</MaxItems>
@@ -22,25 +21,30 @@
         <![CDATA[
 <QueryList>
   <Query Id="0" Path="Application">
-	<!-- AppLocker Blocks -->
-    <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*[System[Provider[@Name='Microsoft-Windows-AppLocker'] and (Level=2 or Level=3) and (EventID=8003 or EventID=8004)]]</Select>
+    <!-- AppLocker blocks -->
+    <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">
+      *[System[Provider[@Name='Microsoft-Windows-AppLocker']
+        and (Level=2 or Level=3)
+        and (EventID=8003 or EventID=8004)]]
+    </Select>
 
-<!-- AppLocker Permitted Scripts -->    
-<Select Path="Microsoft-Windows-AppLocker/MSI and Script">*[System[Provider[@Name='Microsoft-Windows-AppLocker'] and (Level=2 or Level=3) and (EventID=8006 or EventID=8007)]]</Select>
-	
-<!-- Software Restriction Policy Blocks -->
-    <Select Path="Application">*[System[Provider[@Name='Microsoft-Windows-SoftwareRestrictionPolicies'] and Level=3 and (EventID=865 or EventID=866 or EventID=867 or EventID=868 or EventID=882)]]</Select>
+    <!-- SRP blocks -->
+    <Select Path="Application">
+      *[System[Provider[@Name='Microsoft-Windows-SoftwareRestrictionPolicies']
+        and Level=3
+        and (EventID=865 or EventID=866 or EventID=867 or EventID=868 or EventID=882)]]
+    </Select>
   </Query>
 </QueryList>
-
         ]]>
     </Query>
 
     <ReadExistingEvents>true</ReadExistingEvents>
-    <TransportName>http</TransportName>
+    <TransportName>HTTP</TransportName>
     <ContentFormat>RenderedText</ContentFormat>
     <Locale Language="en-US"/>
     <LogFile>ForwardedEvents</LogFile>
+    <PublisherName>Microsoft-Windows-EventCollector</PublisherName>
     <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
     <AllowedSourceDomainComputers></AllowedSourceDomainComputers>
 </Subscription>

Subscriptions/Application Crashes.xml

@@ -1,13 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
 <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
-    <SubscriptionId>AppCrash</SubscriptionId>
+    <SubscriptionId>Application Crashes</SubscriptionId>
     <SubscriptionType>SourceInitiated</SubscriptionType>
-    <Description>AppCrash and AppHang and WER Logs. Targets: Windows XP+</Description>
+    <Description>Events for application crashes, hangs &amp; WER reports</Description>
     <Enabled>true</Enabled>
     <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
 
-    <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
     <ConfigurationMode>Custom</ConfigurationMode>
-
     <Delivery Mode="Push">
         <Batching>
             <MaxItems>1</MaxItems>
@@ -20,28 +19,39 @@
 
     <Query>
         <![CDATA[
-
 <QueryList>
   <Query Id="0" Path="Application">
-	<!-- Application Error -->
-    <Select Path="Application">*[System[Provider[@Name='Application Error'] and Level=2 and EventID=1000]]</Select>
-	<!-- Application Hang -->
-    <Select Path="Application">*[System[Provider[@Name='Application Hang'] and Level=2 and EventID=1002]]</Select>
-	<!-- WER Application Crashes Reports -->
-	<Select Path="Application">*[System[Provider[@Name='Windows Error Reporting'] and Level=4 and EventID=1001]]</Select>
+    <!-- Application crashes -->
+    <Select Path="Application">
+      *[System[Provider[@Name='Application Error']
+        and Level=2
+        and EventID=1000]]
+    </Select>
+
+    <!-- Application hangs -->
+    <Select Path="Application">
+      *[System[Provider[@Name='Application Hang']
+        and Level=2
+        and EventID=1002]]
+    </Select>
+
+    <!-- WER reports -->
+    <Select Path="Application">
+      *[System[Provider[@Name='Windows Error Reporting']
+        and Level=4
+        and EventID=1001]]
+    </Select>
   </Query>
-
 </QueryList>
-
-
         ]]>
     </Query>
 
     <ReadExistingEvents>true</ReadExistingEvents>
-    <TransportName>http</TransportName>
+    <TransportName>HTTP</TransportName>
     <ContentFormat>RenderedText</ContentFormat>
     <Locale Language="en-US"/>
     <LogFile>ForwardedEvents</LogFile>
+    <PublisherName>Microsoft-Windows-EventCollector</PublisherName>
     <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
     <AllowedSourceDomainComputers></AllowedSourceDomainComputers>
 </Subscription>