
Enable and Disable Auditing of Events

The following steps describe how to enable and disable auditing of events.

1.  Retrieve the instance of AMT_AuditPolicyRule, where the “PolicyRuleName” key equals “Audit Policy Rule”.

2.  Perform one of the following:

   Invoke AMT_AuditPolicyRule.SetAuditPolicy to enable or disable auditing for a single event.


You can execute this snippet by inserting it into the execution template found here.

  

# Step 1: get a reference to the AMT_AuditPolicyRule instance named 'Audit Policy Rule'
$auditPolicyRuleRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_AuditPolicyRule WHERE PolicyRuleName='Audit Policy Rule'")
# Step 2: build the SetAuditPolicy input for a single event
$inputObject = $auditPolicyRuleRef.CreateMethodInput("SetAuditPolicy")
$inputObject.SetProperty("Enable","true") # "true" enables auditing of the event, "false" disables it
$inputObject.SetProperty("AuditedAppID","16") # '16' = Security Admin Events
$inputObject.SetProperty("EventID","0") # '0' = Intel AMT Setup and Configuration Started
$inputObject.SetProperty("PolicyType","0")
# Invoke the method and read its return value
$outputObject = $auditPolicyRuleRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")

 

 

   Invoke AMT_AuditPolicyRule.SetAuditPolicyBulk to enable or disable auditing for multiple events (Available starting in Release 7.0).


You can execute this snippet by inserting it into the execution template found here.

  

# Step 1: get a reference to the AMT_AuditPolicyRule instance named 'Audit Policy Rule'
$auditPolicyRuleRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_AuditPolicyRule WHERE PolicyRuleName='Audit Policy Rule'")
# Step 2: the four arrays are parallel; element i of each array describes one event
$enable = @("false","true")
$auditedAppID = @("17","29") # '17' = Remote Control Events. '29' = Redirection Manager Events.
$eventID = @("0","1") # '0' = Performed Power-Up. '1' = IDE-R Session Closed
$policyType = @("0","1")
$inputObject = $auditPolicyRuleRef.CreateMethodInput("SetAuditPolicyBulk")
$inputObject.SetProperty("Enable",$enable.SyncRoot)
$inputObject.SetProperty("AuditedAppID",$auditedAppID.SyncRoot)
$inputObject.SetProperty("EventID",$eventID.SyncRoot)
$inputObject.SetProperty("PolicyType",$policyType.SyncRoot)
# Invoke the method and read its return value
$outputObject = $auditPolicyRuleRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")

 

 

 

 Note:

The ID of an event is a combination of the Event Group (Application ID) and the Event ID.
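
Because SetAuditPolicyBulk takes four parallel arrays and an event is identified by the (AuditedAppID, EventID) pair, a misaligned or duplicated entry can silently change auditing for the wrong event. The following is an added example, not part of the SDK or of the original page: it builds the arrays from one record per event and validates them before the call. ConvertTo-AuditPolicyBulkArrays and $desired are hypothetical names, the sample records are constructed from the values in the bulk snippet above, and $wsmanConnectionObject is assumed to come from the execution template.

```powershell
# Added example. ConvertTo-AuditPolicyBulkArrays and $desired are hypothetical names.
function ConvertTo-AuditPolicyBulkArrays {
    param([Parameter(Mandatory)][object[]]$Policy)

    $out  = @{ Enable = @(); AuditedAppID = @(); EventID = @(); PolicyType = @() }
    $seen = @{}
    foreach ($p in $Policy) {
        # "false" as a string would cast to $true, so insist on a real boolean.
        if ($p.Enable -isnot [bool]) { throw "Enable must be `$true or `$false." }
        foreach ($name in 'AuditedAppID', 'EventID', 'PolicyType') {
            if ($null -eq $p.$name) { throw "Policy entry is missing '$name'." }
        }
        # An event is identified by the (AuditedAppID, EventID) pair; listing a
        # pair twice would give one event two conflicting settings.
        $key = "$([int]$p.AuditedAppID):$([int]$p.EventID)"
        if ($seen.ContainsKey($key)) { throw "Event $key is listed more than once." }
        $seen[$key] = $true

        # The snippets on this page pass every value as a string.
        $out.Enable       += $p.Enable.ToString().ToLower()
        $out.AuditedAppID += ([int]$p.AuditedAppID).ToString()
        $out.EventID      += ([int]$p.EventID).ToString()
        $out.PolicyType   += ([int]$p.PolicyType).ToString()
    }
    return $out
}

# Constructed sample: the same two events as the bulk snippet on this page.
$desired = @(
    [pscustomobject]@{ Enable = $false; AuditedAppID = 17; EventID = 0; PolicyType = 0 } # Remote Control: Performed Power-Up
    [pscustomobject]@{ Enable = $true;  AuditedAppID = 29; EventID = 1; PolicyType = 1 } # Redirection Manager: IDE-R Session Closed
)
$bulk = ConvertTo-AuditPolicyBulkArrays -Policy $desired

# Assumption: $wsmanConnectionObject is defined by the execution template.
if ($wsmanConnectionObject) {
    $auditPolicyRuleRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_AuditPolicyRule WHERE PolicyRuleName='Audit Policy Rule'")
    $inputObject = $auditPolicyRuleRef.CreateMethodInput("SetAuditPolicyBulk")
    foreach ($name in 'Enable', 'AuditedAppID', 'EventID', 'PolicyType') {
        $inputObject.SetProperty($name, $bulk[$name].SyncRoot)
    }
    $outputObject = $auditPolicyRuleRef.InvokeMethod($inputObject)
    $returnValue = $outputObject.GetProperty("ReturnValue")
}
```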

 

SDK Sample

Located at: <SDK_root>\Windows\Intel_AMT\Samples\WS-Management\AccessMonitor\C++
(the sample does not demonstrate the SetAuditPolicyBulk method).

 

See Also:

   Event Groups and Event IDs

   View the Audit Policy Details

Copyright © 2006-2022, Intel Corporation. All rights reserved.