AzStackHciStandaloneObservability/package/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/AsmAuditMdsEventsOffline.xml
<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2022-09-09T18:03:54.8774890Z"> <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.22.0.2 --> <Events> <WindowsEventLogSubscriptions> <Subscription eventName="AsmAuditDataPlaneLocal" query="Security!*[System[Provider[@Name='WindowsAzureAsmAuditDataPlane']]]" storeType="Local"> <Column name="env_ver" defaultAssignment=""> <Value>/Event/EventData/Data[2]</Value> </Column> <Column name="env_name" defaultAssignment=""> <Value>/Event/EventData/Data[3]</Value> </Column> <Column name="env_time" defaultAssignment=""> <Value>/Event/EventData/Data[4]</Value> </Column> <Column name="env_ikey" defaultAssignment=""> <Value>/Event/EventData/Data[5]</Value> </Column> <Column name="env_dt_traceid" defaultAssignment=""> <Value>/Event/EventData/Data[6]</Value> </Column> <Column name="env_dt_spanid" defaultAssignment=""> <Value>/Event/EventData/Data[7]</Value> </Column> <Column name="CustomData" defaultAssignment=""> <Value>/Event/EventData/Data[8]</Value> </Column> <Column name="OperationName" defaultAssignment=""> <Value>/Event/EventData/Data[9]</Value> </Column> <Column name="OperationCategories" defaultAssignment=""> <Value>/Event/EventData/Data[10]</Value> </Column> <Column name="OperationCategoryDescription" defaultAssignment=""> <Value>/Event/EventData/Data[11]</Value> </Column> <Column name="OperationResult" defaultAssignment=""> <Value>/Event/EventData/Data[12]</Value> </Column> <Column name="OperationResultDescription" defaultAssignment=""> <Value>/Event/EventData/Data[13]</Value> </Column> <Column name="OperationAccessLevel" defaultAssignment=""> <Value>/Event/EventData/Data[14]</Value> </Column> <Column name="CallerIdentities" defaultAssignment=""> <Value>/Event/EventData/Data[15]</Value> </Column> <Column name="CallerIpAddress" defaultAssignment=""> <Value>/Event/EventData/Data[16]</Value> </Column> <Column name="CallerAccessLevels" defaultAssignment=""> <Value>/Event/EventData/Data[17]</Value> </Column> <Column name="CallerAgent" defaultAssignment=""> <Value>/Event/EventData/Data[18]</Value> </Column> <Column name="TargetResources" defaultAssignment=""> <Value>/Event/EventData/Data[19]</Value> </Column> <Column name="OperationType" defaultAssignment=""> <Value>/Event/EventData/Data[20]</Value> </Column> </Subscription> <Subscription eventName="AsmAuditControlPlaneLocal" query="Security!*[System[Provider[@Name='WindowsAzureAsmAuditControlPlane']]]" storeType="Local"> <Column name="env_ver" defaultAssignment=""> <Value>/Event/EventData/Data[2]</Value> </Column> <Column name="env_name" defaultAssignment=""> <Value>/Event/EventData/Data[3]</Value> </Column> <Column name="env_time" defaultAssignment=""> <Value>/Event/EventData/Data[4]</Value> </Column> <Column name="env_ikey" defaultAssignment=""> <Value>/Event/EventData/Data[5]</Value> </Column> <Column name="env_dt_traceid" defaultAssignment=""> <Value>/Event/EventData/Data[6]</Value> </Column> <Column name="env_dt_spanid" defaultAssignment=""> <Value>/Event/EventData/Data[7]</Value> </Column> <Column name="CustomData" defaultAssignment=""> <Value>/Event/EventData/Data[8]</Value> </Column> <Column name="OperationName" defaultAssignment=""> <Value>/Event/EventData/Data[9]</Value> </Column> <Column name="OperationCategories" defaultAssignment=""> <Value>/Event/EventData/Data[10]</Value> </Column> <Column name="OperationCategoryDescription" defaultAssignment=""> <Value>/Event/EventData/Data[11]</Value> </Column> <Column name="OperationResult" defaultAssignment=""> <Value>/Event/EventData/Data[12]</Value> </Column> <Column name="OperationResultDescription" defaultAssignment=""> <Value>/Event/EventData/Data[13]</Value> </Column> <Column name="OperationAccessLevel" defaultAssignment=""> <Value>/Event/EventData/Data[14]</Value> </Column> <Column name="CallerIdentities" defaultAssignment=""> <Value>/Event/EventData/Data[15]</Value> </Column> <Column name="CallerIpAddress" defaultAssignment=""> <Value>/Event/EventData/Data[16]</Value> </Column> <Column name="CallerAccessLevels" defaultAssignment=""> <Value>/Event/EventData/Data[17]</Value> </Column> <Column name="CallerAgent" defaultAssignment=""> <Value>/Event/EventData/Data[18]</Value> </Column> <Column name="TargetResources" defaultAssignment=""> <Value>/Event/EventData/Data[19]</Value> </Column> <Column name="OperationType" defaultAssignment=""> <Value>/Event/EventData/Data[20]</Value> </Column> </Subscription> </WindowsEventLogSubscriptions> <DerivedEvents> <DerivedEvent source="AsmAuditDataPlaneLocal" eventName="AsmAuditDP" storeType="CentralBond" priority="High" duration="PT1M" retryTimeout="PT10080M" account="AuditStore" retentionInDays="180"> <Query><![CDATA[ let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") select ReportingIdentity, AssetIdentity, env_ver, env_name, env_time, env_ikey, env_dt_traceid, env_dt_spanid, OperationName, OperationType, OperationCategories, OperationCategoryDescription, OperationResult, OperationResultDescription, OperationAccessLevel, CallerIdentities, CallerIpAddress, CallerAccessLevels, CallerAgent, TargetResources, CustomData ]]></Query> </DerivedEvent> <DerivedEvent source="AsmAuditControlPlaneLocal" eventName="AsmAuditCP" storeType="CentralBond" priority="High" duration="PT1M" retryTimeout="PT10080M" account="AuditStore" retentionInDays="180"> <Query><![CDATA[ let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") select ReportingIdentity, AssetIdentity, env_ver, env_name, env_time, env_ikey, env_dt_traceid, env_dt_spanid, OperationName, OperationType, OperationCategories, OperationCategoryDescription, OperationResult, OperationResultDescription, OperationAccessLevel, CallerIdentities, CallerIpAddress, CallerAccessLevels, CallerAgent, TargetResources, CustomData ]]></Query> </DerivedEvent> </DerivedEvents> </Events> </MonitoringManagement> |