AzStackHciStandaloneObservability/package/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/AzSecMdsAsmScanOffline-Content.xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Monitoring Agent (MA) init config for the Azure Security Pack ASM scanner ("offline" content variant).

  Structure:
    * EtwProviders  - the scanner's ETW manifest and the event ids that MA collects locally.
    * FileMonitors  - a watched directory whose contents are uploaded as a file event.
    * DerivedEvents - per-feed queries that filter the collected events by EventProvider/EventType,
                      enrich each row with node identity columns taken from MA static environment
                      variables, and ship the result to the AzSecurityStore account (CentralBond).
    * Extensions    - the scanner process MA launches, with its resource caps.

  Every derived-event query carries the same enrichment block: ReportingIdentity, AssetIdentity,
  CRPVMId, ServiceId, SubscriptionId and ComputerName. ComputerName falls back to COMPUTERNAME
  when MA_COMPUTERNAME_FQDN is empty.
-->
<MonitoringManagement version="1.0" timestamp="2022-09-09T18:03:54.8774890Z">
  <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.22.0.2 -->
  <Events>

    <!-- ================================================================== -->
    <!-- Local ETW collection from the unified scanner manifest               -->
    <!-- ================================================================== -->
    <EtwProviders>
      <EtwProvider guid="9a65c11b-e330-4ecd-a666-3c3d2c320622"
                   format="Manifest"
                   storeType="Local"
                   manifest="extensions\AzureSecurityPack\SecurityScanLoggerUnifiedManifest.man"
                   duration="PT1M">
        <!-- Any event id not listed below lands here. -->
        <DefaultEvent eventName="AsmScannerDefaultEvents" />
        <!-- 100: scanner diagnostics log (source of the AsmSpDiag feed) -->
        <Event id="100" eventName="AsmDiagnostics" />
        <!-- 101: LogScanEvent() output (source of AsmSpInvRes3 / AsmSysChg) -->
        <Event id="101" eventName="AsmScannerData" />
        <!-- 102: LogInventoryEvent() output (source of all AsmSpInv* inventory feeds) -->
        <Event id="102" eventName="AsmInventoryData" />
        <!-- 103: AlertData() output (source of AsmSpAlert) -->
        <Event id="103" eventName="AsmAlertsData" />
        <!-- 120/121: HeartBeatData() and heartbeat health (source of AsmSpVer) -->
        <Event id="120" eventName="AsmHeartbeatData" />
        <Event id="121" eventName="AsmHeartbeatHealthData" />
      </EtwProvider>
    </EtwProviders>

    <!-- ================================================================== -->
    <!-- Diagnostic tool file monitor                                        -->
    <!--                                                                    -->
    <!-- When the diagnostics tool runs it drops its output as               -->
    <!-- <SystemDrive>\DiagnosticsZipDir\*.zip. Anything that appears under  -->
    <!-- that directory is uploaded to the azsecasmfmevent container of the  -->
    <!-- AzSecurityStore account shortly after the last change               -->
    <!-- (lastChangeOffsetInSeconds), capped at directoryQuotaInMB.          -->
    <!-- NOTE(review): because upload is triggered purely by file activity,  -->
    <!-- the directory's ACL should limit writes to the diagnostics tool /   -->
    <!-- administrators so that other local principals cannot push arbitrary -->
    <!-- content into the storage account or exhaust the quota - confirm.    -->
    <!-- ================================================================== -->
    <FileMonitors storeType="CentralBond">
      <FileWatchItem eventName="AsmSpFMEvent"
                     account="AzSecurityStore"
                     container="azsecasmfmevent"
                     directoryQuotaInMB="100"
                     lastChangeOffsetInSeconds="10"
                     removeEmptyDirectories="false">
        <Directory><![CDATA[Concat("", GetStaticEnvironmentVariable("SystemDrive"), "\DiagnosticsZipDir")]]></Directory>
      </FileWatchItem>
    </FileMonitors>

    <!-- ================================================================== -->
    <!-- Derived-event feeds                                                 -->
    <!-- ================================================================== -->
    <DerivedEvents>

      <!-- Network scanner results from the scan-event stream. Note this feed
           has a shorter retryTimeout (5 min) than the inventory feeds and does
           not carry the Truncated/chunking columns. -->
      <DerivedEvent source="AsmScannerData" duration="PT15M" eventName="AsmSpInvRes3" account="AzSecurityStore" priority="Normal" retryTimeout="PT5M" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "NetworkScanner")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Scanner diagnostics: only Error/Warning/Startup/Shutdown records, and
           not from the PILauncher, NetIsoScanner or OffNodeVulnScan providers. -->
      <DerivedEvent source="AsmDiagnostics" duration="PT15M" eventName="AsmSpDiag" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventType = "Error" || EventType = "Warning" || EventType = "Startup" || EventType = "Shutdown") and (EventProvider != "PILauncher" and EventProvider != "NetIsoScanner" and EventProvider != "OffNodeVulnScan")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Alerting feed. Every scanner that calls LogAlertingEvent has its
           records processed on a one-minute cycle; volume is expected to be
           low. The same three providers are excluded as in AsmSpDiag, and the
           CI/AppLocker violation event types are routed elsewhere.
           retryTimeout PT10080M is 7 days. -->
      <DerivedEvent source="AsmAlertsData" duration="PT1M" eventName="AsmSpAlert" account="AzSecurityStore" priority="Normal" retryTimeout="PT10080M" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider != "PILauncher" and EventProvider != "NetIsoScanner" and EventProvider != "OffNodeVulnScan") && (EventType != "CIExeViolation" and EventType != "AlExeViolation" and EventType != "CIALScrViolation")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- ---------------------------------------------------------------- -->
      <!-- Reporting feeds (all sourced from the inventory event stream)     -->
      <!-- ---------------------------------------------------------------- -->

      <!-- Baseline settings. UserField1 is surfaced as OsVersion. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpCfgBase" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where EventProvider = "BaselineScanner"
          let OsVersion = UserField1
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, OsVersion, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Installed patches. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpPatch" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Patch")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Installed products, features and OS version. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvPrdt" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Product" || EventType = "Feature" || EventType = "Version" )
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Network shares, named pipes, autoruns and NTP status. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvCfg" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "NetworkShare" || EventType = "NamedPipe" || EventType = "AutoRuns" || EventType = "NTPStatus")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Certificate inventory. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvCert" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Certificate")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Exported certificate public keys. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvKey" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where(EventProvider = "SoftwareInventoryScanner") && (EventType = "ExportedCertPubKeys")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Heavy-talker network inventory (from the kernel scanner, not the
           software inventory scanner). -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvNet" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "KernelScanner") && (EventType = "HeavyTalker")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- RPC endpoint inventory. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvRPC" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "RpcEndpoint")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Driver inventory. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvDrv" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Drivers")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Win32 service inventory. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvSrvc" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Services")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Registry inventory (ASEP, AV/anti-malware, WU, MSRC, dSMS, Watson keys).
           NOTE(review): this feed and AsmSysChg are the only two without an explicit
           retentionInDays; every other feed sets 30 - confirm the default is intended. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpRegistry" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "AsepRegistry" || EventType = "AntiVirusRegistry" || EventType = "WUSettingRegistry" || EventType = "AntiMalwareRegistry" || EventType = "MSRCRegistry" || EventType = "DSMSRegistry" || EventType = "DSMSRCVRegistry" || EventType = "AZWatsonRegistry")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Local users and groups. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvUG" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "UserGroupScanner") && (EventType = "UsersInventory" || EventType = "GroupsInventory")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Container inventory: Docker-era event types from the software
           inventory scanner plus the newer ContainerInventoryScanner reports. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvRes1" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner" || EventProvider = "ContainerInventoryScanner") && (EventType = "DockerVersion" || EventType = "DockerImages" || EventType = "DockerContainers" || EventType = "DockerVolumes" || EventType = "DockerContainerDetails" || EventType = "DockerContainerProcessDetails" || EventType = "VersionReport" || EventType = "ImageReport" || EventType = "ContainerReport" || EventType = "ContainerInventory")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- SQL vulnerability-assessment inventory: every event type from SqlVaScanner. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvRes2" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where EventProvider = "SqlVaScanner"
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- ---------------------------------------------------------------- -->
      <!-- Heartbeat feed. Both heartbeat sources (data and health) are       -->
      <!-- written, unfiltered, to the same AsmSpVer event and additionally   -->
      <!-- carry NodeIdentity/NodeType.                                       -->
      <!-- ---------------------------------------------------------------- -->
      <DerivedEvent source="AsmHeartbeatData" duration="PT15M" eventName="AsmSpVer" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <DerivedEvent source="AsmHeartbeatHealthData" duration="PT15M" eventName="AsmSpVer" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- System-change feed: NCrypt events 16 and 17 from the scan-event stream,
           on a 5-minute cycle. The `!= "NetworkScanner"` clause is already implied
           by the equality that follows it; kept as shipped. The column order here
           differs from the other feeds (identity columns first) and the keyword is
           spelled `Select` - also kept as shipped. No retentionInDays (see AsmSpRegistry). -->
      <DerivedEvent source="AsmScannerData" duration="PT5M" eventName="AsmSysChg" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local">
        <Query><![CDATA[
          where (EventProvider != "NetworkScanner") && (EventProvider = "Microsoft-Windows-Crypto-NCrypt") && (EventType = "16" || EventType = "17")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity = GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          Select ReportingIdentity, AssetIdentity, CRPVMId, ServiceId, SubscriptionId, ComputerName, EventProvider, EventType, EventPayload
        ]]></Query>
      </DerivedEvent>

    </DerivedEvents>

    <!-- ================================================================== -->
    <!-- Scanner process launched by MA                                      -->
    <!-- ================================================================== -->
    <Extensions>
      <Extension extensionName="AzureSecurityPack">
        <!-- Both config file names are relative; MA resolves them from the extension location. -->
        <CommandLine>SecurityScanMgr.exe -aspconfig:AzureSecurityPackConfiguration.xml -config:AsmScannerConfiguration.xml</CommandLine>
        <!-- <AlternativeExtensionLocation></AlternativeExtensionLocation> -->
        <!-- <Body></Body> -->
        <!-- Hard CPU throttle at 5% and a 128 MB memory ceiling for the scanner process. -->
        <ResourceUsage cpuPercentUsage="5" cpuThrottling="Hard" memoryLimitInMB="128" />
      </Extension>
    </Extensions>

  </Events>
</MonitoringManagement>