AzStackHciStandaloneObservability/package/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/AzSecMdsWDATPOffline-Content.xml
<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2022-09-09T18:03:54.8774890Z"> <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.22.0.2 --> <Events> <EtwProviders> <!-- MsSense scanner provider --> <EtwProvider guid="cb2ff72d-d4e4-585d-33f9-f3a395c40be7" format="EventSource" storeType="Local"> <DefaultEvent eventName="AsmMsSenseLocal" /> </EtwProvider> <!-- MsSense Diagnostics Provider --> <EtwProvider guid="65a1b6fc-4c24-59c9-e3f3-ad11ac510b41" format="EventSource" storeType="Local"> <DefaultEvent eventName="AsmMsSDiagLocal" /> </EtwProvider> </EtwProviders> <DerivedEvents> <DerivedEvent source="AsmMsSDiagLocal" eventName="AsmMsSDiag" storeType="CentralBond" priority="Low" duration="PT5M" retryTimeout="PT10080M" account="AzSecurityStore" retentionInDays="30"> <Query><![CDATA[ where (TaskName="LruCacheCounter" || TaskName="EventTracker" || TaskName="BackgroundActionStats" || TaskName="FirstSeenModuleLoadCount" || TaskName="BucketCappingFilterCounter" || TaskName="reportCounter" || TaskName="EtwSessionCounter" || TaskName="LogServiceStartedEvent" || TaskName="InitializeComponentsActivity" || TaskName="StartComponentsActivity" || TaskName="MachineInfoActivity" || TaskName="ConfigurationApplyActivity" || TaskName="StartServiceActivity" || TaskName="ServiceStartAfterCrashEvent" || TaskName="LogServiceStartedEvent" || TaskName="MachineInfoFailedToRetrieve" || TaskName="DnsCacheStats" || TaskName="FirstSeenCount") let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId") let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID") let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId") let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") select ReportingIdentity, AssetIdentity, ProviderName, ProviderGuid, EventId, TaskName, Message, EventMessage, Level, CRPVMId, ServiceId, SubscriptionId, ComputerName ]]></Query> </DerivedEvent> <DerivedEvent source="AsmMsSenseLocal" eventName="AsmMsSense" storeType="CentralBond" priority="Low" duration="PT1M" retryTimeout="PT10080M" account="AzSecurityStore" retentionInDays="30"> <Query><![CDATA[ let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId") let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID") let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId") let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") ]]></Query> </DerivedEvent> </DerivedEvents> </Events> </MonitoringManagement> |