Obs/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/ReservedEventsTeam3Offline-Content.xml

<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2022-09-09T18:03:54.8774890Z">
  <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.22.0.2 -->
  <Events>
    <EtwProviders>
      <!-- ACMS events added 09/20/2019
            All those events are emitted from the client agent of dSMS service, ACMS.
            The information in those events will be used by dSMS teams and customers for:
                1) Monitor the state of ACMS (started, stopped)
                2) Monitor the state of delivered secrets (latest version installed on box)
                3) Investigate any ACMS client issues (critial/error messages)
             
            The frequency for most events should be greater than 24 hours, since the ACMS polls dSMS to check for any updates in every 24-36 hours by default.
             
            The size of each event data should be less than 1k. Most of them contains informational string message only.
        -->
      <EtwProvider guid="71E8EB64-FA6A-45F0-9162-9194C04C6D17" format="Manifest" storeType="Local" manifest="Extensions\AzureSecurityPack\CredentialsManagementEtw.man" duration="PT5M">
        <Event id="1" eventName="CredsMgmtCriticalMessage" />
        <Event id="6" eventName="CredsMgmtCredentialsManagerStarted" />
        <Event id="7" eventName="CredsMgmtCredentialsManagerStopped" />
        <Event id="8" eventName="CredsMgmtPeriodicPollingStarted" />
        <Event id="9" eventName="CredsMgmtPeriodicPollingCompleted" />
        <Event id="10" eventName="CredsMgmtPeriodicPollingFailed" />
        <Event id="11" eventName="CredsMgmtCertificateInstalled" />
        <Event id="12" eventName="CredsMgmtCertificateUpdated" />
        <Event id="13" eventName="CredsMgmtCertificateLinked" />
        <Event id="14" eventName="CredsMgmtCertificateDeleted" />
        <Event id="15" eventName="CredsMgmtExistingManagedCertificate" />
        <Event id="16" eventName="CredsMgmtUpdatedSecureBlob" />
        <Event id="17" eventName="CredsMgmtCaCertificateInstalled" />
        <Event id="25" eventName="CredsMgmtNewSignalReceived" />
        <Event id="26" eventName="CredsMgmtNewSignalActionTaken" />
      </EtwProvider>
    </EtwProviders>
    <!--
      WindowsEventLogSubscriptions documentation: https://jarvis.dc.ad.msft.net/?page=documents&section=9c95f4eb-8689-4c9f-81bf-82d688e860fd&id=4da06081-ef7e-4c76-9475-497738167549
    -->
    <WindowsEventLogSubscriptions>
      <Subscription eventName="ACMSEventLocal" query="Microsoft-Windows Azure-Security-Credentials Management/Operational!*[System[(EventID=1) or (EventID=6) or (EventID=7) or (EventID=8) or (EventID=9) or (EventID=10) or (EventID=11) or (EventID=12) or (EventID=13) or (EventID=14) or (EventID=15)or (EventID=16) or (EventID=17) or (EventID=18) or (EventID=19) or (EventID=20)or (EventID=23) or (EventID=24) or (EventID=25) or (EventID=26)]]" storeType="Local">
        <Column name="EventProvider">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="EventType">
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="TimeCreated">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data</Value>
        </Column>
      </Subscription>
      <Subscription eventName="ACMSEventLocal" query="Microsoft-Windows Azure-Security-Credentials Management/Admin!*[System[(EventID=1) or (EventID=6) or (EventID=7) or (EventID=8) or (EventID=9) or (EventID=10) or (EventID=11) or (EventID=12) or (EventID=13) or (EventID=14) or (EventID=15)or (EventID=16) or (EventID=17) or (EventID=18) or (EventID=19) or (EventID=20)or (EventID=23) or (EventID=24) or (EventID=25) or (EventID=26)]]" storeType="Local">
        <Column name="EventProvider">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="EventType">
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="TimeCreated">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/Data</Value>
        </Column>
      </Subscription>
    </WindowsEventLogSubscriptions>
    <!-- Derived Events to tag the ACMS events with Azure Identity -->
    <DerivedEvents>
      <!-- Documentation for event fields can be found here:
            https://jarvis-west.dc.ad.msft.net/?page=documents&section=9c95f4eb-8689-4c9f-81bf-82d688e860fd&id=ac0084ad-5065-4b16-8f7d-0a5193143378#/
        -->
      <DerivedEvent source="ACMSEventLocal" eventName="AsmSec3Data" storeType="CentralBond" priority="High" duration="PT1M" retryTimeout="PT10080M" account="AzSecurityStore" retentionInDays="180">
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let NodeIdentity=""
            let NodeType=""
            select
              ReportingIdentity, AssetIdentity, NodeIdentity, NodeType,
              EventProvider, EventType, TimeCreated, EventPayload
          ]]></Query>
      </DerivedEvent>
    </DerivedEvents>
  </Events>
</MonitoringManagement>