Obs/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/AzSecMdsNetIsoScanOffline-Content.xml
<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2022-09-09T18:03:54.8774890Z"> <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.22.0.2 --> <Events> <FileMonitors storeType="CentralBond"> <FileWatchItem eventName="AsmNetIsoFM" container="azsecnetisofm" account="AzSecurityStore" compressionType="gzip" directoryQuotaInMB="100" lastChangeOffsetInSeconds="10" retentionInDays="4" removeEmptyDirectories="true"> <Directory><![CDATA[Concat("", GetEnvironmentVariable("LOCALAPPDATA"), "\SHANetIso")]]></Directory> </FileWatchItem> </FileMonitors> <DerivedEvents> <!-- network isolation scanner --> <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmNetIsoInv" account="AzSecurityStore" priority="Normal" deadline="PT15M" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30"> <Query><![CDATA[ let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") where EventProvider = "NetIsoScanner" let SchemaVersion = UserField1, Session = UserField2, Count = UserField3, Item = UserField4, Metadata = UserField5 select ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, SchemaVersion, Session, Count, Item, Metadata ]]></Query> </DerivedEvent> </DerivedEvents> </Events> </MonitoringManagement> |