Obs/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/AzSecMdsAsmScanOffline-Content.xml
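<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2023-06-08T00:58:42.4731192Z">
  <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.27.0.4 -->
  <!--
    Monitoring Agent configuration for the AzSecPack ASM scanners ("offline" scan variant).

    Layout of this document:
      * EtwProviders                 : the unified scanner ETW provider, mapped to local event tables.
      * FileMonitors                 : uploads diagnostics zips dropped under %SystemDrive%\DiagnosticsZipDir.
      * WindowsEventLogSubscriptions : picks up AzureSecurityPack watchdog errors from the Application log.
      * DerivedEvents                : one feed per scanner/output that stamps node identity onto each
                                       record and ships it to the AzSecurityStore account (CentralBond).
      * Extensions                   : launches SecurityScanMgr.exe with its scanner configuration.

    Reviewer remarks are tagged NOTE(review) and should be confirmed against the agent documentation
    before acting on them; nothing in this file was changed beyond formatting and comments.
  -->
  <Events>
    <EtwProviders>
      <!-- Unified scanner logger. Records are kept locally (storeType="Local") and only reach central
           storage through the DerivedEvents below. Extra ETW header fields are captured as columns. -->
      <EtwProvider guid="9a65c11b-e330-4ecd-a666-3c3d2c320622"
                   format="Manifest"
                   storeType="Local"
                   manifest="extensions\AzureSecurityPack\SecurityScanLoggerUnifiedManifest.man"
                   duration="PT1M">
        <AdditionalHeaderFields>
          <Field>EventId</Field>
          <Field>Level</Field>
          <Field>Pid</Field>
          <Field>Tid</Field>
          <Field>ProviderGuid</Field>
          <Field>ProviderName</Field>
          <Field>EventMessage</Field>
          <Field>ActivityId</Field>
          <Field>TaskName</Field>
          <Field>KeywordName</Field>
          <Field>OpcodeName</Field>
          <Field>ChannelName</Field>
          <Field>EventVersion</Field>
        </AdditionalHeaderFields>
        <DefaultEvent eventName="AsmScannerDefaultEvents" />
        <!-- Diagnostics Logs -->
        <Event id="100" eventName="AsmDiagnostics" />
        <!-- LogScanEvent() -->
        <Event id="101" eventName="AsmScannerData" />
        <!-- LogInventoryEvent() -->
        <Event id="102" eventName="AsmInventoryData" />
        <!-- AlertData() -->
        <Event id="103" eventName="AsmAlertsData" />
        <!-- HeartBeatData() -->
        <Event id="120" eventName="AsmHeartbeatData" />
        <Event id="121" eventName="AsmHeartbeatHealthData" />
        <!-- AsmNet events -->
        <Event id="1020" eventName="AsmNetOutboundSnapshotData" />
        <Event id="1025" eventName="AsmNetInboundSnapshotData" />
        <Event id="1100" eventName="AsmNetDnsResolutionData" />
      </EtwProvider>
    </EtwProviders>

    <!-- Diagnostic Tool File Monitor. When the diagnostics tool is run it places all the diagnostic data
         under c:\DiagnosticsZipDir\*.zip, this file Monitor will upload data to the corresponding storage
         account as soon as it detects any activity under this dir.

         NOTE(review): no file-name filter is visible on this watch item, so whatever is written under the
         directory is uploaded to the "azsecasmfmevent" container, bounded only by directoryQuotaInMB="100".
         Keep the directory ACL'd so that only the diagnostics tool / administrators can write to it;
         otherwise a low-privileged local writer can use it as an upload channel or exhaust the quota. -->
    <FileMonitors storeType="CentralBond">
      <FileWatchItem eventName="AsmSpFMEvent"
                     account="AzSecurityStore"
                     container="azsecasmfmevent"
                     directoryQuotaInMB="100"
                     lastChangeOffsetInSeconds="10"
                     removeEmptyDirectories="false">
        <Directory><![CDATA[Concat("", GetStaticEnvironmentVariable("SystemDrive"), "\DiagnosticsZipDir")]]></Directory>
      </FileWatchItem>
    </FileMonitors>

    <WindowsEventLogSubscriptions>
      <!-- Watchdog errors: Application log, provider "AzureSecurityPack", EventID 3001. Kept local here and
           forwarded into the AsmSpDiag table by the WatchDogErrorEventLocal derived event below. -->
      <Subscription eventName="WatchDogErrorEventLocal"
                    query="Application!*[System[Provider[@Name='AzureSecurityPack'] and (EventID=3001)]]"
                    storeType="Local">
        <Column name="EventProvider">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="EventType">
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="TimeCreated">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/*</Value>
        </Column>
      </Subscription>
    </WindowsEventLogSubscriptions>

    <!-- Every feed below filters one local source table, stamps the node identity from MA environment
         variables (ReportingIdentity, AssetIdentity, CRPVMId, ServiceId, SubscriptionId, ComputerName) and
         uploads to AzSecurityStore. ComputerName falls back to COMPUTERNAME when MA_COMPUTERNAME_FQDN is
         empty.
         NOTE(review): the queries mix "=" and "==" for string equality (e.g. AsmSysCmd vs AsmSysCmdAgg).
         They are reproduced verbatim; confirm the query language treats both identically before unifying. -->
    <DerivedEvents>
      <!-- HNS container telemetry (scan events, not inventory). -->
      <DerivedEvent source="AsmScannerData" duration="PT15M" eventName="AsmSpInvRes3" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT5M" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "HNSContainerTelemetryScanner")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Event-driven command telemetry: PowerShell 4103/4104 and process creation ("4688Scanner").
           The synthetic "4688Scanner" type is rewritten to "4688" and attributed to the Security-Auditing
           provider so the record looks like the native Windows event; TimeCreated comes from UserField1.
           NOTE(review): 4104 script blocks and 4688 command lines can carry credentials or tokens typed
           on the command line; treat the AsmSysCmd table as sensitive and restrict read access accordingly. -->
      <DerivedEvent source="AsmScannerData" duration="PT5M" eventName="AsmSysCmd" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT5M" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "EventDrivenScanner") && (EventType = "4103" || EventType = "4104" || EventType = "4688Scanner")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          let EventProv = (EventType == "4688Scanner") ? "Microsoft-Windows-Security-Auditing":"Microsoft-Windows-PowerShell"
          let TimeCreated=UserField1
          let NewEventType = (EventType == "4688Scanner") ? "4688": EventType
          select ReportingIdentity, AssetIdentity, EventProv as EventProvider,NewEventType as EventType, EventPayload, CRPVMId, ServiceId, SubscriptionId, ComputerName, TimeCreated
        ]]></Query>
      </DerivedEvent>

      <!-- Aggregated process-creation records ("4688Agg"): UserField1 = occurrence count, UserField2 =
           first TimeCreated, UserField3 = latest timestamp.
           NOTE(review): EventType is emitted as the integer 4688 here but as the string "4688" in AsmSysCmd;
           the two feeds land in different tables, but consumers joining them should cast explicitly. -->
      <DerivedEvent source="AsmScannerData" duration="PT5M" eventName="AsmSysCmdAgg" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT5M" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "EventDrivenScanner") && (EventType == "4688Agg")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          let EventProv="Microsoft-Windows-Security-Auditing"
          let NumberOfOccurrences=ToInt32(UserField1)
          let TimeCreated=UserField2
          let LatestTimeStamp=UserField3
          let NewEventType=4688
          select ReportingIdentity, AssetIdentity, EventProv as EventProvider, NewEventType as EventType, EventPayload, CRPVMId, ServiceId, SubscriptionId, ComputerName, NumberOfOccurrences, LatestTimeStamp, TimeCreated
        ]]></Query>
      </DerivedEvent>

      <!-- Scanner diagnostics (Error/Warning/Startup/Shutdown), excluding the providers that ship their
           own diagnostics elsewhere (PILauncher, NetIsoScanner, OffNodeVulnScan). Chunking columns are
           forwarded so oversized payloads can be reassembled centrally. -->
      <DerivedEvent source="AsmDiagnostics" duration="PT15M" eventName="AsmSpDiag" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventType = "Error" || EventType = "Warning" || EventType = "Startup" || EventType = "Shutdown") and (EventProvider != "PILauncher" and EventProvider != "NetIsoScanner" and EventProvider != "OffNodeVulnScan")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Alerting feed. All scanners using LogAlertingEvent will have those records processed on a one
           minute cycles. This is expected to be low volume output from the scanners.
           Code-integrity / AppLocker violation alert types are filtered out here (CIExeViolation,
           AlExeViolation, CIALScrViolation). retryTimeout="PT10080M" (7 days) keeps alerts queued through
           long upload outages rather than dropping them. -->
      <DerivedEvent source="AsmAlertsData" duration="PT1M" eventName="AsmSpAlert" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT10080M" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider != "PILauncher" and EventProvider != "NetIsoScanner" and EventProvider != "OffNodeVulnScan") && (EventType != "CIExeViolation" and EventType != "AlExeViolation" and EventType != "CIALScrViolation")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Reporting feeds -->

      <!-- Baseline settings. OsVersion is carried in UserField1 by the BaselineScanner. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpCfgBase" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where EventProvider = "BaselineScanner"
          let OsVersion = UserField1
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, OsVersion, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Installed products, features, patches, and OS version inventory -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpPatch" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Patch")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvPrdt" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Product" || EventType = "Feature" || EventType = "Version" )
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- NetworkShares inventory (also named pipes, autoruns and NTP status) -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvCfg" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "NetworkShare" || EventType = "NamedPipe" || EventType = "AutoRuns" || EventType = "NTPStatus")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Certificates inventory -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvCert" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Certificate")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Certificates Exported Public Key inventory.
           NOTE(review): the event type name says public keys only; this file cannot show what the scanner
           actually serialises into EventPayload, so confirm on the scanner side that no private key
           material can ever be included in this feed. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvKey" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where(EventProvider = "SoftwareInventoryScanner") && (EventType = "ExportedCertPubKeys")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- HeavyTalker inventory (KernelScanner) -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvNet" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "KernelScanner") && (EventType = "HeavyTalker")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- RpcEndpoint inventory -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvRPC" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "RpcEndpoint")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Drivers inventory -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvDrv" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Drivers")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Win32 services inventory -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvSrvc" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Services")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Registry inventory (security-relevant keys: MDE/ATP, ASEPs, AV, WU, anti-malware, MSRC, dSMS,
           Azure Watson).
           NOTE(review): this feed has no retentionInDays attribute while every other inventory feed sets
           "30"; the agent default applies. Left as-is here, confirm that it is intentional. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpRegistry" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner") && (EventType = "WindowsAdvancedThreatProtection" || EventType = "AsepRegistry" || EventType = "AntiVirusRegistry" || EventType = "WUSettingRegistry" || EventType = "AntiMalwareRegistry" || EventType = "MSRCRegistry" || EventType = "DSMSRegistry" || EventType = "DSMSRCVRegistry" || EventType = "AZWatsonRegistry")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Local user inventory (users and groups). Enumerates local accounts and group membership; treat the
           AsmSpInvUG table as sensitive reconnaissance data and restrict read access. -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvUG" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "UserGroupScanner") && (EventType = "UsersInventory" || EventType = "GroupsInventory")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Container inventory (Docker data from SoftwareInventoryScanner plus ContainerInventoryScanner reports) -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvRes1" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where (EventProvider = "SoftwareInventoryScanner" || EventProvider = "ContainerInventoryScanner") && (EventType = "DockerVersion" || EventType = "DockerImages" || EventType = "DockerContainers" || EventType = "DockerVolumes" || EventType = "DockerContainerDetails" || EventType = "DockerContainerProcessDetails" || EventType = "VersionReport" || EventType = "ImageReport" || EventType = "ContainerReport" || EventType = "ContainerInventory")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- SQL VA inventory -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvRes2" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          where EventProvider = "SqlVaScanner"
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Heartbeat feed. Both heartbeat tables (120 and 121) are written to the same AsmSpVer table with an
           identical column list, so the two feeds must stay in lock-step if columns are added. -->
      <DerivedEvent source="AsmHeartbeatData" duration="PT15M" eventName="AsmSpVer" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <DerivedEvent source="AsmHeartbeatHealthData" duration="PT15M" eventName="AsmSpVer" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- Network snapshots (AsmNet): outbound connections, inbound connections and DNS resolutions, each
           with the owning ProcessId/ProcessImagePath. No filter is applied; the whole source table ships. -->
      <DerivedEvent source="AsmNetOutboundSnapshotData" duration="PT5M" eventName="AsmNwOBSnapshot" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, RemoteAddress, RemotePort, Protocol, ProcessId, ConnectEventCount, DisconnectEventCount, FirstSeenUTC, ProcessImagePath, EventVersion, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <DerivedEvent source="AsmNetInboundSnapshotData" duration="PT5M" eventName="AsmNwIBSnapshot" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, RemoteAddress, LocalAddress, LocalPort, Protocol, ProcessId, AcceptEventCount, DisconnectEventCount, FirstSeenUTC, ProcessImagePath, EventVersion, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <DerivedEvent source="AsmNetDnsResolutionData" duration="PT5M" eventName="AsmNwDnsRes" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, DomainName, ResolutionStatus, QueryType, QueryResults, ProcessId, ProcessImagePath, EventVersion, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>

      <!-- System change events 16/17 from the EventDrivenScanner, attributed to Microsoft-Windows-Crypto-NCrypt
           (the original provider is replaced by the EventProv literal); TimeCreated comes from UserField1.
           NOTE(review): "Select" is capitalised here while every other feed writes "select"; left verbatim,
           confirm the query parser is case-insensitive. This feed also sets no retentionInDays. -->
      <DerivedEvent source="AsmScannerData" duration="PT5M" eventName="AsmSysChg" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local">
        <Query><![CDATA[
          where (EventProvider = "EventDrivenScanner") && (EventType = "16" || EventType = "17")
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity = GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          let TimeCreated=UserField1
          let EventProv="Microsoft-Windows-Crypto-NCrypt"
          Select ReportingIdentity, AssetIdentity, CRPVMId, ServiceId, SubscriptionId, ComputerName, EventProv as EventProvider, EventType, EventPayload, TimeCreated
        ]]></Query>
      </DerivedEvent>

      <!-- Watchdog errors (Application log subscription above) forwarded into AsmSpDiag.
           NOTE(review): this writes to the same AsmSpDiag table as the AsmDiagnostics feed but with a
           different column set (TimeCreated present; Truncated/TotalChunks/ChunkId/ChunkReference absent).
           Confirm the central table tolerates the union of both schemas. No retentionInDays is set. -->
      <DerivedEvent source="WatchDogErrorEventLocal" duration="PT5M" eventName="AsmSpDiag" account="AzSecurityStore"
                    priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local">
        <Query><![CDATA[
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
          let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
          let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
          let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
          select ReportingIdentity, AssetIdentity, EventProvider, EventType, TimeCreated, EventPayload, CRPVMId, ServiceId, SubscriptionId, ComputerName
        ]]></Query>
      </DerivedEvent>
    </DerivedEvents>

    <Extensions>
      <!-- Scanner host process. Config file paths are relative and resolved by the agent's extension loader.
           NOTE(review): cpuThrottling="Hard" at 5% with a 128 MB ceiling means a scanner that exceeds the
           budget is throttled/limited rather than the host being impacted; watch AsmSpDiag for Startup/
           Shutdown churn, which is the visible symptom if the limits are too tight for a scan to finish. -->
      <Extension extensionName="AzureSecurityPack">
        <CommandLine>SecurityScanMgr.exe -aspconfig:AzureSecurityPackConfiguration.xml -config:AsmScannerConfiguration.xml</CommandLine>
        <!-- <AlternativeExtensionLocation></AlternativeExtensionLocation> -->
        <!-- <Body></Body> -->
        <ResourceUsage cpuPercentUsage="5" cpuThrottling="Hard" memoryLimitInMB="128" />
      </Extension>
    </Extensions>
  </Events>
</MonitoringManagement>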