Obs/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/AzSecMdsAsmScanOffline-Content.xml

<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2023-06-08T00:58:42.4731192Z">
  <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.27.0.4 -->
  <Events>
    <EtwProviders>
      <!--
        ASM scanner ETW provider (manifest based). Raw events are staged on the
        node only (storeType="Local") on a PT1M cycle; nothing in this section
        leaves the machine by itself. The DerivedEvents further down read the
        per-event tables named here and ship filtered projections centrally.
        The manifest path is relative; presumably resolved against the agent's
        install root (verify against the agent's extension layout).
      -->
      <EtwProvider guid="9a65c11b-e330-4ecd-a666-3c3d2c320622" format="Manifest" storeType="Local" manifest="extensions\AzureSecurityPack\SecurityScanLoggerUnifiedManifest.man" duration="PT1M">
        <!-- ETW header columns recorded with every row. Pid/Tid/ProviderGuid give process attribution for later triage. -->
        <AdditionalHeaderFields>
          <Field>EventId</Field>
          <Field>Level</Field>
          <Field>Pid</Field>
          <Field>Tid</Field>
          <Field>ProviderGuid</Field>
          <Field>ProviderName</Field>
          <Field>EventMessage</Field>
          <Field>ActivityId</Field>
          <Field>TaskName</Field>
          <Field>KeywordName</Field>
          <Field>OpcodeName</Field>
          <Field>ChannelName</Field>
          <Field>EventVersion</Field>
        </AdditionalHeaderFields>
        <!-- Catch-all table for event ids not mapped below (presumably; confirm DefaultEvent semantics with the agent docs). -->
        <DefaultEvent eventName="AsmScannerDefaultEvents" />
        <!-- Diagnostics Logs (id 100). Read by the AsmSpDiag derived event. -->
        <Event id="100" eventName="AsmDiagnostics" />
        <!-- LogScanEvent() (id 101). Read by AsmSpInvRes3, AsmSysCmd, AsmSysCmdAgg and AsmSysChg. -->
        <Event id="101" eventName="AsmScannerData" />
        <!-- LogInventoryEvent() (id 102). Read by the AsmSpInv*, AsmSpCfgBase, AsmSpPatch and AsmSpRegistry feeds. -->
        <Event id="102" eventName="AsmInventoryData" />
        <!-- AlertData() (id 103). Read by AsmSpAlert. -->
        <Event id="103" eventName="AsmAlertsData" />
        <!-- HeartBeatData() (ids 120 and 121). Both are forwarded into the single AsmSpVer table. -->
        <Event id="120" eventName="AsmHeartbeatData" />
        <Event id="121" eventName="AsmHeartbeatHealthData" />
        <!-- AsmNet events: outbound/inbound connection snapshots and DNS resolutions, forwarded unfiltered by the AsmNw* feeds. -->
        <Event id="1020" eventName="AsmNetOutboundSnapshotData" />
        <Event id="1025" eventName="AsmNetInboundSnapshotData" />
        <Event id="1100" eventName="AsmNetDnsResolutionData" />
      </EtwProvider>
    </EtwProviders>
    <!--
      Diagnostic Tool File Monitor.

      When the diagnostics tool is run it places all of its output under
      %SystemDrive%\DiagnosticsZipDir\*.zip. This FileWatchItem uploads whatever
      appears under that directory to storage account AzSecurityStore, container
      azsecasmfmevent, as soon as it detects activity there.

      NOTE(review): nothing in this configuration restricts what is uploaded
      (no file type or author filter), so any local principal that can write to
      the directory can push arbitrary content into the central store. The
      directory ACL should be limited to the diagnostics tool and administrators;
      this file cannot enforce that. directoryQuotaInMB bounds the local staging
      footprint. lastChangeOffsetInSeconds presumably holds pickup until a file
      has been idle for 10s so partially written zips are not shipped (verify).
      The leading "" argument to Concat is redundant but harmless.
    -->
    <FileMonitors storeType="CentralBond">
      <FileWatchItem eventName="AsmSpFMEvent" account="AzSecurityStore" container="azsecasmfmevent" directoryQuotaInMB="100" lastChangeOffsetInSeconds="10" removeEmptyDirectories="false">
        <Directory><![CDATA[Concat("", GetStaticEnvironmentVariable("SystemDrive"), "\DiagnosticsZipDir")]]></Directory>
      </FileWatchItem>
    </FileMonitors>
    <!--
      Watchdog error pickup. Subscribes to the Application event log for
      provider AzureSecurityPack, EventID 3001 only, and projects the XPath
      fields below into the local WatchDogErrorEventLocal table
      (storeType="Local"). EventPayload defaults to "" when the event carries
      no EventData. None of the DerivedEvents visible in this file forwards
      this table centrally.
    -->
    <WindowsEventLogSubscriptions>
      <Subscription eventName="WatchDogErrorEventLocal" query="Application!*[System[Provider[@Name='AzureSecurityPack'] and (EventID=3001)]]" storeType="Local">
        <Column name="EventProvider">
          <Value>/Event/System/Provider/@Name</Value>
        </Column>
        <Column name="EventType">
          <Value>/Event/System/EventID</Value>
        </Column>
        <Column name="TimeCreated">
          <Value>/Event/System/TimeCreated/@SystemTime</Value>
        </Column>
        <Column name="EventPayload" defaultAssignment="">
          <Value>/Event/EventData/*</Value>
        </Column>
      </Subscription>
    </WindowsEventLogSubscriptions>
    <DerivedEvents>
      <!--
        HNS container telemetry. Forwards AsmScannerData rows from the
        HNSContainerTelemetryScanner on a PT15M cycle into AsmSpInvRes3.
        Every feed in this file enriches rows with the same node identity
        columns read from the agent's static environment: ReportingIdentity,
        AssetIdentity, CRPVMId, ServiceId, SubscriptionId and ComputerName
        (FQDN, falling back to COMPUTERNAME when the FQDN variable is empty).
        Retained 30 days; retryTimeout PT5M.
      -->
      <DerivedEvent source="AsmScannerData" duration="PT15M" eventName="AsmSpInvRes3" account="AzSecurityStore" priority="Normal" retryTimeout="PT5M" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "HNSContainerTelemetryScanner")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Command line and script telemetry: Windows security event 4688 (process
        creation) and PowerShell 4103 / 4104 (module and script block logging).
        Source: AsmScannerData rows from EventDrivenScanner, PT5M cycle.
        The scanner tags process creation rows as "4688Scanner"; this query
        rewrites EventType back to "4688" and sets EventProvider to the native
        Windows provider name (Security-Auditing for 4688, PowerShell for
        4103/4104) so the AsmSysCmd table reads like the originating event log.
        TimeCreated is taken from UserField1 (presumably the original event
        time; verify against the scanner). EventType is emitted as a string
        here, whereas AsmSysCmdAgg emits it as the integer 4688.
        NOTE(review): retryTimeout is PT5M, far shorter than the PT1H used by the
        inventory feeds and the 7 days used by the alert feed; a prolonged upload
        outage affects this high value feed first. Confirm that is intended.
      -->
      <DerivedEvent source="AsmScannerData" duration="PT5M" eventName="AsmSysCmd" account="AzSecurityStore" priority="Normal" retryTimeout="PT5M" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "EventDrivenScanner") && (EventType = "4103" || EventType = "4104" || EventType = "4688Scanner")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            let EventProv = (EventType == "4688Scanner") ? "Microsoft-Windows-Security-Auditing":"Microsoft-Windows-PowerShell"
            let TimeCreated=UserField1
            let NewEventType = (EventType == "4688Scanner") ? "4688": EventType
            select ReportingIdentity, AssetIdentity, EventProv as EventProvider,NewEventType as EventType, EventPayload, CRPVMId, ServiceId, SubscriptionId, ComputerName, TimeCreated
                      ]]></Query>
      </DerivedEvent>
      <!--
        Aggregated process creation (4688) telemetry. Source: AsmScannerData rows
        tagged "4688Agg" by EventDrivenScanner, PT5M cycle. The scanner packs the
        aggregate into the UserField columns: UserField1 = occurrence count
        (converted with ToInt32), UserField2 = TimeCreated, UserField3 = latest
        timestamp. EventProvider is rewritten to the native Security-Auditing
        name and EventType is emitted as the integer 4688 (AsmSysCmd emits the
        string "4688"; consumers joining the two tables must account for that).
        retryTimeout PT5M, as for AsmSysCmd.
      -->
      <DerivedEvent source="AsmScannerData" duration="PT5M" eventName="AsmSysCmdAgg" account="AzSecurityStore" priority="Normal" retryTimeout="PT5M" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "EventDrivenScanner") && (EventType == "4688Agg")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            let EventProv="Microsoft-Windows-Security-Auditing"
            let NumberOfOccurrences=ToInt32(UserField1)
            let TimeCreated=UserField2
            let LatestTimeStamp=UserField3
            let NewEventType=4688
            select ReportingIdentity, AssetIdentity, EventProv as EventProvider, NewEventType as EventType, EventPayload, CRPVMId, ServiceId, SubscriptionId, ComputerName, NumberOfOccurrences, LatestTimeStamp, TimeCreated
                    ]]></Query>
      </DerivedEvent>
      <!--
        Scanner diagnostics feed. Forwards AsmDiagnostics rows of type Error,
        Warning, Startup or Shutdown into AsmSpDiag on a PT15M cycle, excluding
        the PILauncher, NetIsoScanner and OffNodeVulnScan providers (the same
        exclusion list as the alert feed; presumably those are shipped by a
        different configuration). The Truncated / TotalChunks / ChunkId /
        ChunkReference columns are carried through so oversized payloads split
        by the scanner can be reassembled downstream. retryTimeout PT1H,
        retained 30 days.
      -->
      <DerivedEvent source="AsmDiagnostics" duration="PT15M" eventName="AsmSpDiag" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventType = "Error" || EventType = "Warning" || EventType = "Startup" || EventType = "Shutdown") and (EventProvider != "PILauncher" and EventProvider != "NetIsoScanner" and EventProvider != "OffNodeVulnScan")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Alerting feed.

        All scanners using LogAlertingEvent have their records processed on a one
        minute cycle (duration PT1M). This is expected to be low volume output
        from the scanners. retryTimeout PT10080M is 7 days, so alerts survive a
        long upload outage rather than being dropped like the PT5M feeds.

        Exclusions: rows from PILauncher, NetIsoScanner and OffNodeVulnScan, and
        the CIExeViolation / AlExeViolation / CIALScrViolation event types (by
        name, code integrity and AppLocker style violations) are NOT written to
        AsmSpAlert. Presumably they are routed by another configuration; confirm
        before relying on this table for those detections.
      -->
      <DerivedEvent source="AsmAlertsData" duration="PT1M" eventName="AsmSpAlert" account="AzSecurityStore" priority="Normal" retryTimeout="PT10080M" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider != "PILauncher" and EventProvider != "NetIsoScanner" and EventProvider != "OffNodeVulnScan") && (EventType != "CIExeViolation" and EventType != "AlExeViolation" and EventType != "CIALScrViolation")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Reporting feeds.

        The inventory feeds below all follow the same pattern: read
        AsmInventoryData, filter by scanner (EventProvider) and row type
        (EventType), attach the standard node identity columns, carry the
        chunking columns through, run on a PT15M cycle, retry uploads for PT1H
        and retain for 30 days.
      -->
      <!--
        Baseline settings. BaselineScanner rows go to AsmSpCfgBase; the scanner
        places the OS version in UserField1, exposed here as OsVersion.
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpCfgBase" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where EventProvider = "BaselineScanner"
            let OsVersion = UserField1
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, OsVersion, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Installed patches. SoftwareInventoryScanner rows of type Patch go to
        AsmSpPatch. Products, features and OS version rows from the same scanner
        go to AsmSpInvPrdt in the next feed.
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpPatch" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Patch")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Installed products, Windows features and OS version.
        SoftwareInventoryScanner rows of type Product, Feature or Version go to
        AsmSpInvPrdt. Together with AsmSpPatch this is the input for
        vulnerability / missing update assessment.
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvPrdt" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Product" || EventType = "Feature" || EventType = "Version" )
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Host configuration inventory: network shares, named pipes, autoruns
        (autostart entries) and NTP status from SoftwareInventoryScanner go to
        AsmSpInvCfg. Shares and autoruns are common persistence and lateral
        movement surfaces; NTPStatus matters for the trustworthiness of
        timestamps in every other feed.
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvCfg" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "SoftwareInventoryScanner") && (EventType = "NetworkShare" || EventType = "NamedPipe" || EventType = "AutoRuns" || EventType = "NTPStatus")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Certificate store inventory. SoftwareInventoryScanner rows of type
        Certificate go to AsmSpInvCert (certificate metadata; the exported
        public keys are a separate row type handled by the next feed).
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvCert" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Certificate")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Exported certificate public keys. SoftwareInventoryScanner rows of type
        ExportedCertPubKeys go to AsmSpInvKey. Only public key material is
        expected here by name; if the scanner ever widened this row type the
        feed would ship it unchanged, so keep the EventType filter exact.
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvKey" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where(EventProvider = "SoftwareInventoryScanner") && (EventType = "ExportedCertPubKeys")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        HeavyTalker inventory. KernelScanner rows of type HeavyTalker (high
        volume network peers, by name) go to AsmSpInvNet. This is the only
        inventory feed sourced from KernelScanner rather than
        SoftwareInventoryScanner.
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvNet" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "KernelScanner") && (EventType = "HeavyTalker")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        RPC endpoint inventory. SoftwareInventoryScanner rows of type
        RpcEndpoint go to AsmSpInvRPC (exposed RPC interfaces are a remote
        attack surface worth tracking per node).
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvRPC" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "SoftwareInventoryScanner") && (EventType = "RpcEndpoint")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Kernel driver inventory. SoftwareInventoryScanner rows of type Drivers
        go to AsmSpInvDrv (input for vulnerable / unsigned driver detection
        downstream).
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvDrv" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Drivers")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Win32 services inventory. SoftwareInventoryScanner rows of type Services
        go to AsmSpInvSrvc (service installs are a standard persistence vector;
        diff against prior snapshots to catch new or altered services).
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvSrvc" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "SoftwareInventoryScanner") && (EventType = "Services")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!-- Registry inventory -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpRegistry" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local">
        <Query><![CDATA[
            where (EventProvider = "SoftwareInventoryScanner") && (EventType = "WindowsAdvancedThreatProtection" || EventType = "AsepRegistry" || EventType = "AntiVirusRegistry" || EventType = "WUSettingRegistry" || EventType = "AntiMalwareRegistry" || EventType = "MSRCRegistry" || EventType = "DSMSRegistry" || EventType = "DSMSRCVRegistry" || EventType = "AZWatsonRegistry")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Local users and groups inventory. UserGroupScanner rows of type
        UsersInventory or GroupsInventory go to AsmSpInvUG (local admin group
        membership and unexpected local accounts are the usual findings).
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvUG" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "UserGroupScanner") && (EventType = "UsersInventory" || EventType = "GroupsInventory")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Container inventory. Rows from either SoftwareInventoryScanner or
        ContainerInventoryScanner go to AsmSpInvRes1. The filter accepts two
        generations of row type names: the older Docker* types
        (DockerVersion, DockerImages, DockerContainers, DockerVolumes,
        DockerContainerDetails, DockerContainerProcessDetails) and the newer
        generic ones (VersionReport, ImageReport, ContainerReport,
        ContainerInventory). Keep both until every scanner version in the
        fleet has moved to the newer names.
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvRes1" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where (EventProvider = "SoftwareInventoryScanner" || EventProvider = "ContainerInventoryScanner") && (EventType = "DockerVersion" || EventType = "DockerImages" || EventType = "DockerContainers" || EventType = "DockerVolumes" || EventType = "DockerContainerDetails" || EventType = "DockerContainerProcessDetails" || EventType = "VersionReport" || EventType = "ImageReport" || EventType = "ContainerReport" || EventType = "ContainerInventory")
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        SQL vulnerability assessment inventory. Every SqlVaScanner row,
        regardless of EventType, goes to AsmSpInvRes2.
      -->
      <DerivedEvent source="AsmInventoryData" duration="PT15M" eventName="AsmSpInvRes2" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            where EventProvider = "SqlVaScanner"
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Heartbeat feed.

        Unfiltered: every AsmHeartbeatData row is forwarded to AsmSpVer on a
        PT15M cycle. NodeIdentity and NodeType are taken from the heartbeat
        event itself (no let), the remaining identity columns from the agent's
        static environment. A missing heartbeat in AsmSpVer is the signal that
        the ASM scanner on a node has stopped reporting.

        NOTE: the AsmHeartbeatHealthData feed that follows writes to the SAME
        eventName (AsmSpVer) with an identical select list. Both rows types land
        in one table; keep the two column lists in lock step when editing.
      -->
      <DerivedEvent source="AsmHeartbeatData" duration="PT15M" eventName="AsmSpVer" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Heartbeat health feed. Every AsmHeartbeatHealthData row is forwarded,
        unfiltered, into the same AsmSpVer table as the AsmHeartbeatData feed
        above, with an identical column list; EventProvider / EventType
        distinguish the two row kinds in the table. If one select list changes
        the other must change with it.
      -->
      <DerivedEvent source="AsmHeartbeatHealthData" duration="PT15M" eventName="AsmSpVer" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Outbound connection snapshots (AsmNet). Every AsmNetOutboundSnapshotData
        row is forwarded, unfiltered, to AsmNwOBSnapshot on a PT5M cycle. Each
        row is a per (RemoteAddress, RemotePort, Protocol, ProcessId) summary
        with connect / disconnect counts, FirstSeenUTC and the ProcessImagePath
        that gives process attribution for beaconing and exfiltration hunts.
        EventVersion is carried so consumers can handle schema changes from the
        scanner. Retained 30 days, retryTimeout PT1H.
      -->
      <DerivedEvent source="AsmNetOutboundSnapshotData" duration="PT5M" eventName="AsmNwOBSnapshot" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, RemoteAddress, RemotePort, Protocol, ProcessId, ConnectEventCount, DisconnectEventCount, FirstSeenUTC, ProcessImagePath, EventVersion, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        Inbound connection snapshots (AsmNet). Every AsmNetInboundSnapshotData
        row is forwarded, unfiltered, to AsmNwIBSnapshot on a PT5M cycle. The
        key differs from the outbound feed: the listening side is identified by
        LocalAddress / LocalPort and the peer only by RemoteAddress (no remote
        port), with accept / disconnect counts, FirstSeenUTC and the owning
        ProcessImagePath. This is the node level view of exposed listeners
        actually receiving traffic. Retained 30 days, retryTimeout PT1H.
      -->
      <DerivedEvent source="AsmNetInboundSnapshotData" duration="PT5M" eventName="AsmNwIBSnapshot" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, RemoteAddress, LocalAddress, LocalPort, Protocol, ProcessId, AcceptEventCount, DisconnectEventCount, FirstSeenUTC, ProcessImagePath, EventVersion, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        AsmNwDnsRes: DNS resolution stream.
        Forwards AsmNetDnsResolutionData every 5 minutes to AzSecurityStore (CentralBond,
        30-day retention) with the same node identity stamping as the two network
        snapshots above.
        Per resolution it carries DomainName, ResolutionStatus, QueryType, QueryResults and
        the requesting ProcessId/ProcessImagePath; this is the stream to pair with
        AsmNwOBSnapshot when tracing which process resolved a name before connecting out.
      -->
      <DerivedEvent source="AsmNetDnsResolutionData" duration="PT5M" eventName="AsmNwDnsRes" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30">
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, DomainName, ResolutionStatus, QueryType, QueryResults, ProcessId, ProcessImagePath, EventVersion, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <!--
        AsmSysChg: system-change events carved out of the AsmScannerData stream.
        The "where" clause keeps only rows whose EventProvider is "EventDrivenScanner"
        and whose EventType is "16" or "17"; everything else in AsmScannerData is dropped
        from this stream.
        TimeCreated is taken from the source event's UserField1, and the EventProvider
        column that is emitted is the constant "Microsoft-Windows-Crypto-NCrypt"
        (via "EventProv as EventProvider"), so the source's own EventProvider value is
        not forwarded. NOTE(review): because the provider name is hard-coded here, any
        new EventType routed through this filter will also be labelled NCrypt; confirm
        that is intended before widening the where clause.
        Unlike the network snapshot streams above, no retentionInDays is set on this
        DerivedEvent; NOTE(review): confirm the store-side default matches the retention
        expected for change-tracking data.
      -->
      <DerivedEvent source="AsmScannerData" duration="PT5M" eventName="AsmSysChg" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local">
        <Query><![CDATA[
             where (EventProvider = "EventDrivenScanner") && (EventType = "16" || EventType = "17")
             let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
             let AssetIdentity = GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
             let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
             let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
             let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
             let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
             let TimeCreated=UserField1
             let EventProv="Microsoft-Windows-Crypto-NCrypt"
             Select ReportingIdentity, AssetIdentity, CRPVMId, ServiceId, SubscriptionId, ComputerName, EventProv as EventProvider, EventType, EventPayload, TimeCreated
        ]]></Query>
      </DerivedEvent>
      <!--
        AsmSpDiag: Security Pack diagnostics forwarded from WatchDogErrorEventLocal.
        Every 5 minutes the source event's EventProvider, EventType, TimeCreated and
        EventPayload are stamped with the node identity variables (same "let" lines as
        the streams above) and sent to AzSecurityStore as CentralBond.
        NOTE(review): WatchDogErrorEventLocal is not declared in this part of the file;
        it is presumably a local event defined earlier, verify that it exists, otherwise
        this stream is silently empty.
        No retentionInDays attribute is set here; see the same note on AsmSysChg.
      -->
      <DerivedEvent source="WatchDogErrorEventLocal" duration="PT5M" eventName="AsmSpDiag" account="AzSecurityStore" priority="Normal" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local">
        <Query><![CDATA[
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
            select ReportingIdentity, AssetIdentity, EventProvider, EventType, TimeCreated, EventPayload, CRPVMId, ServiceId, SubscriptionId, ComputerName
            ]]></Query>
      </DerivedEvent>
    </DerivedEvents>
    <!--
      Extension process launched by the Monitoring Agent for this configuration.
      CommandLine starts SecurityScanMgr.exe with two configuration files passed as
      relative paths (-aspconfig and -config). NOTE(review): where those relative paths
      resolve depends on the agent's working directory for extensions; confirm both
      files ship alongside the executable so the scanner does not start with a missing
      or substituted configuration.
      ResourceUsage bounds the scanner to 5% CPU with hard throttling and 128 MB of
      memory; these are the limits protecting the host from the agent itself, so any
      increase should be reviewed as a footprint change.
      AlternativeExtensionLocation and Body are intentionally left commented out
      (not in use for this deployment).
    -->
    <Extensions>
      <Extension extensionName="AzureSecurityPack">
        <CommandLine>SecurityScanMgr.exe -aspconfig:AzureSecurityPackConfiguration.xml -config:AsmScannerConfiguration.xml</CommandLine>
        <!-- <AlternativeExtensionLocation></AlternativeExtensionLocation> -->
        <!-- <Body></Body> -->
        <ResourceUsage cpuPercentUsage="5" cpuThrottling="Hard" memoryLimitInMB="128" />
      </Extension>
    </Extensions>
  </Events>
</MonitoringManagement>