Obs/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/ReservedEventsTeam2Offline-Content.xml
<?xml version="1.0" encoding="utf-8"?>
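<MonitoringManagement version="1.0" timestamp="2023-06-08T00:58:42.4731192Z">
  <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.27.0.4 -->
  <!--
    Monitoring-agent configuration fragment. It subscribes to three events of one
    ETW provider and derives three streams from them, all written to the
    AzSecurityStore account with retentionInDays=180:
      event 8 (FedDataSucc) : AsmSec2Data
      event 9 (FedDataFail) : AsmSec2Diag
      event 1 (Critical)    : AsmSec2Alert
    Duration attributes are ISO 8601 durations: PT5M is 5 minutes, PT1M is
    1 minute, PT10080M is 10080 minutes (7 days).
  -->
  <Events>
    <EtwProviders>
      <!--
        The provider is selected by GUID and decoded with the manifest under
        Extensions\AzureSecurityPack. Only the event ids listed here are collected;
        each eventName is the name a DerivedEvent below refers to in its source
        attribute.
        NOTE(review): storeType is Local here and CentralBond on the derived events,
        so presumably the raw events stay on the host and only the derived rows are
        uploaded. Confirm against the agent documentation.
      -->
      <EtwProvider guid="CA12FEAF-00D4-4D69-9C31-A13C94E09A3A"
                   format="Manifest"
                   storeType="Local"
                   manifest="Extensions\AzureSecurityPack\Microsoft.WindowsAzure.Security.Authentication.Events.man"
                   duration="PT5M">
        <Event id="1" eventName="Critical" />
        <Event id="8" eventName="FedDataSucc" />
        <Event id="9" eventName="FedDataFail" />
      </EtwProvider>
    </EtwProviders>
    <DerivedEvents>
      <!-- Documentation for event fields can be found here: https://jarvis-west.dc.ad.msft.net/?page=documents&section=9c95f4eb-8689-4c9f-81bf-82d688e860fd&id=ac0084ad-5065-4b16-8f7d-0a5193143378#/ -->
      <!--
        Notes that apply to all three queries below:
        * ReportingIdentity and AssetIdentity are read from the agent's static
          environment variables MA_HEARTBEAT_IDENTITY and MA_AZURE_IDENTITY, so they
          are self-reported by the host. Treat them as attribution hints and
          corroborate them with another source before relying on them during an
          investigation.
        * NodeIdentity, NodeType and EventType are always emitted as empty strings.
        * NOTE(review): the queries mix the keyword spellings "let" and "Let".
          Confirm the query parser is case-insensitive; if it is not, the "Let"
          assignments (EventType, EventPayload) would not be applied.
      -->

      <!--
        Federation metadata retrieval succeeded (event id 8).
        The row carries FederationMetadataAddress, TrustedCertificates and
        SigningCertificates; EventPayload is left empty.
        NOTE(review): judging by the field names, this stream records which
        metadata endpoint and which certificates the host accepted. Unexpected
        changes in these columns are worth alerting on downstream. Confirm the
        field semantics in the linked documentation.
      -->
      <DerivedEvent source="FedDataSucc"
                    eventName="AsmSec2Data"
                    storeType="CentralBond"
                    priority="High"
                    duration="PT1M"
                    retryTimeout="PT10080M"
                    account="AzSecurityStore"
                    retentionInDays="180">
        <Query><![CDATA[
          where(EventId=8)
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let NodeIdentity=""
          let NodeType=""
          let EventProvider="Microsoft.WindowsAzure.Security.Authentication"
          Let EventType=""
          Let EventPayload=""
          select TIMESTAMP, ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload, FederationMetadataAddress, TrustedCertificates, SigningCertificates
        ]]></Query>
      </DerivedEvent>

      <!--
        Federation metadata retrieval failed (event id 9).
        Same column set as the success stream, routed to AsmSec2Diag.
        NOTE(review): confirm that the manifest template for event 9 defines
        FederationMetadataAddress, TrustedCertificates and SigningCertificates;
        this file does not show the manifest. No failure reason is selected and
        EventPayload is empty, so the row alone does not say why retrieval failed.
      -->
      <DerivedEvent source="FedDataFail"
                    eventName="AsmSec2Diag"
                    storeType="CentralBond"
                    priority="High"
                    duration="PT1M"
                    retryTimeout="PT10080M"
                    account="AzSecurityStore"
                    retentionInDays="180">
        <Query><![CDATA[
          where(EventId=9)
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let NodeIdentity=""
          let NodeType=""
          let EventProvider="Microsoft.WindowsAzure.Security.Authentication"
          Let EventType=""
          Let EventPayload=""
          select TIMESTAMP, ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload, FederationMetadataAddress, TrustedCertificates, SigningCertificates
        ]]></Query>
      </DerivedEvent>

      <!--
        Critical message from the authentication provider (event id 1).
        This is the only stream that fills EventPayload: it copies the event's
        Message field. The certificate and metadata-address columns are not
        selected here.
      -->
      <DerivedEvent source="Critical"
                    eventName="AsmSec2Alert"
                    storeType="CentralBond"
                    priority="High"
                    duration="PT1M"
                    retryTimeout="PT10080M"
                    account="AzSecurityStore"
                    retentionInDays="180">
        <Query><![CDATA[
          where(EventId=1)
          let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
          let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
          let NodeIdentity=""
          let NodeType=""
          let EventProvider="Microsoft.WindowsAzure.Security.Authentication"
          Let EventType=""
          Let EventPayload=Message
          select TIMESTAMP, ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload
        ]]></Query>
      </DerivedEvent>
    </DerivedEvents>
  </Events>
</MonitoringManagement>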