AzStackHci.EnvironmentChecker

1.2100.2321.143

AzStackHciStandaloneObservability/package/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/AzSecMdsAntimalwareOffline-Content.xml

                                <?xml version="1.0" encoding="utf-8"?>

<MonitoringManagement version="1.0" timestamp="2022-09-09T18:03:54.8774890Z">

  <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.22.0.2 -->

  <Events>

    <!-- 

              Diagnostic Tool File Monitor. 

              When the doagnostic tool is run it places all the MEPSupport cab files

              under %Program Data%\Microsoft\Microsoft Antimalware\Support\*.cab, this file Monitor will upload 

                                                  data to the corresponding storage account as soon as it detects

                                                  any activity under this dir.

              -->

    <FileMonitors storeType="CentralBond">

      <FileWatchItem eventName="AsmSysAvFMEvent" filter=".*\.cab" container="azsecsysavfm" contextParam="MalwareEngineLogs" directoryQuotaInMB="100" lastChangeOffsetInSeconds="60" uploadDelayInSeconds="60" removeEmptyDirectories="false" retentionInDays="30" account="AzSecurityStore">

        <Directory><![CDATA[Concat("", GetEnvironmentVariable("ProgramData"), "\Microsoft\Microsoft Antimalware\Support")]]></Directory>

      </FileWatchItem>

      <FileWatchItem eventName="AsmSysAvFMEvent" container="azsecsysavfm" compressionType="gzip" contextParam="QuarantineFiles" directoryQuotaInMB="100" lastChangeOffsetInSeconds="60" uploadDelayInSeconds="60" removeEmptyDirectories="false" retentionInDays="30" account="AzSecurityStore">

        <Directory><![CDATA[Concat("", GetEnvironmentVariable("ProgramData"), "\Microsoft\Microsoft Antimalware\Quarantine")]]></Directory>

      </FileWatchItem>

      <FileWatchItem eventName="AsmSysAvFMEvent" filter=".*\.cab" container="azsecsysavfm" contextParam="MalwareEngineLogs" directoryQuotaInMB="100" lastChangeOffsetInSeconds="60" uploadDelayInSeconds="60" removeEmptyDirectories="false" retentionInDays="30" account="AzSecurityStore">

        <Directory><![CDATA[Concat("", GetEnvironmentVariable("ProgramData"), "\Microsoft\Windows Defender\Support")]]></Directory>

      </FileWatchItem>

      <FileWatchItem eventName="AsmSysAvFMEvent" container="azsecsysavfm" compressionType="gzip" contextParam="QuarantineFiles" directoryQuotaInMB="100" lastChangeOffsetInSeconds="60" uploadDelayInSeconds="60" removeEmptyDirectories="false" retentionInDays="30" account="AzSecurityStore">

        <Directory><![CDATA[Concat("", GetEnvironmentVariable("ProgramData"), "\Microsoft\Windows Defender\Quarantine")]]></Directory>

      </FileWatchItem>

    </FileMonitors>

    <WindowsEventLogSubscriptions>

      <!-- Captures all Microsoft Antimalware Events -->

      <Subscription eventName="AsmSysMepLocal" query="System!*[System[Provider[@Name='Microsoft Antimalware'] and (EventID != 5007)]]" storeType="Local">

        <Column name="EventProvider" defaultAssignment="">

          <Value>/Event/System/Provider/@Name</Value>

        </Column>

        <Column name="EventType" defaultAssignment="0">

          <Value>/Event/System/EventID</Value>

        </Column>

        <Column name="TimeCreated" defaultAssignment="">

          <Value>/Event/System/TimeCreated/@SystemTime</Value>

        </Column>

        <Column name="EventPayload" defaultAssignment="">

          <Value>/Event/EventData/Data</Value>

        </Column>

        <Column name="EventDescription">

          <Value>GetEventMetadata("Description")</Value>

        </Column>

      </Subscription>

      <!-- Captures all Windows Defender Events -->

      <Subscription eventName="AsmSysMepLocal" query="Microsoft-Windows-Windows Defender/Operational!*[System[(EventID != 5007)]]" storeType="Local">

        <Column name="EventProvider" defaultAssignment="">

          <Value>/Event/System/Provider/@Name</Value>

        </Column>

        <Column name="EventType" defaultAssignment="0">

          <Value>/Event/System/EventID</Value>

        </Column>

        <Column name="TimeCreated" defaultAssignment="">

          <Value>/Event/System/TimeCreated/@SystemTime</Value>

        </Column>

        <Column name="EventPayload" defaultAssignment="">

          <Value>/Event/EventData/Data</Value>

        </Column>

        <Column name="EventDescription">

          <Value>GetEventMetadata("Description")</Value>

        </Column>

      </Subscription>

    </WindowsEventLogSubscriptions>

    <DerivedEvents>

      <DerivedEvent source="AsmSysMepLocal" eventName="AsmSysAV" storeType="CentralBond" duration="PT5M" account="AzSecurityStore" retentionInDays="90">

        <Query><![CDATA[

            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")          

            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")

            let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")

            let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")

            let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")

            let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")

            select ReportingIdentity, AssetIdentity, EventProvider, EventType, EventDescription, TimeCreated, EventPayload, CRPVMId, ServiceId, SubscriptionId, ComputerName

                    ]]></Query>

      </DerivedEvent>

    </DerivedEvents>

  </Events>

</MonitoringManagement>