AzStackHciStandaloneObservability/package/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/AzSecMdsWDATPOffline-Content.xml

<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2022-09-09T18:03:54.8774890Z">
  <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.22.0.2 -->
  <Events>
    <EtwProviders>
      <!-- MsSense scanner provider -->
      <EtwProvider guid="cb2ff72d-d4e4-585d-33f9-f3a395c40be7" format="EventSource" storeType="Local">
        <DefaultEvent eventName="AsmMsSenseLocal" />
      </EtwProvider>
      <!-- MsSense Diagnostics Provider -->
      <EtwProvider guid="65a1b6fc-4c24-59c9-e3f3-ad11ac510b41" format="EventSource" storeType="Local">
        <DefaultEvent eventName="AsmMsSDiagLocal" />
      </EtwProvider>
    </EtwProviders>
    <DerivedEvents>
      <DerivedEvent source="AsmMsSDiagLocal" eventName="AsmMsSDiag" storeType="CentralBond" priority="Low" duration="PT5M" retryTimeout="PT10080M" account="AzSecurityStore" retentionInDays="30">
        <Query><![CDATA[
                        where (TaskName="LruCacheCounter" || TaskName="EventTracker" || TaskName="BackgroundActionStats" || TaskName="FirstSeenModuleLoadCount" || TaskName="BucketCappingFilterCounter" || TaskName="reportCounter" || TaskName="EtwSessionCounter" || TaskName="LogServiceStartedEvent" || TaskName="InitializeComponentsActivity" || TaskName="StartComponentsActivity" || TaskName="MachineInfoActivity" || TaskName="ConfigurationApplyActivity" || TaskName="StartServiceActivity" || TaskName="ServiceStartAfterCrashEvent" || TaskName="LogServiceStartedEvent" || TaskName="MachineInfoFailedToRetrieve" || TaskName="DnsCacheStats" || TaskName="FirstSeenCount")
                        let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
                        let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
                        let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
                        let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
                        let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
                        let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
                        select ReportingIdentity, AssetIdentity, ProviderName, ProviderGuid, EventId, TaskName, Message, EventMessage, Level, CRPVMId, ServiceId, SubscriptionId, ComputerName
                    ]]></Query>
      </DerivedEvent>
      <DerivedEvent source="AsmMsSenseLocal" eventName="AsmMsSense" storeType="CentralBond" priority="Low" duration="PT1M" retryTimeout="PT10080M" account="AzSecurityStore" retentionInDays="30">
        <Query><![CDATA[
                        let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
                        let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
                        let CRPVMId=GetStaticEnvironmentVariable("MA_RoleEnvironment_VmId")
                        let ServiceId=GetStaticEnvironmentVariable("SERVICE_TREE_ID")
                        let SubscriptionId=GetStaticEnvironmentVariable("MA_RoleEnvironment_SubscriptionId")
                        let ComputerName=GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN") == "" ? GetStaticEnvironmentVariable("COMPUTERNAME") : GetStaticEnvironmentVariable("MA_COMPUTERNAME_FQDN")
                     ]]></Query>
      </DerivedEvent>
    </DerivedEvents>
  </Events>
</MonitoringManagement>