Obs/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/ReservedEventsTeam2Offline-Content.xml

<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2023-06-08T00:58:42.4731192Z">
  <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.27.0.4 -->
  <Events>
    <EtwProviders>
      <!-- Subscribes to one manifest-based ETW provider, identified by GUID and decoded
           with the AzureSecurityPack authentication-events manifest named in the
           manifest attribute. Three event ids are given names that the DerivedEvent
           elements in this file use as their source: id 1 is "Critical", id 8 is
           "FedDataSucc" and id 9 is "FedDataFail".
           duration="PT5M" is an ISO 8601 duration of five minutes.
           NOTE(review): storeType="Local" presumably keeps the raw events on the node,
           with only the derived events going to a central store; confirm against the
           agent documentation.
           NOTE(review): only the ids listed here are named in this file. If the
           manifest defines further authentication events, they are presumably not
           collected by this configuration; verify against the manifest. -->
      <EtwProvider guid="CA12FEAF-00D4-4D69-9C31-A13C94E09A3A" format="Manifest" storeType="Local" manifest="Extensions\AzureSecurityPack\Microsoft.WindowsAzure.Security.Authentication.Events.man" duration="PT5M">
        <Event id="1" eventName="Critical" />
        <Event id="8" eventName="FedDataSucc" />
        <Event id="9" eventName="FedDataFail" />
      </EtwProvider>
    </EtwProviders>
    <DerivedEvents>
      <!-- Documentation for event fields can be found here:
            https://jarvis-west.dc.ad.msft.net/?page=documents&section=9c95f4eb-8689-4c9f-81bf-82d688e860fd&id=ac0084ad-5065-4b16-8f7d-0a5193143378#/
        -->
      <!-- Get Federation Metadata Succeeded.
           Derives the "AsmSec2Data" event from the "FedDataSucc" source (ETW event id 8
           in the EtwProvider element of this file) and sends it to storeType
           "CentralBond" under account "AzSecurityStore" with retentionInDays="180".
           duration="PT1M" is one minute; retryTimeout="PT10080M" is 10080 minutes,
           i.e. seven days.
           The query:
             - filters on EventId=8, the same id the source name already stands for;
             - fills ReportingIdentity and AssetIdentity from the agent's static
               environment variables MA_HEARTBEAT_IDENTITY and MA_AZURE_IDENTITY;
             - sets NodeIdentity, NodeType, EventType and EventPayload to empty strings
               and EventProvider to a fixed provider name;
             - selects those columns plus FederationMetadataAddress, TrustedCertificates
               and SigningCertificates, which are not assigned in the query and so
               presumably come from the ETW event payload (confirm in the manifest).
           NOTE(review): the identity columns are whatever the agent's environment says
           they are; confirm what is emitted when either variable is unset, since rows
           without an asset identity cannot be attributed.
           NOTE(review): the last two assignments are spelled "Let" while the others use
           "let"; presumably the query parser is case-insensitive, confirm.
           NOTE(review): these rows record the federation metadata address and the
           certificate sets seen on each successful fetch, so an unexpected change in
           SigningCertificates, TrustedCertificates or FederationMetadataAddress for an
           asset is the signal to watch for in this table. -->
      <DerivedEvent source="FedDataSucc" eventName="AsmSec2Data" storeType="CentralBond" priority="High" duration="PT1M" retryTimeout="PT10080M" account="AzSecurityStore" retentionInDays="180">
        <Query><![CDATA[
            where(EventId=8)
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let NodeIdentity=""
            let NodeType=""
            let EventProvider="Microsoft.WindowsAzure.Security.Authentication"
            Let EventType=""
            Let EventPayload=""
 
            select
              TIMESTAMP, ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload, FederationMetadataAddress, TrustedCertificates, SigningCertificates
          ]]></Query>
      </DerivedEvent>
      <!-- Get Federation Metadata Failure.
           Derives the "AsmSec2Diag" event from the "FedDataFail" source (ETW event id 9
           in the EtwProvider element of this file) and sends it to storeType
           "CentralBond" under account "AzSecurityStore" with retentionInDays="180".
           duration="PT1M" is one minute; retryTimeout="PT10080M" is 10080 minutes,
           i.e. seven days.
           The query filters on EventId=9, fills ReportingIdentity and AssetIdentity
           from the static environment variables MA_HEARTBEAT_IDENTITY and
           MA_AZURE_IDENTITY, sets NodeIdentity, NodeType, EventType and EventPayload to
           empty strings, and selects the same column list as the success event,
           including FederationMetadataAddress, TrustedCertificates and
           SigningCertificates.
           NOTE(review): EventPayload is the empty string here, so no failure reason is
           carried in that column; whether the ETW event has an error field that could
           be mapped into it is not visible from this file, check the manifest.
           NOTE(review): the certificate columns are selected on the failure path too;
           presumably they hold the values in use at the time of the failure, confirm.
           NOTE(review): the last two assignments are spelled "Let" while the others use
           "let"; presumably the query parser is case-insensitive, confirm.
           NOTE(review): sustained failures for one asset mean its federation data is
           not being refreshed; consider alerting on repeated rows per AssetIdentity
           rather than treating this table as diagnostics only. -->
      <DerivedEvent source="FedDataFail" eventName="AsmSec2Diag" storeType="CentralBond" priority="High" duration="PT1M" retryTimeout="PT10080M" account="AzSecurityStore" retentionInDays="180">
        <Query><![CDATA[
            where(EventId=9)
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let NodeIdentity=""
            let NodeType=""
            let EventProvider="Microsoft.WindowsAzure.Security.Authentication"
            Let EventType=""
            Let EventPayload=""
 
            select
              TIMESTAMP, ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload, FederationMetadataAddress, TrustedCertificates, SigningCertificates
          ]]></Query>
      </DerivedEvent>
      <!-- Get Federation Critical Message.
           Derives the "AsmSec2Alert" event from the "Critical" source (ETW event id 1
           in the EtwProvider element of this file) and sends it to storeType
           "CentralBond" under account "AzSecurityStore" with retentionInDays="180".
           duration="PT1M" is one minute; retryTimeout="PT10080M" is 10080 minutes,
           i.e. seven days.
           The query filters on EventId=1, fills ReportingIdentity and AssetIdentity
           from the static environment variables MA_HEARTBEAT_IDENTITY and
           MA_AZURE_IDENTITY, and sets NodeIdentity, NodeType and EventType to empty
           strings. Unlike the two federation metadata events, EventPayload is set to
           the Message field and the three federation columns are not selected.
           NOTE(review): Message is forwarded as is. It is presumably free text written
           by the authentication component; consumers of AsmSec2Alert should treat it
           as untrusted text when rendering or parsing it, and it is worth confirming
           that it cannot contain secrets, given the 180-day retention.
           NOTE(review): EventType is empty, so alerts cannot be told apart by type in
           this table; any classification has to come from the Message text.
           NOTE(review): the last two assignments are spelled "Let" while the others use
           "let"; presumably the query parser is case-insensitive, confirm. -->
      <DerivedEvent source="Critical" eventName="AsmSec2Alert" storeType="CentralBond" priority="High" duration="PT1M" retryTimeout="PT10080M" account="AzSecurityStore" retentionInDays="180">
        <Query><![CDATA[
            where(EventId=1)
            let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY")
            let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY")
            let NodeIdentity=""
            let NodeType=""
            let EventProvider="Microsoft.WindowsAzure.Security.Authentication"
            Let EventType=""
            Let EventPayload=Message
 
            select
              TIMESTAMP, ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, EventPayload
          ]]></Query>
      </DerivedEvent>
    </DerivedEvents>
  </Events>
</MonitoringManagement>