Regla de supervisión de puerta de enlace de Microsoft ATA 1.7: se habilitaron PID para los nombres de proceso de la puerta de enlace de ATA.
Se habilitaron los PID para los nombres de proceso de la puerta de enlace de ATA.
Use KB281884 para deshabilitar los PID en los nombres de proceso.
Target | Microsoft.AdvancedThreatAnalytics.1_7.Gateway | ||
Category | AvailabilityHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
|
ID | Module Type | TypeId | RunAs |
---|---|---|---|
ATALogFile | DataSource | Microsoft.AdvancedThreatAnalytics.LogFileProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.AdvancedThreatAnalytics.1_7.Gateway.PIDsWasEnabledForProcessNamesInGateway" Enabled="true" Target="Microsoft.AdvancedThreatAnalytics.1_7.Gateway" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>AvailabilityHealth</Category>
<DataSources>
<DataSource ID="ATALogFile" TypeID="Microsoft.AdvancedThreatAnalytics.LogFileProvider">
<LogFileDirectory>$Target/Property[Type="Microsoft.AdvancedThreatAnalytics.1_7.Gateway"]/InstallationPath$\Logs</LogFileDirectory>
<LogFilePattern>Microsoft.Tri.Gateway-Errors.log</LogFilePattern>
<PublisherName>System.InvalidOperationException</PublisherName>
<ErrorStringContains>Instance 'Microsoft.Tri.Gateway' does not exist in the specified Category</ErrorStringContains>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.AdvancedThreatAnalytics.1_7.Gateway.PIDsWasEnabledForProcessNamesInGateway.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventData/DataItem/LogFileName$</AlertParameter1>
<AlertParameter2>$Data/EventData/DataItem/LogFileDirectory$</AlertParameter2>
<AlertParameter3>$Data/PublisherName$</AlertParameter3>
<AlertParameter4>$Data/EventDescription$</AlertParameter4>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
<SuppressionValue>$Data/EventDescription$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>