Home
  •  

Règle d'activité suspecte d'échec de la préauthentification de l'ordinateur

Microsoft.AdvancedThreatAnalytics.1_8.Center.ComputerPreauthenticationFailedSuspiciousActivity (Rule)

Knowledge Base article:

Récapitulatif

Le centre ATA a détecté une activité suspecte.

Causes

Nous avons détecté une activité suspecte.

Résolutions

Examinez l'activité suspecte dans la console ATA et lancez les procédures de réponse.

Element properties:

TargetMicrosoft.AdvancedThreatAnalytics.1_8.Center
CategorySecurityHealth
EnabledFalse
Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
RemotableTrue
Alert Message
Activité suspecte d'échec de la pré-authentification de l'ordinateur
Description de l'événement : {0}
Event LogMicrosoft ATA

Member Modules:

ID Module Type TypeId RunAs 
Microsoft.Windows.EventCollector DataSource Microsoft.Windows.EventProvider Default
System.Health.GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.AdvancedThreatAnalytics.1_8.Center.ComputerPreauthenticationFailedSuspiciousActivity" Target="Microsoft.AdvancedThreatAnalytics.1_8.Center" Enabled="false" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>SecurityHealth</Category>

  <DataSources>

    <DataSource ID="Microsoft.Windows.EventCollector" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Microsoft ATA</LogName>

      <AllowProxying>false</AllowProxying>

      <Expression>

        <SimpleExpression>

          <ValueExpression>

            <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

          </ValueExpression>

          <Operator>Equal</Operator>

          <ValueExpression>

            <Value Type="UnsignedInteger">2005</Value>

          </ValueExpression>

        </SimpleExpression>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="System.Health.GenerateAlert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.AdvancedThreatAnalytics.1_8.Center.ComputerPreauthenticationFailedSuspiciousActivity.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

    </WriteAction>

  </WriteActions>

</Rule>