O ATA Center observou uma atividade suspeita.
Foi detetada uma atividade suspeita.
Reveja a atividade suspeita no ATA Console e inicie os procedimentos de resposta.
| Target | Microsoft.AdvancedThreatAnalytics.1_8.Center | ||
| Category | SecurityHealth | ||
| Enabled | False | ||
| Alert Generate | True | ||
| Alert Severity | Error | ||
| Alert Priority | Normal | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | Microsoft ATA |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| Microsoft.Windows.EventCollector | DataSource | Microsoft.Windows.EventProvider | Default |
| System.Health.GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
Home
PTG <Rule ID="Microsoft.AdvancedThreatAnalytics.1_8.Center.SamrReconnaissanceSuspiciousActivity" Target="Microsoft.AdvancedThreatAnalytics.1_8.Center" Enabled="false" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>SecurityHealth</Category>
<DataSources>
<DataSource ID="Microsoft.Windows.EventCollector" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Microsoft ATA</LogName>
<AllowProxying>false</AllowProxying>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">2021</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="System.Health.GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.AdvancedThreatAnalytics.1_8.Center.SamrReconnaissanceSuspiciousActivity.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
</WriteAction>
</WriteActions>
</Rule>