Microsoft ATA 1.8 Gateway'i izlemeye yönelik kural - ATA Gateway, LDAP protokolünü kullanarak etki alanı denetleyicisini sorgulayamadı
ATA Gateway, LDAP protokolünü kullanarak etki alanı denetleyicisini sorgulayamadı.
1. ATA tarafından Active Directory etki alanına erişmek için kullanılan kullanıcı hesabının Active Directory ağacındaki tüm nesnelere okuma erişimi olduğunu doğrulayın.
Target | Microsoft.AdvancedThreatAnalytics.1_8.Gateway | ||
Category | AvailabilityHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
|
ID | Module Type | TypeId | RunAs |
---|---|---|---|
ATALogFile | DataSource | Microsoft.AdvancedThreatAnalytics.LogFileProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.AdvancedThreatAnalytics.1_8.Gateway.FailedToQueryDCUsingLDAPProtocol" Enabled="true" Target="Microsoft.AdvancedThreatAnalytics.1_8.Gateway" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>AvailabilityHealth</Category>
<DataSources>
<DataSource ID="ATALogFile" TypeID="Microsoft.AdvancedThreatAnalytics.LogFileProvider">
<LogFileDirectory>$Target/Property[Type="Microsoft.AdvancedThreatAnalytics.1_8.Gateway"]/InstallationPath$\Logs</LogFileDirectory>
<LogFilePattern>Microsoft.Tri.Gateway-Errors.log</LogFilePattern>
<PublisherName>System.DirectoryServices.Protocols.LdapException</PublisherName>
<ErrorStringContains>The LDAP server is unavailable</ErrorStringContains>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.AdvancedThreatAnalytics.1_8.Gateway.FailedToQueryDCUsingLDAPProtocol.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventData/DataItem/LogFileName$</AlertParameter1>
<AlertParameter2>$Data/EventData/DataItem/LogFileDirectory$</AlertParameter2>
<AlertParameter3>$Data/PublisherName$</AlertParameter3>
<AlertParameter4>$Data/EventDescription$</AlertParameter4>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
<SuppressionValue>$Data/EventDescription$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>