Microsoft ATA 1.8 게이트웨이 모니터링 규칙 - ATA 게이트웨이가 센터 인증서 체인의 유효성을 검사하지 못함
ATA 게이트웨이가 ATA 센터의 인증서 유효성을 검사하지 못했습니다.
1. ATA 게이트웨이의 신뢰할 수 있는 인증 기관 인증서 저장소에 루트 CA 인증서가 설치되어 있는지 확인합니다.
Target | Microsoft.AdvancedThreatAnalytics.1_8.Gateway | ||
Category | AvailabilityHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
|
ID | Module Type | TypeId | RunAs |
---|---|---|---|
ATALogFile | DataSource | Microsoft.AdvancedThreatAnalytics.LogFileProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.AdvancedThreatAnalytics.1_8.Gateway.FailedToValidateCenterCertificateChain" Enabled="true" Target="Microsoft.AdvancedThreatAnalytics.1_8.Gateway" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>AvailabilityHealth</Category>
<DataSources>
<DataSource ID="ATALogFile" TypeID="Microsoft.AdvancedThreatAnalytics.LogFileProvider">
<LogFileDirectory>$Target/Property[Type="Microsoft.AdvancedThreatAnalytics.1_8.Gateway"]/InstallationPath$\Logs</LogFileDirectory>
<LogFilePattern>Microsoft.Tri.Gateway-Errors.log</LogFilePattern>
<PublisherName>System.IdentityModel.Tokens.SecurityTokenValidationException</PublisherName>
<ErrorStringContains>Failed to validate certificate chain</ErrorStringContains>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.AdvancedThreatAnalytics.1_8.Gateway.FailedToValidateCenterCertificateChain.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventData/DataItem/LogFileName$</AlertParameter1>
<AlertParameter2>$Data/EventData/DataItem/LogFileDirectory$</AlertParameter2>
<AlertParameter3>$Data/PublisherName$</AlertParameter3>
<AlertParameter4>$Data/EventDescription$</AlertParameter4>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
<SuppressionValue>$Data/EventDescription$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>