Ein Hosteintrag in der HOSTS-Datei verweist auf den Kurznamen des Computers.

Microsoft.AdvancedThreatAnalytics.1_8.Gateway.HostEntryInHOSTSFile (Rule)

Regel zur Überwachung des Microsoft ATA 1.8-Gateways – Ein Hosteintrag in der HOSTS-Datei verweist auf den Kurznamen des Computers.

Knowledge Base article:

Element properties:

Member Modules:

Source Code:

<Rule ID="Microsoft.AdvancedThreatAnalytics.1_8.Gateway.HostEntryInHOSTSFile" Enabled="true" Target="Microsoft.AdvancedThreatAnalytics.1_8.Gateway" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>AvailabilityHealth</Category>

  <DataSources>

    <DataSource ID="ATALogFile" TypeID="Microsoft.AdvancedThreatAnalytics.LogFileProvider">

      <LogFileDirectory>$Target/Property[Type="Microsoft.AdvancedThreatAnalytics.1_8.Gateway"]/InstallationPath$\Logs</LogFileDirectory>

      <LogFilePattern>Microsoft.Tri.Gateway-Errors.log</LogFilePattern>

      <PublisherName>System.ApplicationException</PublisherName>

      <ErrorStringContains>Unable to start ETW session MMA-ETW-Livecapture</ErrorStringContains>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.AdvancedThreatAnalytics.1_8.Gateway.HostEntryInHOSTSFile.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventData/DataItem/LogFileName$</AlertParameter1>

        <AlertParameter2>$Data/EventData/DataItem/LogFileDirectory$</AlertParameter2>

        <AlertParameter3>$Data/PublisherName$</AlertParameter3>

        <AlertParameter4>$Data/EventDescription$</AlertParameter4>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>

        <SuppressionValue>$Data/EventDescription$</SuppressionValue>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>