Home
  •  

Alert for event Id: 22126 ('PNCH_WARNING_DOMAIN_MONITORING_START')

Microsoft.LS.2013.Monitoring.Rule.InfoEvent.PNCH.PNCH_WARNING_DOMAIN_MONITORING_START (Rule)

Knowledge Base article:

Summary

Potentially malicious behavior has been detected on a domain and is being monitored.

Causes

Domain has been sending incorrect or excessive notifications that are above defined threshold.

Resolutions

If the domain is exhibiting potentially malicious behavior, block it.

Element properties:

TargetMicrosoft.LS.2013.Component.PNCH
CategoryEventCollection
EnabledTrue
Event_ID22126
Event SourceLS Push Notification Service
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityLow
RemotableTrue
Alert Message
[LYNC] Potentially malicious behavior has been detected on a domain and is being monitored.
{0}

Please see the 'Product Knowledge' and the 'Alert Context' tab on Alert Properties view for more information.
Event LogLync Server

Member Modules:

ID Module Type TypeId RunAs 
CollectEvent DataSource Microsoft.Windows.EventProvider Default
WriteAlert WriteAction System.Health.GenerateAlert Default
WriteToDB WriteAction Microsoft.SystemCenter.CollectEvent Default
WriteToDW WriteAction Microsoft.SystemCenter.DataWarehouse.PublishEventData Default

Source Code:

<Rule ID="Microsoft.LS.2013.Monitoring.Rule.InfoEvent.PNCH.PNCH_WARNING_DOMAIN_MONITORING_START" Enabled="true" Target="Microsoft.LS.2013.Component.PNCH" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="CollectEvent" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Lync Server</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="String">LS Push Notification Service</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">22126</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>

    <WriteAction ID="WriteAlert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>0</Priority>

      <Severity>1</Severity>

      <AlertMessageId>$MPElement[Name="Alert_Potentially_malicious_behavior_has_been_detected_on_a_domain_and_is_being_monitored."]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>

        <SuppressionValue>$Data/PublisherName$</SuppressionValue>

        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>

      </Suppression>

    </WriteAction>

    <WriteAction ID="WriteToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>

  </WriteActions>

</Rule>