The following discovered partners exceeded the number of internal users they are allowed to contact.
Federated partners that were discovered through DNS SRV have attempted to contact more usernames within your enterprise than is allowed. Such a partner might be a legitimate peer with extensive connections to your organization, but it is more likely to be an attacker.
It is recommended that connections from these partners be blocked at the firewall. If a given partner is a legitimate peer then add the partner's domains to the allowed list.
Target | Microsoft.LS.2015.Component.AccessEdge | ||
Parent Monitor | System.Health.SecurityState | ||
Category | SecurityHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.LS.2015.MonitorType.PairedEvent.Simple | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message |
| ||
RunAs | Default |
<UnitMonitor ID="Microsoft.LS.2015.Monitoring.UnitMonitor.PairedEvent.AccessEdge.SIPPROXY_EVENT_OEF_MAXCONTACTS_PEERS" Accessibility="Public" Enabled="true" Target="Microsoft.LS.2015.Component.AccessEdge" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="Microsoft.LS.2015.MonitorType.PairedEvent.Simple" ConfirmDelivery="true">
<Category>SecurityHealth</Category>
<AlertSettings AlertMessage="Alert_The_following_discovered_partners_exceeded_the_number_of_internal_users_they_are_allowed_to_contact.">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Error</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="Microsoft.LS.2015.Monitoring.UnitMonitor.PairedEvent.AccessEdge.SIPPROXY_EVENT_OEF_MAXCONTACTS_PEERS.Success" MonitorTypeStateID="SuccessEventRaised" HealthState="Success"/>
<OperationalState ID="Microsoft.LS.2015.Monitoring.UnitMonitor.PairedEvent.AccessEdge.SIPPROXY_EVENT_OEF_MAXCONTACTS_PEERS.Error" MonitorTypeStateID="ErrorEventRaised" HealthState="Error"/>
</OperationalStates>
<Configuration>
<ComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Lync Server</LogName>
<SuccessExpression>
<Or>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">14606</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">LS Protocol Stack</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">12288</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">LS Server</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</Or>
</SuccessExpression>
<ErrorExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">14605</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">LS Protocol Stack</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</ErrorExpression>
</Configuration>
</UnitMonitor>