Possible attack by Discovered Partners: user limit exceeded

Microsoft.LS.2015.Monitoring.UnitMonitor.PairedEvent.AccessEdge.SIPPROXY_EVENT_OEF_MAXCONTACTS_PEERS (UnitMonitor)

Knowledge Base article:

Summary

The following discovered partners exceeded the number of internal users they are allowed to contact.

Causes

Federated partners that were discovered through DNS SRV have attempted to contact more usernames within your enterprise than is allowed. Such a partner might be a legitimate peer with extensive connections to your organization, but it is more likely to be an attacker.

Resolutions

It is recommended that connections from these partners be blocked at the firewall. If a given partner is a legitimate peer, add the partner's domains to the allowed list.

Element properties:

Target: Microsoft.LS.2015.Component.AccessEdge
Parent Monitor: System.Health.SecurityState
Category: SecurityHealth
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: Microsoft.LS.2015.MonitorType.PairedEvent.Simple
Remotable: True
Accessibility: Public
Alert Message:
  [Skype] The following discovered partners exceeded the number of internal users they are allowed to contact.
  {0}

  Please see the 'Product Knowledge' and the 'Alert Context' tab on Alert Properties view for more information.
RunAs: Default

Source Code:

<UnitMonitor ID="Microsoft.LS.2015.Monitoring.UnitMonitor.PairedEvent.AccessEdge.SIPPROXY_EVENT_OEF_MAXCONTACTS_PEERS" Accessibility="Public" Enabled="true" Target="Microsoft.LS.2015.Component.AccessEdge" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="Microsoft.LS.2015.MonitorType.PairedEvent.Simple" ConfirmDelivery="true">
  <Category>SecurityHealth</Category>
  <AlertSettings AlertMessage="Alert_The_following_discovered_partners_exceeded_the_number_of_internal_users_they_are_allowed_to_contact.">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>Error</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="Microsoft.LS.2015.Monitoring.UnitMonitor.PairedEvent.AccessEdge.SIPPROXY_EVENT_OEF_MAXCONTACTS_PEERS.Success" MonitorTypeStateID="SuccessEventRaised" HealthState="Success"/>
    <OperationalState ID="Microsoft.LS.2015.Monitoring.UnitMonitor.PairedEvent.AccessEdge.SIPPROXY_EVENT_OEF_MAXCONTACTS_PEERS.Error" MonitorTypeStateID="ErrorEventRaised" HealthState="Error"/>
  </OperationalStates>
  <Configuration>
    <ComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
    <LogName>Lync Server</LogName>
    <SuccessExpression>
      <Or>
        <Expression>
          <And>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">14606</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="String">PublisherName</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="String">LS Protocol Stack</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
          </And>
        </Expression>
        <Expression>
          <And>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">12288</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="String">PublisherName</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="String">LS Server</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
          </And>
        </Expression>
      </Or>
    </SuccessExpression>
    <ErrorExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="UnsignedInteger">14605</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="String">PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="String">LS Protocol Stack</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </ErrorExpression>
  </Configuration>
</UnitMonitor>
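
The paired-event logic of the monitor definition above, replayed over constructed events as an added example (not part of the management pack): event 14605 from LS Protocol Stack raises the Error state, and 14606 from LS Protocol Stack or 12288 from LS Server returns it to Success. The Event class, the replay function and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass

# (EventDisplayNumber, PublisherName) pairs taken from the monitor's
# ErrorExpression and SuccessExpression; both fields must match exactly.
ERROR_EVENTS = {(14605, "LS Protocol Stack")}
SUCCESS_EVENTS = {(14606, "LS Protocol Stack"), (12288, "LS Server")}

@dataclass(frozen=True)
class Event:                 # hypothetical record for one 'Lync Server' log entry
    time: str                # ISO 8601 timestamp (sorts lexicographically)
    event_id: int            # EventDisplayNumber
    publisher: str           # PublisherName
    description: str = ""    # EventDescription, shown as {0} in the alert

def replay(events, state="Success"):
    """Return (final_state, transitions) after applying events in time order."""
    transitions = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.event_id, ev.publisher)
        if key in ERROR_EVENTS:
            new_state = "Error"
        elif key in SUCCESS_EVENTS:
            new_state = "Success"
        else:
            continue         # matched by neither expression: no state change
        if new_state != state:
            transitions.append((ev.time, new_state, ev.description))
            state = new_state
    return state, transitions

# Constructed sample events (not real log data).
SAMPLE = [
    Event("2024-01-01T10:00:00", 14605, "LS Protocol Stack", "partner.example"),
    Event("2024-01-01T10:05:00", 14605, "LS Protocol Stack", "partner.example"),
    Event("2024-01-01T10:10:00", 12288, "LS Protocol Stack"),  # wrong publisher
    Event("2024-01-01T10:20:00", 14606, "LS Protocol Stack"),
    Event("2024-01-01T11:00:00", 14605, "LS Protocol Stack", "other.example"),
    Event("2024-01-01T11:30:00", 12288, "LS Server"),
]

if __name__ == "__main__":
    final, history = replay(SAMPLE)
    print("final state:", final)
    for when, new_state, detail in history:
        print(when, new_state, detail)
```

Because Alert Auto Resolve is True, the alert closes as soon as a success event arrives, so the recorded Error periods are what to review when deciding between a firewall block and an allowed-list entry.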