The Access Edge Server has detected a large number of TLS negotiation attempts from federated partners with a TLS certificate that is chained to an untrusted root.
The server is likely under attack.
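It is recommended that connections from these partners be blocked at the firewall. Before blocking, identify the partners from the event description and rule out a legitimate partner whose certificate chains to a root that is simply missing from the Edge Server's trusted root store.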
Target | Microsoft.LS.2019.Component.AccessEdge | ||
Parent Monitor | System.Health.SecurityState | ||
Category | SecurityHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | High | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.LS.2019.MonitorType.TimerResetEvent.Simple | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message |
| ||
RunAs | Default |
<!--
  Unit monitor for the Access Edge component: untrusted-certificate TLS negotiation alert.
  Turns to Error when event 14626 from publisher "LS Protocol Stack" is seen in the
  "Lync Server" event log, and returns to Success when the reset timer fires.
  The Priority attribute on this element (Normal) belongs to the monitor itself; the alert
  it raises carries AlertPriority High, which is set under AlertSettings.
-->
<UnitMonitor ID="Microsoft.LS.2019.Monitoring.UnitMonitor.TimerResetEvent.AccessEdge.SIPPROXY_E_UNTRUSTED_CERTIFICATE_ATTACK"
             Accessibility="Public"
             Enabled="true"
             Target="SFBDiscovery!Microsoft.LS.2019.Component.AccessEdge"
             ParentMonitorID="Health!System.Health.SecurityState"
             Remotable="true"
             Priority="Normal"
             TypeID="Microsoft.LS.2019.MonitorType.TimerResetEvent.Simple"
             ConfirmDelivery="true">
  <!-- Rolls up under the security-state aggregate named in ParentMonitorID. -->
  <Category>SecurityHealth</Category>

  <!-- An alert is raised when the monitor enters the Error state. -->
  <AlertSettings AlertMessage="Alert_The_Access_Edge_Server_has_detected_a_large_number_of_TLS_negotiation_attempts_from_federated_partners_with_a_TLS_certificate_that_is_chained_to_an_untrusted_root.">
    <AlertOnState>Error</AlertOnState>
    <!--
      AutoResolve is true, so the alert closes without operator action once the monitor
      returns to Success. NOTE(review): confirm closed alerts and the underlying events are
      retained long enough for triage, since a view of open alerts alone will not show
      earlier occurrences.
    -->
    <AutoResolve>true</AutoResolve>
    <AlertPriority>High</AlertPriority>
    <AlertSeverity>Error</AlertSeverity>
    <AlertParameters>
      <!-- The text of the matched event is passed into the alert as its first parameter. -->
      <AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>
    </AlertParameters>
  </AlertSettings>

  <!-- Two states: the timer event maps to Success, the error event maps to Error. -->
  <OperationalStates>
    <OperationalState ID="Microsoft.LS.2019.Monitoring.UnitMonitor.TimerResetEvent.AccessEdge.SIPPROXY_E_UNTRUSTED_CERTIFICATE_ATTACK.Timer"
                      MonitorTypeStateID="TimerEventRaised"
                      HealthState="Success"/>
    <OperationalState ID="Microsoft.LS.2019.Monitoring.UnitMonitor.TimerResetEvent.AccessEdge.SIPPROXY_E_UNTRUSTED_CERTIFICATE_ATTACK.Error"
                      MonitorTypeStateID="ErrorEventRaised"
                      HealthState="Error"/>
  </OperationalStates>

  <Configuration>
    <!-- Network name of the Windows computer reached three Host hops up from the target. -->
    <ComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
    <LogName>Lync Server</LogName>

    <!--
      Error condition: both sub-expressions must hold (event number AND publisher name).
      No count or rate threshold appears here; the "large number" judgement is presumably
      made by the component that writes the event. Verify against the product documentation.
    -->
    <ErrorExpression>
      <And>
        <!-- Event number equals 14626. -->
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="UnsignedInteger">14626</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <!-- Publisher equals "LS Protocol Stack". -->
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="String">PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="String">LS Protocol Stack</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </ErrorExpression>

    <!-- Reset timer value; presumably seconds (3600 = one hour). TODO confirm the unit. -->
    <AutoResolveInterval>3600</AutoResolveInterval>
  </Configuration>
</UnitMonitor>