SIP Proxy: Possible attack by partners with an untrusted root certificate.

Microsoft.LS.2019.Monitoring.UnitMonitor.TimerResetEvent.AccessEdge.SIPPROXY_E_UNTRUSTED_CERTIFICATE_ATTACK (UnitMonitor)

Knowledge Base article:

Summary

The Access Edge Server has detected a large number of TLS negotiation attempts from federated partners with a TLS certificate that is chained to an untrusted root.

Causes

The server is likely under attack.

Resolutions

It is recommended that connections from these partners be blocked at the firewall.

Element properties:

Target: Microsoft.LS.2019.Component.AccessEdge
Parent Monitor: System.Health.SecurityState
Category: SecurityHealth
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: High
Alert Auto Resolve: True
Monitor Type: Microsoft.LS.2019.MonitorType.TimerResetEvent.Simple
Remotable: True
Accessibility: Public
Alert Message:
[Skype] The Access Edge Server has detected a large number of TLS negotiation attempts from federated partners with a TLS certificate that is chained to an untrusted root.
{0}

Please see the 'Product Knowledge' and the 'Alert Context' tab on Alert Properties view for more information.
RunAs: Default

Source Code:

<UnitMonitor ID="Microsoft.LS.2019.Monitoring.UnitMonitor.TimerResetEvent.AccessEdge.SIPPROXY_E_UNTRUSTED_CERTIFICATE_ATTACK" Accessibility="Public" Enabled="true" Target="SFBDiscovery!Microsoft.LS.2019.Component.AccessEdge" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="Microsoft.LS.2019.MonitorType.TimerResetEvent.Simple" ConfirmDelivery="true">
  <Category>SecurityHealth</Category>
  <AlertSettings AlertMessage="Alert_The_Access_Edge_Server_has_detected_a_large_number_of_TLS_negotiation_attempts_from_federated_partners_with_a_TLS_certificate_that_is_chained_to_an_untrusted_root.">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>High</AlertPriority>
    <AlertSeverity>Error</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="Microsoft.LS.2019.Monitoring.UnitMonitor.TimerResetEvent.AccessEdge.SIPPROXY_E_UNTRUSTED_CERTIFICATE_ATTACK.Timer" MonitorTypeStateID="TimerEventRaised" HealthState="Success"/>
    <OperationalState ID="Microsoft.LS.2019.Monitoring.UnitMonitor.TimerResetEvent.AccessEdge.SIPPROXY_E_UNTRUSTED_CERTIFICATE_ATTACK.Error" MonitorTypeStateID="ErrorEventRaised" HealthState="Error"/>
  </OperationalStates>
  <Configuration>
    <ComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
    <LogName>Lync Server</LogName>
    <ErrorExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="UnsignedInteger">14626</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="String">PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="String">LS Protocol Stack</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </ErrorExpression>
    <AutoResolveInterval>3600</AutoResolveInterval>
  </Configuration>
</UnitMonitor>
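The monitor above goes to the Error state when the "Lync Server" event log on the Access Edge Server receives event 14626 from the "LS Protocol Stack" source, and auto-resolves after 3600 seconds. The following is an added example, not part of the management pack, that runs the same check by hand on the Edge server so an operator can confirm the event is still being raised before blocking the partner at the firewall. It uses the standard Get-WinEvent cmdlet and its FilterHashtable keys (LogName, Id, ProviderName, StartTime); the one-hour window is an assumption chosen to match the monitor's auto-resolve interval.

```powershell
# Added example (not from the Skype for Business management pack).
# Run on the Access Edge Server with rights to read the "Lync Server" event log.
param(
    [int]$Hours = 1   # assumed window; matches the monitor's 3600 s AutoResolveInterval
)

# Same criteria the monitor's ErrorExpression applies: event ID 14626 from "LS Protocol Stack".
$filter = @{
    LogName      = 'Lync Server'
    Id           = 14626
    ProviderName = 'LS Protocol Stack'
    StartTime    = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent returns newest first; -ErrorAction SilentlyContinue suppresses the "no events" error.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    "No event 14626 from 'LS Protocol Stack' in the last $Hours hour(s); the monitor would sit in its Timer (healthy) state."
    return
}

"{0} occurrence(s) of event 14626 in the last {1} hour(s); latest at {2}." -f $events.Count, $Hours, $events[0].TimeCreated

# The event description is what the alert substitutes for {0} ($Data/Context/EventDescription$);
# it identifies the federated partner whose certificate chains to an untrusted root.
$events[0].Message
```

Because the monitor auto-resolves after an hour, a repeat run of this query after the alert has cleared tells you whether the attempts have actually stopped or are simply being re-alerted on the next occurrence.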