Generate Alert for Transaction Security APM Event

Microsoft.SystemCenter.Apm.WebPageTransaction.AlertSecurityAspectRule (Rule)

Knowledge Base article:

Summary

The instance state becomes unhealthy if the total number of security events per defined time period exceeds the monitor threshold.

Causes

Security alerts are generated as a result of authorization, authentication, or permission problems when the application tries to access external resources. The alert details field displays a description containing the name of the failed function, the resource accessed, and the operation context, for troubleshooting the issue. Security exceptions are due to problems that are typically solved by environment or configuration changes without touching the source code. This kind of problem could be due to authentication, authorization, or permission problems accessing the database server, web service, IO resource, or Active Directory.

Resolutions

Security alerts arise from unhandled exceptions due to problems accessing external resources. To resolve these problems, check:

1) the description of the alert and events;

2) the operation target, for example Microsoft SQL Server;

3) the action, that is, the method that was executed against the resource, for example a connection to the server;

4) the security context: connection, user and identity details. After this review, update the account, password or permissions either in the application configuration or on the server/domain side.

Element properties:

Target: Microsoft.SystemCenter.Apm.WebPageTransaction
Category: Alert
Enabled: False
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Remotable: False
Alert Message
Transaction Security Exception
Transaction {5} for application {0} on {1} has had a security failure occur. An exception of type '{2}' with a message of '{3}' was thrown in '{4}'. For additional details please use the following link: $Url[Query='{6}']/APMEvent$

Member Modules:

ID                Module Type   TypeId                                                          RunAs
LOBProvider       DataSource    Microsoft.SystemCenter.Apm.WebPageTransaction.LobDataProvider   Default
AlertWriteAction  WriteAction   System.Health.GenerateAlert                                     Default

Source Code:

<Rule ID="Microsoft.SystemCenter.Apm.WebPageTransaction.AlertSecurityAspectRule" Enabled="false" ConfirmDelivery="false" Target="Microsoft.SystemCenter.Apm.WebPageTransaction" Remotable="false">
  <Category>Alert</Category>
  <DataSources>
    <DataSource ID="LOBProvider" TypeID="Microsoft.SystemCenter.Apm.WebPageTransaction.LobDataProvider">
      <Name>$Target/Host/Property[Type="AL!Microsoft.SystemCenter.Apm.ApplicationInstanceBase"]/ApplicationName$</Name>
      <AspectType>security</AspectType>
      <RootName>$Target/Property[Type="Microsoft.SystemCenter.Apm.WebPageTransaction"]/PageName$</RootName>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="AlertWriteAction" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name='Microsoft.SystemCenter.Apm.WebPageTransaction.AlertSecurityAspectRule.AlertMessage']$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Target/Host/Property[Type="AL!Microsoft.SystemCenter.Apm.ApplicationInstanceBase"]/ApplicationName$</AlertParameter1>
        <AlertParameter2>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</AlertParameter2>
        <AlertParameter3>$Data/EventData/exceptionclass$</AlertParameter3>
        <AlertParameter4>$Data/EventData/message$</AlertParameter4>
        <AlertParameter5>$Data/EventData/name$</AlertParameter5>
        <AlertParameter6>$Target/Property[Type="AL!Microsoft.SystemCenter.Apm.TransactionBase"]/TransactionName$</AlertParameter6>
        <AlertParameter7>$Data/EventData/ViewDetail$</AlertParameter7>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/EventData/eventConsolidationHash$</SuppressionValue>
      </Suppression>
      <Custom1>Security</Custom1>
    </WriteAction>
  </WriteActions>
</Rule>
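As an added example (not part of the management pack or SCOM's own code), the following Python parses the WriteAction above, resolves each AlertParameterN into placeholder {N-1} of the Alert Message, and models how the SuppressionValue (eventConsolidationHash) folds repeated failures into one open alert's repeat count rather than a new alert. The target properties, event data, host names and hashes are constructed, and the $Url[Query='{6}']/APMEvent$ wrapper is reduced to the raw ViewDetail value.

```python
import xml.etree.ElementTree as ET

# Alert message from the rule; {N} is filled by AlertParameter(N+1). $Url[Query='{6}']/APMEvent$ is reduced to {6}.
ALERT_FORMAT = ("Transaction {5} for application {0} on {1} has had a security failure occur. "
                "An exception of type '{2}' with a message of '{3}' was thrown in '{4}'. "
                "For additional details please use the following link: {6}")

# WriteAction copied from the rule (Priority, Severity, AlertMessageId and Custom1 omitted).
WRITE_ACTION_XML = """<WriteAction ID="AlertWriteAction" TypeID="Health!System.Health.GenerateAlert">
<AlertParameters>
<AlertParameter1>$Target/Host/Property[Type="AL!Microsoft.SystemCenter.Apm.ApplicationInstanceBase"]/ApplicationName$</AlertParameter1>
<AlertParameter2>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</AlertParameter2>
<AlertParameter3>$Data/EventData/exceptionclass$</AlertParameter3>
<AlertParameter4>$Data/EventData/message$</AlertParameter4>
<AlertParameter5>$Data/EventData/name$</AlertParameter5>
<AlertParameter6>$Target/Property[Type="AL!Microsoft.SystemCenter.Apm.TransactionBase"]/TransactionName$</AlertParameter6>
<AlertParameter7>$Data/EventData/ViewDetail$</AlertParameter7>
</AlertParameters>
<Suppression><SuppressionValue>$Data/EventData/eventConsolidationHash$</SuppressionValue></Suppression>
</WriteAction>"""

def resolve(expr, target_props, event_data):
    # Only the final property name is used; the $Target/Host/... hosting chain is not modelled.
    name = expr.rstrip("$").rsplit("/", 1)[1]
    return event_data.get(name, "") if expr.startswith("$Data/") else target_props[name]

def render_alert(target_props, event_data):
    # Fill {0}..{6} from AlertParameter1..7; return (message, suppression key).
    wa = ET.fromstring(WRITE_ACTION_XML)
    params = sorted(wa.find("AlertParameters"), key=lambda p: int(p.tag[len("AlertParameter"):]))
    values = [resolve(p.text, target_props, event_data) for p in params]
    key = resolve(wa.find("Suppression/SuppressionValue").text, target_props, event_data)
    return ALERT_FORMAT.format(*values), key

def deliver(target_props, events):
    # Model of SCOM suppression: a matching SuppressionValue bumps the open alert's repeat count, no second alert.
    alerts = {}
    for ev in events:
        message, key = render_alert(target_props, ev)
        alert = alerts.setdefault(key, {"message": message, "repeat_count": -1})
        alert["repeat_count"] += 1
    return alerts

# Constructed target properties and APM security events (not real data); equal hashes mean the same root failure.
TARGET = {"ApplicationName": "OrdersWeb", "NetworkName": "web01.example.test", "TransactionName": "Checkout.aspx"}
def _event(exc, msg, fn, n, h):
    return {"exceptionclass": exc, "message": msg, "name": fn, "ViewDetail": f"http://apm.example.test/event/{n}", "eventConsolidationHash": h}
EVENTS = [_event("System.Data.SqlClient.SqlException", "Login failed for user 'svc_orders'.", "SqlConnection.Open", 1, "h-sql-1"),
          _event("System.Data.SqlClient.SqlException", "Login failed for user 'svc_orders'.", "SqlConnection.Open", 2, "h-sql-1"),
          _event("System.UnauthorizedAccessException", "Access to the path 'exports' is denied.", "FileStream..ctor", 3, "h-io-1")]
```

Calling deliver(TARGET, EVENTS) yields two alerts: the SQL login failure with repeat count 1 (its message still carries the first event's link) and the file access failure with repeat count 0.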