Microsoft.SystemCenter.CollectThreatDetectionEventDataToCloud (Rule)

Element properties:

Target: Microsoft.SystemCenter.HealthService
Category: EventCollection
Enabled: False
Alert Generate: False
Remotable: True
Comment: this rule collects high volume event data from a healthservice and pushes it directly to the cloud

Member Modules:

ID     | Module Type | TypeId                                                            | RunAs
DS     | DataSource  | Microsoft.SystemCenter.PublishedThreatDetectionCloudEventProvider | Default
HttpWA | WriteAction | System.PublishDataToEndPoint                                      | Default

Source Code:

<Rule ID="Microsoft.SystemCenter.CollectThreatDetectionEventDataToCloud" Comment="this rule collects high volume event data from a healthservice and pushes it directly to the cloud" Enabled="false" Target="SCLibrary!Microsoft.SystemCenter.HealthService" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Microsoft.SystemCenter.PublishedThreatDetectionCloudEventProvider">
      <DropItems>false</DropItems>
      <MaximumBatchSize>300</MaximumBatchSize>
      <QueueDataOnStall>false</QueueDataOnStall>
      <QueueDataStallInterval>PT2M</QueueDataStallInterval>
      <StalledDataQueueSizeMB>500</StalledDataQueueSizeMB>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="HttpWA" TypeID="System.PublishDataToEndPoint">
      <AuthenticationCertificatePfx>$RunAs[Name="Advisor!Microsoft.SystemCenter.Advisor.RunAsProfile.Certificate"]/Data$</AuthenticationCertificatePfx>
      <AuthenticationMode>Certificate</AuthenticationMode>
      <Attributes>
        <Attribute>
          <Name>IPName</Name>
          <Value>Security</Value>
        </Attribute>
        <Attribute>
          <Name>ManagementGroupName</Name>
          <Value>$Target/ManagementGroup/Name$</Value>
        </Attribute>
        <Attribute>
          <Name>ManagementGroupId</Name>
          <Value>$Target/ManagementGroup/Id$</Value>
        </Attribute>
        <Attribute>
          <Name>HealthServiceSourceId</Name>
          <Value>$Target/Id$</Value>
        </Attribute>
        <Attribute>
          <Name>DataType</Name>
          <Value>ROME_DETECTION_EVENT_BLOB</Value>
        </Attribute>
      </Attributes>
      <CompressionType>Deflate</CompressionType>
      <DeletionPriority>110</DeletionPriority>
      <EndpointUrl>https://$Target/Property[Type="SCLibrary!Microsoft.SystemCenter.HealthService"]/ThirdPartyAuthenticationUri$.ods.opinsights.azure.com/EventDataService.svc/PostDataItems</EndpointUrl>
      <HttpMethod>POST</HttpMethod>
      <Priority>Normal</Priority>
      <SkipQueue>false</SkipQueue>
      <TimeToLive>PT2H</TimeToLive>
      <NationalCloudType>0</NationalCloudType>
    </WriteAction>
  </WriteActions>
</Rule>