REST response performance collection rule
This rule collects how many REST requests were made to the Network Controller. A sudden spike may be an indicator of malicious activity.
One possible cause is unauthorized or malicious access to the Network Controller REST service.
Review the recent requests to the Network Controller and ensure that only valid and benign users are accessing the service.
© 2016 Microsoft Corporation, all rights reserved
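
The rule only collects the counter (Alert Generate is False), so a spike has to be found in the stored samples. The Python below is an added example, not part of the management pack: it flags samples far above a rolling median baseline. The sample data is constructed, and `window`, `k`, `floor` and `max_gap_s` are assumed tuning values.

```python
from datetime import datetime, timedelta
from statistics import median

FREQUENCY_S = 900  # <Frequency> from the rule: one sample every 15 minutes


def find_spikes(samples, window=8, k=6.0, floor=1.0, max_gap_s=2 * FREQUENCY_S):
    """Return (timestamp, value, baseline) for samples far above the recent baseline.

    samples: time-ordered (datetime, requests_per_sec) pairs.
    The baseline is the median of the previous `window` samples; the spread is
    the scaled median absolute deviation (MAD), with `floor` as a minimum so a
    perfectly flat baseline does not flag tiny changes. All thresholds are
    assumptions to tune per environment.
    """
    spikes, history, prev_ts = [], [], None
    for ts, value in samples:
        # A collection gap (agent offline, node restart) invalidates the baseline.
        if prev_ts is not None and (ts - prev_ts).total_seconds() > max_gap_s:
            history = []
        prev_ts = ts
        if len(history) >= window:
            recent = history[-window:]
            base = median(recent)
            mad = median(abs(v - base) for v in recent)
            spread = max(1.4826 * mad, floor)
            if value > base + k * spread:
                spikes.append((ts, value, base))
                continue  # keep the spike itself out of the baseline
        history.append(value)
    return spikes


def constructed_samples():
    """Constructed data: steady ~4 req/s, then a single burst."""
    start = datetime(2024, 1, 1, 0, 0)
    values = [4.0, 4.2, 3.9, 4.1, 4.0, 4.3, 3.8, 4.1, 4.2, 4.0, 55.0, 4.1]
    return [(start + timedelta(seconds=FREQUENCY_S * i), v)
            for i, v in enumerate(values)]


if __name__ == "__main__":
    for ts, value, base in find_spikes(constructed_samples()):
        print(f"{ts:%Y-%m-%d %H:%M} {value:.1f} req/s (baseline {base:.1f})")
```

A flagged interval is the time window in which to review Network Controller requests, as the guidance above recommends.
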

Property | Value |
---|---|
Target | SDNMonitoringMP.SDNMonitoring.NetworkControllerClusterNode |
Category | PerformanceCollection |
Enabled | True |
Instance Name | Network Controller |
Counter Name | REST Requests Received/sec |
Frequency (seconds) | 900 |
Alert Generate | False |
Remotable | True |

ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | System.Performance.OptimizedDataProvider | Default |
CollectToDB | WriteAction | Microsoft.SystemCenter.CollectPerformanceData | Default |
CollectToDW | WriteAction | Microsoft.SystemCenter.DataWarehouse.PublishPerformanceData | Default |

```xml
<Rule ID="Microsoft.Windows.10.SDNMonitoring.RestRequestPerformanceCollectionRule" Target="SDNMonitoringMP.SDNMonitoring.NetworkControllerClusterNode" Enabled="true" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>PerformanceCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Perf!System.Performance.OptimizedDataProvider">
      <ComputerName>$Target/Property[Type="SDNMonitoringMP.SDNMonitoring.NetworkControllerClusterNode"]/Id$</ComputerName>
      <CounterName>REST Requests Received/sec</CounterName>
      <ObjectName>Network Controller</ObjectName>
      <InstanceName/>
      <AllInstances>false</AllInstances>
      <Frequency>900</Frequency>
      <Tolerance>0</Tolerance>
      <ToleranceType>Absolute</ToleranceType>
      <MaximumSampleSeparation>1</MaximumSampleSeparation>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="CollectToDB" TypeID="SC!Microsoft.SystemCenter.CollectPerformanceData"/>
    <WriteAction ID="CollectToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishPerformanceData"/>
  </WriteActions>
</Rule>
```