There might a replay attack on a particular user.
This could happen because an attacker is trying to use the data sent by another user.
Refer to the logs to see the user who is performing the replay attack, and consider disabling the user.

Property | Value |
---|---|
Target | Microsoft_Office_Communications_Server_2007_R2_Standard_Edition |
Category | EventCollection |
Enabled | True |
Event_ID | 47026 |
Event Source | OCS UserPin Service |
Alert Generate | True |
Alert Severity | Error |
Alert Priority | Normal |
Remotable | True |
Alert Message | |
Event Log | Office Communications Server |

ID | Module Type | TypeId | RunAs |
---|---|---|---|
CollectEvent | DataSource | Microsoft.Windows.EventProvider | Default |
WriteAlert | WriteAction | System.Health.GenerateAlert | Default |
WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
WriteToDW | WriteAction | Microsoft.SystemCenter.DataWarehouse.PublishEventData | Default |

<Rule ID="OCS_UserPin_Service_47026_SE" Enabled="true" Target="Microsoft_Office_Communications_Server_2007_R2_Standard_Edition" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="CollectEvent" TypeID="SCWindowsLibrary!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="SCWindowsLibrary!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Office Communications Server</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">OCS UserPin Service</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">47026</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WriteToDB" TypeID="SCSystemLibrary!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="WriteAlert" TypeID="SCHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="There_might_a_replay_attack_on_a_particular_user_"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
        <SuppressionValue>$Data/PublisherName$</SuppressionValue>
      </Suppression>
    </WriteAction>
    <WriteAction ID="WriteToDW" TypeID="SCDataWarehouseLibrary!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
  </WriteActions>
</Rule>