There might a replay attack on a particular user.

OCS_UserPin_Service_47026_SE (Rule)

Knowledge Base article:

Summary

There might a replay attack on a particular user.

Causes

This could happen because an attacker is trying to use the data sent by another user.

Resolutions

Refer to the logs to identify the user who is performing the replay attack, and consider disabling that user.

Element properties:

Target: Microsoft_Office_Communications_Server_2007_R2_Standard_Edition
Category: EventCollection
Enabled: True
Event_ID: 47026
Event Source: OCS UserPin Service
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Remotable: True
Alert Message: There might a replay attack on a particular user. {0}
Event Log: Office Communications Server

Member Modules:

ID            Module Type  TypeId                                                  RunAs
CollectEvent  DataSource   Microsoft.Windows.EventProvider                         Default
WriteAlert    WriteAction  System.Health.GenerateAlert                             Default
WriteToDB     WriteAction  Microsoft.SystemCenter.CollectEvent                     Default
WriteToDW     WriteAction  Microsoft.SystemCenter.DataWarehouse.PublishEventData   Default

Source Code:

<Rule ID="OCS_UserPin_Service_47026_SE" Enabled="true" Target="Microsoft_Office_Communications_Server_2007_R2_Standard_Edition" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="CollectEvent" TypeID="SCWindowsLibrary!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="SCWindowsLibrary!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Office Communications Server</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">OCS UserPin Service</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">47026</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WriteToDB" TypeID="SCSystemLibrary!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="WriteAlert" TypeID="SCHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="There_might_a_replay_attack_on_a_particular_user_"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
        <SuppressionValue>$Data/PublisherName$</SuppressionValue>
      </Suppression>
    </WriteAction>
    <WriteAction ID="WriteToDW" TypeID="SCDataWarehouseLibrary!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
  </WriteActions>
</Rule>