Security Monitoring: Collect SMBv1 Connections
Security.Monitoring.Collect.SMBv1Connections (Rule)
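Collects SMBv1 connection data on Windows Server operating systems (polled every 600 seconds) and stores it as event 911 in the operational database and the data warehouse.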
Element properties:
Member Modules:
Source Code:
<!--
  Collection rule: runs the Security.Monitoring.SMBv1Connections.DS data source
  against the Windows Server operating system class and stores what it returns
  as event 911 (publisher and channel "SMBv1") in the operational database and
  the data warehouse. It raises no alert; it only records events.
  Presumably intended for auditing remaining SMBv1 use; the data source itself
  is defined elsewhere in the management pack.
-->
<Rule ID="Security.Monitoring.Collect.SMBv1Connections"
      Target="Windows!Microsoft.Windows.Server.OperatingSystem"
      Enabled="true"
      ConfirmDelivery="false"
      Remotable="true"
      Priority="Normal"
      DiscardLevel="100">
  <Category>None</Category>
  <DataSources>
    <!-- Polled every 600 seconds with no fixed sync time. TimeOut is passed to
         the data source as 300; presumably a script timeout in seconds, to be
         confirmed against the module type definition. -->
    <DataSource ID="DS" TypeID="Security.Monitoring.SMBv1Connections.DS">
      <IntervalSeconds>600</IntervalSeconds>
      <SyncTime/>
      <TimeOut>300</TimeOut>
    </DataSource>
  </DataSources>
  <!-- Maps each data item from DS to an event with the fixed fields below. -->
  <ConditionDetection ID="CD" TypeID="System!System.Event.GenericDataMapper">
    <EventOriginId>$Target/Id$</EventOriginId>
    <PublisherId>$MPElement$</PublisherId>
    <PublisherName>SMBv1</PublisherName>
    <Channel>SMBv1</Channel>
    <LoggingComputer/>
    <EventNumber>911</EventNumber>
    <EventCategory>3</EventCategory>
    <EventLevel>0</EventLevel>
    <UserName/>
    <!-- NOTE(review): LoggingComputer, UserName and Params are empty, so no
         value produced by the data source is copied into the stored event.
         If DS returns per-connection details, they would need to be mapped
         into Params to be searchable later; confirm against the DS output. -->
    <Params/>
  </ConditionDetection>
  <WriteActions>
    <!-- DW publishes the event to the data warehouse; DB collects it into the
         operational database. -->
    <WriteAction ID="DW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
    <WriteAction ID="DB" TypeID="SystemCenter!Microsoft.SystemCenter.CollectEvent"/>
  </WriteActions>
</Rule>