Security Monitoring: Collect SMBv1 Connections

Security.Monitoring.Collect.SMBv1Connections (Rule)

Description: the management pack ships this rule with the authoring template's placeholder text ("Description for the new rule") left unedited. What the rule does is recoverable from the source below: every 600 seconds (script time-out 300 seconds) it runs the Security.Monitoring.SMBv1Connections.DS data source on each Windows Server operating system instance, turns each data item the data source returns into a synthetic event (publisher SMBv1, channel SMBv1, event number 911, category 3, level 0, origin $Target/Id$) and writes that event to the Operations Manager database and to the data warehouse. It is a collection rule: it generates no alert, so its output shows up in event views and reports, not in the alert view. Note that the mapper's Params element is empty, so none of the data source's output properties are copied into event parameters; as configured, event 911 records that the data source fired on that server, not which client or account negotiated SMBv1. To keep that detail you would add Param entries to the mapper (or alert on the collected event from a separate rule).

Element properties:

Target: Microsoft.Windows.Server.OperatingSystem
Category: None
Enabled: True
Alert Generate: False
Remotable: True

Member Modules:

ID  Module Type         TypeId                                                  RunAs
DS  DataSource          Security.Monitoring.SMBv1Connections.DS                 Default
CD  ConditionDetection  System.Event.GenericDataMapper                          Default
DB  WriteAction         Microsoft.SystemCenter.CollectEvent                     Default
DW  WriteAction         Microsoft.SystemCenter.DataWarehouse.PublishEventData   Default

Source Code:

<Rule ID="Security.Monitoring.Collect.SMBv1Connections" Target="Windows!Microsoft.Windows.Server.OperatingSystem" Enabled="true" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>None</Category>
<DataSources>
<DataSource ID="DS" TypeID="Security.Monitoring.SMBv1Connections.DS">
<IntervalSeconds>600</IntervalSeconds>
<SyncTime/>
<TimeOut>300</TimeOut>
</DataSource>
</DataSources>
<ConditionDetection ID="CD" TypeID="System!System.Event.GenericDataMapper">
<EventOriginId>$Target/Id$</EventOriginId>
<PublisherId>$MPElement$</PublisherId>
<PublisherName>SMBv1</PublisherName>
<Channel>SMBv1</Channel>
<LoggingComputer/>
<EventNumber>911</EventNumber>
<EventCategory>3</EventCategory>
<EventLevel>0</EventLevel>
<UserName/>
<Params/>
</ConditionDetection>
<WriteActions>
<WriteAction ID="DW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
<WriteAction ID="DB" TypeID="SystemCenter!Microsoft.SystemCenter.CollectEvent"/>
</WriteActions>
</Rule>
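The Security.Monitoring.SMBv1Connections.DS module type is not on this page, so the script below is an added illustration, not the management pack's own data source code. It shows the shape of a SCOM script data source that would feed the rule above: enumerate server-side SMB sessions on the target, keep those that negotiated an SMB1 dialect, and return one property bag per session for the generic data mapper to turn into event 911. The TargetId parameter stands in for $Target/Id$ and the property names are my own choice; cmdlet and COM object names are the real ones (Get-SmbSession, MOM.ScriptAPI).

```powershell
# Added example of a SCOM property-bag data source for SMBv1 session collection.
# Not the shipped Security.Monitoring.SMBv1Connections.DS script (not on this page).
param(
    # In the MP this would be passed as $Target/Id$; the value here is a placeholder.
    [string]$TargetId = '00000000-0000-0000-0000-000000000000'
)

$api = New-Object -ComObject 'MOM.ScriptAPI'

# Get-SmbSession reports Dialect as a version string ("1.5", "2.02", "3.1.1", ...).
# Anything below 2.0 is an SMB1 session; cast to [version] so "3.1.1" sorts above "1.5".
$smb1Sessions = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' }

foreach ($session in $smb1Sessions) {
    $bag = $api.CreatePropertyBag()
    # Property names are assumptions for this example; a Param entry in the rule's
    # GenericDataMapper would reference them as $Data/Property[@Name='ClientComputerName']$ etc.
    $bag.AddValue('TargetId',           $TargetId)
    $bag.AddValue('ClientComputerName', $session.ClientComputerName)
    $bag.AddValue('ClientUserName',     $session.ClientUserName)
    $bag.AddValue('Dialect',            $session.Dialect)
    $bag.AddValue('NumOpens',           $session.NumOpens)
    $api.AddItem($bag)
}

# Hand every bag back to the workflow. When no SMB1 session is present nothing is
# returned, and the rule writes no event 911 for this interval.
$api.ReturnItems()
```

With the rule as published the bag properties are not mapped into the event, so the collected events only prove that SMB1 sessions existed on the server during an interval; to carry the client name and account into the event you would add matching Param entries to the ConditionDetection. To check that collection is working at all, query the operational database from the OperationsManager shell with Get-SCOMEvent and filter on Number 911 and PublisherName 'SMBv1'. Independently of this rule, enabling SMB1 access auditing on the file server (Set-SmbServerConfiguration -AuditSmb1Access $true) logs the same information to the Microsoft-Windows-SMBServer/Audit channel, which a plain Windows event collection rule can pick up with parameters intact.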