An attempt was made to copy a file to a 'Removable Media' device where the file being copied was not Microsoft RMS protected.
This rule generates an alert because the following condition is true: 1. An attempt was made to copy a file(s) to a "Removable Media" device when the file being copies was not protected by Microsoft RMS and the secRMM "AllowRMSFilesOnly" property was defined on the computer.
Before copying the file to removable media, protect the file using Microsoft RMS. You can also remove the secRMM "AllowRMSFilesOnly" property on the computer where this alert occurred.
Copying files that are not protected by Microsoft RMS to a "Removable Media" device is not allowed on the computer because the secRMM "AllowRMSFilesOnly" property is currently set on the computer.
Protect the file using Microsoft RMS and/or clear the secRMM "AllowRMSFilesOnly" property.
Target | Squadra.secRMM.Event | ||
Category | Alert | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | High | ||
Remotable | True | ||
Alert Message |
| ||
Event Log | secRMM |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
WriteToDW | WriteAction | Microsoft.SystemCenter.DataWarehouse.PublishEventData | Default |
<Rule ID="Squadra.secRMM.AllowRMSFilesOnly" Enabled="true" Target="Squadra.secRMM.Event" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Alert</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>secRMM</LogName>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">515</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>2</Priority>
<Severity>2</Severity>
<AlertName/>
<AlertDescription/>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Squadra.secRMM.AllowRMSFilesOnly.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression/>
<Custom1/>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<Custom10/>
</WriteAction>
<WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
<WriteAction ID="WriteToDW" TypeID="DataWarehouse!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
</WriteActions>
</Rule>