secRMM DeviceFileWriteStart

Squadra.secRMM.FileWriteStart (Rule)

A file write operation to a 'Removable Media' device has started.

Knowledge Base article:

Summary

This rule generates an alert when a file write to a Removable Media device starts.

Configuration

You may want to disable this rule if you have specific computers that use Removable Media devices often. Disabling this rule for those computers will minimize the alerts in the Operations Manager console.

Causes

A file write operation to a Removable Media device has started.

Resolutions

secRMM allows you to control who and what program can write to a Removable Media device for a particular computer. Please read the secRMM Administrators Guide (see External link below) section "Enabling Authorization" to apply authorization control on the Removable Media devices.

Additional

External

Squadra Technologies web site

Element properties:

Target: Squadra.secRMMCentral.Event
Category: Alert
Enabled: True
Alert Generate: True
Alert Severity: Warning
Alert Priority: Normal
Remotable: True
Alert Message:
    File Write to Removable Media Device started - secRMM
    Event Description: {0}
Event Log: secRMMCentral

Member Modules:

ID          Module Type    TypeId                                                  RunAs
DS          DataSource     Microsoft.Windows.EventProvider                         Default
Alert       WriteAction    System.Health.GenerateAlert                             Default
WriteToDB   WriteAction    Microsoft.SystemCenter.CollectEvent                     Default
WriteToDW   WriteAction    Microsoft.SystemCenter.DataWarehouse.PublishEventData   Default

Source Code:

<Rule ID="Squadra.secRMM.FileWriteStart" Enabled="true" Target="Squadra.secRMMCentral.Event" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Alert</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>secRMMCentral</LogName>
      <AllowProxying>true</AllowProxying>
      <Expression>
        <SimpleExpression>
          <ValueExpression>
            <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
          </ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression>
            <Value Type="UnsignedInteger">401</Value>
          </ValueExpression>
        </SimpleExpression>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>1</Severity>
      <AlertName/>
      <AlertDescription/>
      <AlertOwner/>
      <AlertMessageId>$MPElement[Name="Squadra.secRMM.FileWriteStart.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression/>
      <Custom1>$Data/LoggingComputer$</Custom1>
      <Custom2/>
      <Custom3/>
      <Custom4/>
      <Custom5/>
      <Custom6/>
      <Custom7/>
      <Custom8/>
      <Custom9/>
      <Custom10/>
    </WriteAction>
    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="WriteToDW" TypeID="DataWarehouse!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
  </WriteActions>
</Rule>
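The following Python model is an added example; it is not part of Squadra's management pack or of Operations Manager. It walks through what the rule source above does: read events from the secRMMCentral log, keep those whose EventDisplayNumber equals 401, fill the alert message's {0} with the event description, and store the logging computer in Custom1. It also models the per-computer disabling suggested in the Configuration section as a set of computers for which no alert is raised. The event records, computer names and descriptions are constructed; the Information/Warning/Critical and Low/Normal/High code mappings are those of the GenerateAlert module and agree with the Warning/Normal shown in the element properties.

```python
# Added example (not part of the secRMM management pack): a stand-alone model of
# how the Squadra.secRMM.FileWriteStart rule evaluates secRMMCentral events and
# what alert it raises. Event records, hostnames and descriptions are constructed.
from dataclasses import dataclass

# Values taken from the rule definition on the page.
RULE_ID = "Squadra.secRMM.FileWriteStart"
LOG_NAME = "secRMMCentral"           # <LogName>secRMMCentral</LogName>
MATCH_EVENT_NUMBER = 401             # <Value Type="UnsignedInteger">401</Value>
ALERT_PRIORITY = 1                   # <Priority>1</Priority>
ALERT_SEVERITY = 1                   # <Severity>1</Severity>
ALERT_MESSAGE = (
    "File Write to Removable Media Device started - secRMM\n"
    "Event Description: {0}"
)

# Numeric codes of the System.Health.GenerateAlert module; they match the
# "Warning" / "Normal" listed in the element properties above.
SEVERITY_NAMES = {0: "Information", 1: "Warning", 2: "Critical"}
PRIORITY_NAMES = {0: "Low", 1: "Normal", 2: "High"}


@dataclass
class EventRecord:
    """Fields of the Microsoft.Windows.EventProvider data item that this rule uses."""
    log_name: str
    event_display_number: int        # $Data/EventDisplayNumber$
    event_description: str           # $Data/EventDescription$
    logging_computer: str            # $Data/LoggingComputer$


@dataclass
class Alert:
    rule_id: str
    name: str
    description: str
    severity: str
    priority: str
    custom1: str                     # the rule stores $Data/LoggingComputer$ in Custom1


def matches_rule(event: EventRecord) -> bool:
    """The data source is bound to the secRMMCentral log, so only events from that
    log reach the SimpleExpression, which requires EventDisplayNumber Equal 401."""
    return event.log_name == LOG_NAME and event.event_display_number == MATCH_EVENT_NUMBER


def build_alert(event: EventRecord) -> Alert:
    """The GenerateAlert write action: AlertParameter1 ($Data/EventDescription$)
    fills {0} in the alert message; the first line becomes the alert name."""
    text = ALERT_MESSAGE.format(event.event_description)
    name, _, description = text.partition("\n")
    return Alert(
        rule_id=RULE_ID,
        name=name,
        description=description,
        severity=SEVERITY_NAMES[ALERT_SEVERITY],
        priority=PRIORITY_NAMES[ALERT_PRIORITY],
        custom1=event.logging_computer,
    )


def evaluate(events, disabled_for=frozenset()):
    """Run the rule over a batch of events.

    `disabled_for` models the per-computer disabling the Configuration section
    suggests: events logged by those computers raise no alert, as they would not
    when the rule is disabled for that target.
    """
    alerts = []
    for event in events:
        if event.logging_computer in disabled_for:
            continue
        if matches_rule(event):
            alerts.append(build_alert(event))
    return alerts


# Constructed sample events: two write-start events, one other secRMM event
# number, and an event number 401 from an unrelated log.
SAMPLE_EVENTS = [
    EventRecord(LOG_NAME, 401, "Write started: E:\\export.xlsx", "WKS-FINANCE-01"),
    EventRecord(LOG_NAME, 401, "Write started: F:\\backup.zip", "LAB-IMAGING-07"),
    EventRecord(LOG_NAME, 402, "Write completed: E:\\export.xlsx", "WKS-FINANCE-01"),
    EventRecord("Application", 401, "Unrelated event 401", "WKS-FINANCE-01"),
]


def demo():
    """Alerts for the sample batch with the rule disabled for the imaging lab machine."""
    return evaluate(SAMPLE_EVENTS, disabled_for={"LAB-IMAGING-07"})


if __name__ == "__main__":
    for alert in demo():
        print(f"[{alert.severity}/{alert.priority}] {alert.name} "
              f"on {alert.custom1}: {alert.description}")
```

Running the module prints one Warning/Normal alert for WKS-FINANCE-01: the second 401 event is suppressed by the disabled-computer set, the 402 event does not satisfy the expression, and the Application-log event never reaches the expression because the data source only reads secRMMCentral.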