A user attempted to write one or more files to a 'Removable Media' device but was not authorized because the program used to perform the write operation was not authorized. The write attempt failed.
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedPrograms" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device when the program being used to perform the file write operation was not in the secRMM "AllowedPrograms" property.
Modify or remove the secRMM "AllowedPrograms" property on the computer where this alert occurred.
The program being used to perform the file write operation was not in the secRMM "AllowedPrograms" property.
If you want the program listed in the alert to be able to write to the Removable Media device on the computer, change the secRMM "AllowedPrograms" property to include the program.
Property | Value |
---|---|
Target | Squadra.secRMM.Event |
Category | Alert |
Enabled | True |
Alert Generate | True |
Alert Severity | Error |
Alert Priority | High |
Remotable | True |
Alert Message | |
Event Log | secRMM |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Squadra.secRMM.ProgramAuthorizationFailure" Enabled="true" Target="Squadra.secRMM.Event" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Alert</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>secRMM</LogName>
      <Expression>
        <SimpleExpression>
          <ValueExpression>
            <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
          </ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression>
            <Value Type="UnsignedInteger">501</Value>
          </ValueExpression>
        </SimpleExpression>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>2</Priority>
      <Severity>2</Severity>
      <AlertName/>
      <AlertDescription/>
      <AlertOwner/>
      <AlertMessageId>$MPElement[Name="Squadra.secRMM.ProgramAuthorizationFailure.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression/>
      <Custom1/>
      <Custom2/>
      <Custom3/>
      <Custom4/>
      <Custom5/>
      <Custom6/>
      <Custom7/>
      <Custom8/>
      <Custom9/>
      <Custom10/>
    </WriteAction>
  </WriteActions>
</Rule>