secRMM ProgramAuthorizationFailure

Squadra.secRMM.ProgramAuthorizationFailure (Rule)

A user attempted to write one or more files to a 'Removable Media' device but was not authorized, because the program used to perform the write operation was not authorized. The write attempt failed.

Knowledge Base article:

Summary

This rule generates an alert because the following two conditions are true:

1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedPrograms" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device when the program being used to perform the file write operation was not in the secRMM "AllowedPrograms" property.

Configuration

Modify or remove the secRMM "AllowedPrograms" property on the computer where this alert occurred.

Causes

The program being used to perform the file write operation was not in the secRMM "AllowedPrograms" property.

Resolutions

If you want to allow the program listed in the alert to be able to write to the Removable Media device on the computer, change the secRMM "AllowedPrograms" property to include the program.

Additional

External

Squadra Technologies web site

Element properties:

Target: Squadra.secRMMCentral.Event
Category: Alert
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: High
Remotable: True
Alert Message:
Removable Media Unauthorized Program Failure - secRMM
Event Description: {0}
Event Log: secRMMCentral

Member Modules:

ID | Module Type | TypeId | RunAs
DS | DataSource | Microsoft.Windows.EventProvider | Default
Alert | WriteAction | System.Health.GenerateAlert | Default
WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default
WriteToDW | WriteAction | Microsoft.SystemCenter.DataWarehouse.PublishEventData | Default

Source Code:

<Rule ID="Squadra.secRMM.ProgramAuthorizationFailure" Enabled="true" Target="Squadra.secRMMCentral.Event" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Alert</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>secRMMCentral</LogName>
      <AllowProxying>true</AllowProxying>
      <Expression>
        <SimpleExpression>
          <ValueExpression>
            <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
          </ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression>
            <Value Type="UnsignedInteger">501</Value>
          </ValueExpression>
        </SimpleExpression>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>2</Priority>
      <Severity>2</Severity>
      <AlertName/>
      <AlertDescription/>
      <AlertOwner/>
      <AlertMessageId>$MPElement[Name="Squadra.secRMM.ProgramAuthorizationFailure.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression/>
      <Custom1>$Data/LoggingComputer$</Custom1>
      <Custom2/>
      <Custom3/>
      <Custom4/>
      <Custom5/>
      <Custom6/>
      <Custom7/>
      <Custom8/>
      <Custom9/>
      <Custom10/>
    </WriteAction>
    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="WriteToDW" TypeID="DataWarehouse!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
  </WriteActions>
</Rule>
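As an added illustration (not code from Squadra Technologies or from the management pack itself), the following Python reads the rule's DataSource filter out of the XML above, applies it to three constructed events, and renders the alert message for the one that matches. The event dictionaries, their field names and descriptions are assumed shapes for the example, not real secRMMCentral output.

```python
import xml.etree.ElementTree as ET

# Excerpt of the rule's DataSource section, copied from the management pack source above.
RULE_XML = """<Rule ID="Squadra.secRMM.ProgramAuthorizationFailure">
  <DataSources><DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
    <LogName>secRMMCentral</LogName>
    <Expression><SimpleExpression>
      <ValueExpression><XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery></ValueExpression>
      <Operator>Equal</Operator>
      <ValueExpression><Value Type="UnsignedInteger">501</Value></ValueExpression>
    </SimpleExpression></Expression>
  </DataSource></DataSources>
</Rule>"""

# The rule's alert message; {0} is filled from AlertParameter1 ($Data/EventDescription$).
ALERT_MESSAGE = "Removable Media Unauthorized Program Failure - secRMM\nEvent Description: {0}"

# Constructed sample events (not real secRMM output), carrying only the fields the rule reads.
SAMPLE_EVENTS = [
    {"LogName": "secRMMCentral", "EventDisplayNumber": 501, "LoggingComputer": "WS01",
     "EventDescription": "Write to removable media blocked: program not in AllowedPrograms"},
    {"LogName": "secRMMCentral", "EventDisplayNumber": 502, "LoggingComputer": "WS01",
     "EventDescription": "Other secRMM event, wrong event number"},
    {"LogName": "Application", "EventDisplayNumber": 501, "LoggingComputer": "WS02",
     "EventDescription": "Same event number, wrong log"},
]

OPERATORS = {"Equal": lambda a, b: a == b, "NotEqual": lambda a, b: a != b}

def load_filter(rule_xml):
    """Return (log_name, field, operator, value) from the DataSource's SimpleExpression."""
    ds = ET.fromstring(rule_xml).find("DataSources/DataSource")
    expr = ds.find("Expression/SimpleExpression")
    field = expr.find("ValueExpression/XPathQuery").text   # first ValueExpression
    value_el = expr.find("ValueExpression/Value")           # second ValueExpression
    value = int(value_el.text) if value_el.get("Type") in ("Integer", "UnsignedInteger") else value_el.text
    return ds.find("LogName").text, field, expr.find("Operator").text, value

def matches(rule, event):
    """True when the event comes from the rule's log and satisfies the SimpleExpression."""
    log_name, field, operator, value = rule
    return event.get("LogName") == log_name and OPERATORS[operator](event.get(field), value)

def evaluate(rule_xml, events):
    """Return the alerts the rule would raise: message text plus Custom1 ($Data/LoggingComputer$)."""
    rule = load_filter(rule_xml)
    return [{"message": ALERT_MESSAGE.format(ev["EventDescription"]), "custom1": ev["LoggingComputer"]}
            for ev in events if matches(rule, ev)]
```

Only the first constructed event produces an alert; the second fails the EventDisplayNumber test and the third comes from the wrong log, which is the same gate the Windows event provider applies before the expression is evaluated.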