SCProtectionAlert: failed to restore due to invalid argument #3224

Closed
leitzler opened this issue Apr 26, 2023 · 2 comments · Fixed by #3391 or #3410

@leitzler

Details of the scenario you tried and the problem that is occurring

I exported a clean developer tenant with default sample data (https://developer.microsoft.com/en-us/microsoft-365/dev-program).

Then I disabled the "Reply-all storm detection" in the Exchange admin center, and tried to run a restore of the full snapshot. It fails when restoring SCProtectionAlert:

VERBOSE: [701AE4068A8E]: LCM:  [ Start  Resource ]  [[SCProtectionAlert]SCProtectionAlert-Reply-all storm detected]
VERBOSE: [701AE4068A8E]: LCM:  [ Start  Test     ]  [[SCProtectionAlert]SCProtectionAlert-Reply-all storm detected]
VERBOSE: [701AE4068A8E]: LCM:  [ End    Test     ]  [[SCProtectionAlert]SCProtectionAlert-Reply-all storm detected]  in 0.0010 seconds.
PowerShell DSC resource MSFT_SCProtectionAlert  failed to execute Test-TargetResource functionality with error message: Cannot validate argument on parameter 'Threshold'. The 1 argument is less than the minimum
allowed range of 3. Supply an argument that is greater than or equal to 3 and then try the command again.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

The value it tries to restore:

        SCProtectionAlert "SCProtectionAlert-Reply-all storm detected"
        {
            AggregationType         = "CustomAggregation";
            ApplicationId           = $ConfigurationData.NonNodeData.ApplicationId;
            Category                = "MailFlow";
            CertificateThumbprint   = $ConfigurationData.NonNodeData.CertificateThumbprint;
            Comment                 = "This alert is triggered when a reply-all storm is detected and at least one reply-all to the mail thread has been blocked. See the Reply-all Storm Protection mail flow report for more information. -V1.0.0.0";
            Disabled                = $False;
            Ensure                  = "Present";
            Filter                  = "Message.Verdict -eq 'Block'";
            Name                    = "Reply-all storm detected";
            NotificationEnabled     = $True;
            NotifyUser              = @("TenantAdmins");
            NotifyUserOnFilterMatch = $False;
            Severity                = "High";
            TenantId                = $ConfigurationData.NonNodeData.TenantId;
            ThreatType              = "MailFlow";
            Threshold               = 1;
        }

Verbose logs showing the problem

See above.

Suggested solution to the issue

N/A

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Using Windows Server Core container, mcr.microsoft.com/windows/servercore:1809-amd64.

Install-PackageProvider -Name NuGet -Force
Install-Module Microsoft365DSC -Force
Update-M365DSCDependencies

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.17763.3770
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.3770
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.412.1 Microsoft365DSC                     PSGallery            This DSC module is used to configure and monitor Microsoft tenants, including SharePoint Online, Exchange, Teams, etc.
@NikCharlebois
Collaborator

Interesting that the exported threshold is 1. Based on the official documentation, this needs to be a number greater than or equal to 3:
https://learn.microsoft.com/en-us/powershell/module/exchange/new-protectionalert?view=exchange-ps#-threshold

@NikCharlebois
Collaborator

I believe that we should prevent the export from capturing system rules.

Based on the documentation these cannot be modified anyway.
https://learn.microsoft.com/en-us/powershell/module/exchange/set-protectionalert?view=exchange-ps
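
A pre-restore check for the failure reported in this issue, as an added example that is not part of the thread or of Microsoft365DSC: it scans exported configuration text for SCProtectionAlert blocks whose Threshold is below the minimum of 3 named in the error message, so they can be reviewed or removed before the restore runs. The function name Find-LowThresholdAlert and the second sample block are constructed for illustration; the regex assumes the export layout shown in the issue, with each closing brace on its own line.

```powershell
# Constructed sample input: the first block is trimmed from the issue,
# the second is an invented custom alert used as a passing case.
$exported = @'
        SCProtectionAlert "SCProtectionAlert-Reply-all storm detected"
        {
            Ensure                  = "Present";
            Name                    = "Reply-all storm detected";
            Threshold               = 1;
        }
        SCProtectionAlert "SCProtectionAlert-Constructed custom alert"
        {
            Ensure                  = "Present";
            Name                    = "Constructed custom alert";
            Threshold               = 5;
        }
'@

# Hypothetical helper (not a Microsoft365DSC cmdlet).
function Find-LowThresholdAlert {
    param(
        [Parameter(Mandatory)] [string] $ConfigText,
        # Minimum taken from the error message in the issue.
        [int] $Minimum = 3
    )
    # One match per SCProtectionAlert resource block: the instance name,
    # then the body up to the first closing brace at the start of a line.
    $blockPattern = '(?ms)^\s*SCProtectionAlert\s+"(?<instance>[^"]+)"\s*\{(?<body>.*?)^\s*\}'
    foreach ($m in [regex]::Matches($ConfigText, $blockPattern)) {
        $body = $m.Groups['body'].Value
        # Only literal integer thresholds are checked; blocks without one are skipped.
        if ($body -match '(?m)^\s*Threshold\s*=\s*(?<value>\d+)\s*;') {
            $value = [int]$Matches['value']
            if ($value -lt $Minimum) {
                [pscustomobject]@{
                    Instance  = $m.Groups['instance'].Value
                    Threshold = $value
                    Minimum   = $Minimum
                }
            }
        }
    }
}

# Emits one object per block that would fail the Threshold validation.
Find-LowThresholdAlert -ConfigText $exported | Format-Table -AutoSize
```

For a real export, pass the file contents with `Get-Content -Raw` instead of the inline sample.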
