

Monitoring Forefront Endpoint Protection 2010 – Customized reports

In the previous posts, we’ve described the FEP monitoring experience using the FEP dashboard, reports and alerts. However, daily security routines often include more “advanced” security-investigation scenarios.

When looking at malware activity, an administrator may want to consume the raw data from FEP and look at it from different angles. For example, administrators might like to get answers to the following questions:


  • Show me “active” malware types in the organization.
    • In this case, “active” means malware that was detected in the last day, week or month.
  • Show me “new” malware types in the organization.
    • In this case, “new” refers to a malware type that was detected in the organization for the first time in the last day, week or month.
  • Filter malware by severity, category or even the action taken.
  • Group detections per computer, user or even process.

In order to support such scenarios, we’ve added a new database view which holds all malware activity detected by FEP. This view can be queried by external tools such as SIEM (Security Information and Event Management) products for longer-term retention, correlation or reporting.
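The “active” and “new” questions above map to two different queries against the detection view: “active” is a count of detections inside a time window, while “new” asks whether a malware type’s first detection anywhere in the organization falls inside that window. The script below is an added example, not code from the original post or from the FEP product: it builds an in-memory SQLite stand-in for vwFEP_AM_NormalizedDetectionHistory with constructed sample rows and runs both queries plus a severity/action filter grouped per computer. The column names (DetectionTime, ComputerName, UserName, ProcessName, ThreatName, Severity, Category, ActionTaken) are assumptions made for the example; check the real view’s definition before adapting the SQL.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed stand-in for the FEP view vwFEP_AM_NormalizedDetectionHistory.
# The column names are assumptions for this example, not the view's real schema.
VIEW = "vwFEP_AM_NormalizedDetectionHistory"

SCHEMA = f"""
CREATE TABLE {VIEW} (
    DetectionTime TEXT NOT NULL,   -- 'YYYY-MM-DD HH:MM:SS' (UTC); sorts correctly as text
    ComputerName  TEXT NOT NULL,
    UserName      TEXT,
    ProcessName   TEXT,
    ThreatName    TEXT NOT NULL,
    Severity      TEXT NOT NULL,
    Category      TEXT NOT NULL,
    ActionTaken   TEXT NOT NULL
);
"""

# Fixed reference point for "last day / week / month" so the example is reproducible.
NOW = datetime(2011, 1, 20, 12, 0, 0)


def _ts(days_ago: float) -> str:
    """Timestamp `days_ago` days before NOW, in the view's text format."""
    return (NOW - timedelta(days=days_ago)).strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample detections (not real FEP data).
SAMPLE_ROWS = [
    (_ts(0.2), "WS01", "alice", "outlook.exe",  "Trojan:Win32/Alpha", "Severe", "Trojan", "Quarantine"),
    (_ts(0.6), "WS02", "bob",   "iexplore.exe", "Trojan:Win32/Alpha", "Severe", "Trojan", "Remove"),
    (_ts(5),   "WS03", "carol", "explorer.exe", "Adware:Win32/Beta",  "Low",    "Adware", "Allow"),
    (_ts(18),  "WS01", "alice", "explorer.exe", "Adware:Win32/Beta",  "Low",    "Adware", "Quarantine"),
    (_ts(31),  "WS04", "dave",  "cmd.exe",      "Worm:Win32/Gamma",   "High",   "Worm",   "Remove"),
    (_ts(2),   "WS04", "dave",  "cmd.exe",      "Worm:Win32/Gamma",   "High",   "Worm",   "Quarantine"),
]


def build_db() -> sqlite3.Connection:
    """Create the in-memory stand-in table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(f"INSERT INTO {VIEW} VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def _since(days: int, now: datetime) -> str:
    return (now - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")


def active_malware(conn, days: int, now: datetime = NOW):
    """Malware types with at least one detection in the last `days` days, with counts."""
    return conn.execute(f"""
        SELECT ThreatName, COUNT(*) AS Detections
        FROM {VIEW}
        WHERE DetectionTime >= ?
        GROUP BY ThreatName
        ORDER BY Detections DESC, ThreatName
    """, (_since(days, now),)).fetchall()


def new_malware(conn, days: int, now: datetime = NOW):
    """Malware types whose FIRST detection in the organization falls in the window."""
    return conn.execute(f"""
        SELECT ThreatName, MIN(DetectionTime) AS FirstSeen
        FROM {VIEW}
        GROUP BY ThreatName
        HAVING MIN(DetectionTime) >= ?
        ORDER BY FirstSeen
    """, (_since(days, now),)).fetchall()


# SQL identifiers cannot be bound as parameters, so the grouping column is checked
# against an allow-list instead of being pasted into the query from caller input.
GROUP_COLUMNS = {"ComputerName", "UserName", "ProcessName"}


def detections_by(conn, group_column: str, severity=None, action=None):
    """Detection counts per computer/user/process, optionally filtered by severity and action."""
    if group_column not in GROUP_COLUMNS:
        raise ValueError(f"unsupported grouping column: {group_column!r}")
    clauses, params = [], []
    if severity is not None:
        clauses.append("Severity = ?")
        params.append(severity)
    if action is not None:
        clauses.append("ActionTaken = ?")
        params.append(action)
    where = ("WHERE " + " AND ".join(clauses)) if clauses else ""
    return conn.execute(f"""
        SELECT {group_column}, COUNT(*) AS Detections
        FROM {VIEW} {where}
        GROUP BY {group_column}
        ORDER BY Detections DESC, {group_column}
    """, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("active (7d):", active_malware(db, 7))
    print("new (7d):   ", new_malware(db, 7))
    print("severe, per computer:", detections_by(db, "ComputerName", severity="Severe"))
```

Against the real view the same SQL runs unchanged on SQL Server once the column names are corrected; the allow-list in `detections_by` matters there too, because a reporting tool that lets an operator pick the grouping column must not splice that choice straight into the query text.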

For those administrators who need immediate access to FEP data, we’ve combined the FEP database view with the Microsoft Excel pivot table feature. With FEP, we are providing an Excel file (FEP-S Reports Sample.xlsx) which can be used to support the scenarios just mentioned. You can download it with the FEP Security Management Pack download (https://www.microsoft.com/downloads/en/details.aspx?FamilyID=ab50ace0-1f68-453a-85bb-61de286ec4c8).

Note: The Excel file was tested using Office 2010. In order to use it you need to have read access to the FEP historical database (or at least to the vwFEP_AM_NormalizedDetectionHistory database view).

In the FEP-S Reports Sample.xlsx workbook, the FEP Detection Log worksheet provides a table of all FEP detections. You may filter, search or sort by any of the provided columns.

Tip: Throughout the spreadsheet, we use a red icon in order to highlight events that have happened in the last 24 hours, and a yellow icon for those events that have happened in the last 7 days.


The FEP Malware Log worksheet provides a pivot view of malware activity per malware type.

Ziv Rafalovich,
Senior Program Manager

Comments

  • Anonymous
    January 01, 2003
    Hi Phil and Troy, Phil - no, there are no custom reports for the Configuration Manager console. Troy - are you running this against your Forefront Endpoint Protection Security Management Pack server? We'll shortly have a spreadsheet out for FEP on Configuration Manager, but this particular file is for the FEP Security Management Pack... Thanks!!

  • Anonymous
    January 17, 2011
    So there is no way to have custom report directly in the Sccm Console?

  • Anonymous
    January 25, 2011
    Does this only work with the RC or will it work with the RTM? I don't see those tables in my database.