In previous posts, I’ve described the monitoring experience in Forefront Endpoint Protection 2010 (FEP) Release Candidate. Those descriptions include the FEP dashboard as well as the built-in reports. In real life, however, no one expects an administrator to stare at the dashboard and wait for something to happen. Instead, administrators expect to be notified when security incidents are detected.
FEP security alerts are used to detect incidents about which administrators want to get notified. When designing FEP alerts, we’ve used the following guidelines:
Malware was detected on a computer. This alert is triggered based on mitigation.
  Action: Navigate to the FEP computer details report to identify the malware(s) detected on the computer.

Malware is spreading across the organization. This alert is triggered based on the number of detections.
  Threshold: Number of computers detected with the same malware in 24 hours.
  Action: Navigate to the FEP malware details report to learn more about the malware and see the list of infected computers.

Repeated Malware Detection
  A computer is being repeatedly infected by the same malware. This alert is triggered based on the number of repeated detections.
  Action: Navigate to the FEP computer details report to learn more about the computer as well as the malware.

Multiple Malware Detection
  A computer is being infected with multiple malware types. This alert is triggered based on the number of malware detections on a single computer.
  Action: Navigate to the FEP computer details report to learn more about the computer as well as the malware types.
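The four alert conditions above are all threshold rules over the same stream of detection events. The following script is an added illustration, not FEP's own alerting code: it evaluates those conditions over a small set of constructed detection events. The event format, the threshold values, the alert names and the use of one 24-hour sliding window for every alert are assumptions made for the example; the post gives only the 24-hour window for the spreading alert and no default thresholds.

```python
"""Threshold-based evaluation of the four FEP-style alert conditions.

Added illustration, not FEP's own alerting code. The event format, the
thresholds and the 24-hour window for every alert are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)

# Constructed sample detection events: (time, computer, malware, action taken).
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 9, 0), "PC-01", "Worm.A", "quarantined"),
    (datetime(2024, 1, 1, 9, 30), "PC-02", "Worm.A", "quarantined"),
    (datetime(2024, 1, 1, 10, 0), "PC-03", "Worm.A", "quarantined"),
    (datetime(2024, 1, 1, 10, 15), "PC-04", "Trojan.B", "removed"),
    (datetime(2024, 1, 1, 11, 0), "PC-04", "Trojan.B", "removed"),
    (datetime(2024, 1, 1, 12, 0), "PC-04", "Trojan.B", "removed"),
    (datetime(2024, 1, 1, 12, 30), "PC-05", "Trojan.B", "removed"),
    (datetime(2024, 1, 1, 13, 0), "PC-05", "Adware.C", "removed"),
    # More than 24 hours after the earlier Worm.A hits: must not be combined
    # with them by the spreading rule.
    (datetime(2024, 1, 2, 21, 0), "PC-06", "Worm.A", "quarantined"),
]


def _in_window(events, end, window):
    """Events whose time falls in the half-open interval (end - window, end]."""
    return [e for e in events if end - window < e[0] <= end]


def _peak(events, window, key=None):
    """Largest count seen in any sliding window that ends on one of the events.

    With key=None every event counts; otherwise distinct key(event) values
    are counted (e.g. distinct computers, distinct malware names).
    """
    events = sorted(events, key=lambda e: e[0])
    best = 0
    for e in events:
        hits = _in_window(events, e[0], window)
        n = len(hits) if key is None else len({key(x) for x in hits})
        best = max(best, n)
    return best


def evaluate_alerts(events, spread_threshold=3, repeat_threshold=3,
                    multi_threshold=2, actions=None, window=WINDOW):
    """Evaluate the alert conditions over detection events.

    actions: optional set of remediation actions that raise the per-detection
    alert (None means every detection raises it). Returns a dict keyed by
    alert name; the threshold rules report the peak count that fired them.
    """
    by_malware = defaultdict(list)
    by_computer = defaultdict(list)
    by_pair = defaultdict(list)
    detected = []
    for e in events:
        _t, computer, malware, action = e
        # 1. Malware detected on a computer, filtered on the action taken.
        if actions is None or action in actions:
            detected.append((computer, malware, action))
        by_malware[malware].append(e)
        by_computer[computer].append(e)
        by_pair[(computer, malware)].append(e)

    # 2. Same malware seen on many distinct computers inside the window.
    spreading = {m: n for m, evs in by_malware.items()
                 if (n := _peak(evs, window, key=lambda x: x[1])) >= spread_threshold}
    # 3. Same computer hit repeatedly by the same malware inside the window.
    repeated = {pair: n for pair, evs in by_pair.items()
                if (n := _peak(evs, window)) >= repeat_threshold}
    # 4. Several distinct malware types on one computer inside the window.
    multiple = {c: n for c, evs in by_computer.items()
                if (n := _peak(evs, window, key=lambda x: x[2])) >= multi_threshold}

    return {"malware_detected": detected, "malware_spreading": spreading,
            "repeated_detection": repeated, "multiple_detection": multiple}


if __name__ == "__main__":
    for name, result in evaluate_alerts(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

On the sample data the spreading rule fires for Worm.A (three computers within the window; the later PC-06 hit is outside it), the repeated rule fires for Trojan.B on PC-04, and the multiple-malware rule fires for PC-05. Counting distinct computers rather than raw detections for the spreading rule is what keeps one noisy machine from looking like an outbreak.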
Tip: In addition to email notifications, FEP alerts are kept as event log entries on the FEP server as well as in the FEP DB. These event log entries are useful when alert forwarding is required (e.g. to Operations Manager or via SNMP).
Ziv Rafalovich, Senior Program Manager