In the previous posts, we described the FEP monitoring experience using the FEP dashboard, reports and alerts. However, daily security routines often include more "advanced" security investigation scenarios.
When looking at malware activity, an administrator may want to consume the raw data from FEP and look at it from different angles. For example, administrators might like to get answers to the following questions:
In order to support such scenarios, we’ve added a new database view which holds all malware activity detected by FEP. This view can be queried by external tools such as SIEM (Security Information and Event Management) products for longer-term retention, correlation or reporting.
For those administrators who need immediate access to FEP data, we have brought the FEP database view together with the Microsoft Excel pivot table feature. With FEP, we are providing an Excel file (FEP-S Reports Sample.xlsx) which can be used to support the scenarios just mentioned. You can download it with the FEP Security Management Pack download (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ab50ace0-1f68-453a-85bb-61de286ec4c8).
Note: The Excel file was tested using Office 2010. In order to use it you need to have read access to the FEP historical database (or at least to the vwFEP_AM_NormalizedDetectionHistory database view).
In the FEP-S Reports Sample.xlsx workbook, the FEP Detection Log worksheet provides a table of all FEP detections. You may filter, search or sort by any of the provided columns.
Tip: Throughout the spreadsheet, we use a red icon to highlight events that have happened in the last 24 hours, and a yellow icon for events that have happened in the last 7 days.
The FEP Malware Log worksheet provides a pivot view of malware activity per malware type.
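The two consumption paths above (an external collector polling the detection view, and the workbook's 24-hour/7-day highlighting with a per-malware-type pivot) can be combined in one small collector. The following is an added example written for this post, not code shipped with FEP or the Security Management Pack. The column names (ComputerName, ThreatName, ThreatCategory, DetectionTime, Action) are assumptions, since the real schema of vwFEP_AM_NormalizedDetectionHistory is not shown here; an in-memory SQLite table stands in for the SQL Server view, and the sample rows and "current time" are constructed so the example runs offline.

```python
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed "current time" so the 24h/7d buckets are reproducible offline.
NOW = datetime(2011, 1, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample detections. Column names are an ASSUMPTION standing in for
# whatever the real vwFEP_AM_NormalizedDetectionHistory view exposes.
SAMPLE_ROWS = [
    ("WS01", "Trojan:Win32/Sample.A", "Trojan", "2011-01-10T08:00:00+00:00", "Quarantine"),
    ("WS02", "Worm:Win32/Sample.B",   "Worm",   "2011-01-08T09:30:00+00:00", "Remove"),
    ("WS03", "Trojan:Win32/Sample.C", "Trojan", "2011-01-01T00:00:00+00:00", "Quarantine"),
    ("WS01", "Adware:Win32/Sample.D", "Adware", "2011-01-10T11:00:00+00:00", "Allow"),
]

VIEW = "vwFEP_AM_NormalizedDetectionHistory"


def build_sample_db():
    """In-memory SQLite table that plays the role of the SQL Server view."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {VIEW} (ComputerName TEXT, ThreatName TEXT, "
                 "ThreatCategory TEXT, DetectionTime TEXT, Action TEXT)")
    conn.executemany(f"INSERT INTO {VIEW} VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def poll_new_detections(conn, watermark):
    """Incremental pull: rows newer than `watermark` (ISO-8601 UTC string), oldest first.

    Returns (rows, new_watermark). ISO strings with a fixed offset sort
    chronologically, so the string comparison in the WHERE clause is safe;
    a real collector would persist the returned watermark between runs so
    each detection is forwarded to the SIEM exactly once.
    """
    cur = conn.execute(
        f"SELECT ComputerName, ThreatName, ThreatCategory, DetectionTime, Action "
        f"FROM {VIEW} WHERE DetectionTime > ? ORDER BY DetectionTime",
        (watermark,))
    rows = cur.fetchall()
    new_watermark = rows[-1][3] if rows else watermark
    return rows, new_watermark


def age_flag(detection_time_iso, now=NOW):
    """Same convention as the workbook: 'red' within 24h, 'yellow' within 7 days, else None."""
    age = now - datetime.fromisoformat(detection_time_iso)
    if age < timedelta(hours=24):
        return "red"
    if age < timedelta(days=7):
        return "yellow"
    return None


def to_siem_event(row):
    """Flatten one row into a key=value line a SIEM collector can ingest."""
    computer, threat, category, when, action = row
    return (f"source=FEP ts={when} host={computer} threat=\"{threat}\" "
            f"category={category} action={action}")


def pivot_by_category(rows, now=NOW):
    """Per-malware-type counts split by age bucket, like the FEP Malware Log worksheet."""
    pivot = defaultdict(lambda: {"total": 0, "red": 0, "yellow": 0})
    for row in rows:
        cell = pivot[row[2]]
        cell["total"] += 1
        flag = age_flag(row[3], now)
        if flag:
            cell[flag] += 1
    return dict(pivot)


if __name__ == "__main__":
    conn = build_sample_db()
    rows, wm = poll_new_detections(conn, "1970-01-01T00:00:00+00:00")
    for r in rows:
        print(to_siem_event(r))
    print(pivot_by_category(rows))
    print("next watermark:", wm)
```

The watermark is the part worth copying: polling the view with `DetectionTime > last_seen` rather than re-reading everything keeps a SIEM from ingesting duplicate detections, and the pivot reproduces the workbook's red/yellow counts per malware type from the same rows.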
Ziv Rafalovich, Senior Program Manager
So there is no way to have a custom report directly in the SCCM Console?
Does this only work with the RC or will it work with the RTM? I don't see those tables in my database.
Hi Phil and Troy,
Phil - no, there are no custom reports for the Configuration Manager console.
Troy - are you running this against your Forefront Endpoint Protection Security Management Pack server? We'll shortly have a spreadsheet out for FEP on Configuration Manager, but this particular file is for the FEP Security Management Pack...