Monitoring Forefront Endpoint Protection 2010 – Security alerts

In previous posts, I’ve described the monitoring experience in Forefront Endpoint Protection 2010 (FEP) Release Candidate. Those descriptions include the FEP dashboard as well as the built-in reports. In real life, however, no one expects an administrator to stare at the dashboard and wait for something to happen. Instead, administrators expect to be notified when security incidents are detected.

FEP security alerts are used to detect incidents about which administrators want to get notified. When designing FEP alerts, we’ve used the following guidelines:

  1. Important – Administrators should be actively notified on FEP alerts (by email notification).
  2. Actionable – There should be a recommended action associated with each alert.
  3. Timely – Administrators should be notified on security incidents in a timely manner.
  4. Manageable – Enable administrators to control the number of alerts issued per day.
  5. Correct – Avoid false positives by providing threshold-based alerts.

The following alert types are provided with FEP 2010:

| Alert name | Scenario | Configuration | Recommended action |
|---|---|---|---|
| Malware Detection | Malware was detected on a computer. This alert is triggered based on the result of FEP mitigation. | Collection to monitor; detection level (sensitivity), based on the result of FEP mitigation. | Navigate to the FEP computer details report to identify the malware detected on the computer. |
| Malware Outbreak | Malware is spreading across the organization. This alert is triggered based on the number of detections. | Number of computers on which the same malware is detected within 24 hours. | Navigate to the FEP malware details report to learn more about the malware and see the list of infected computers. |
| Repeated Malware Detection | A computer is repeatedly infected by the same malware. This alert is triggered based on the number of repeated detections. | Collection to monitor; number of repeated detections; time interval for detection. | Navigate to the FEP computer details report to learn more about the computer and the malware. |
| Multiple Malware Detection | A computer is infected with multiple malware types. This alert is triggered based on the number of malware detections on a single computer. | Collection to monitor; number of different malware types; time interval for detection. | Navigate to the FEP computer details report to learn more about the computer and the malware types. |

Tip: In addition to email notifications, FEP alerts are kept as event log entries in the FEP server as well as in the FEP DB. These event logs are useful when alert forwarding is required (e.g. Operations Manager, SNMP).
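To make the threshold logic behind the four alert types concrete, here is an added example (my own illustration, not FEP code) that evaluates them over a handful of constructed detection records. The record layout, the evaluation time, the monitored collection and all threshold values are assumptions chosen for the example; only the alert semantics (collection scope, detection count, distinct-computer count, distinct-malware count, time window, sensitivity by mitigation result) come from the table above.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed detection records (not real FEP data): time, computer, malware, cleaned?
RAW = [
    ("2010-10-30 09:00", "PC-06", "Win32/Sample.A", True),   # outside the 24h window
    ("2010-11-01 08:00", "PC-01", "Win32/Sample.A", True),
    ("2010-11-01 08:05", "PC-02", "Win32/Sample.A", True),
    ("2010-11-01 09:10", "PC-03", "Win32/Sample.A", False),  # remediation failed
    ("2010-11-01 09:30", "PC-04", "Win32/Sample.A", True),
    ("2010-11-01 10:00", "PC-01", "Win32/Sample.A", True),
    ("2010-11-01 12:00", "PC-01", "Win32/Sample.A", True),
    ("2010-11-01 13:00", "PC-05", "Win32/Other.B", True),
    ("2010-11-01 13:20", "PC-05", "Win32/Third.C", True),
    ("2010-11-01 13:40", "PC-05", "Win32/Fourth.D", True),
]
DETECTIONS = [(datetime.strptime(t, "%Y-%m-%d %H:%M"), c, m, ok) for t, c, m, ok in RAW]
NOW = datetime(2010, 11, 1, 14, 0)                 # assumed evaluation time
COLLECTION = {"PC-01", "PC-02", "PC-03", "PC-05"}  # assumed monitored collection (PC-04 is not in it)
DAY = timedelta(hours=24)

def in_window(records, now, window):
    """Keep only detections that fall inside (now - window, now]."""
    return [r for r in records if now - window < r[0] <= now]
def malware_detection(records, collection, alert_on_cleaned=False):
    """Malware Detection: one alert per monitored computer; at low sensitivity only
    detections that FEP failed to remediate raise an alert."""
    return sorted({c for _, c, _, ok in records
                   if c in collection and (alert_on_cleaned or not ok)})
def malware_outbreak(records, now, threshold, window=DAY):
    """Malware Outbreak: same malware on >= threshold distinct computers, org-wide."""
    hosts = defaultdict(set)
    for _, c, m, _ in in_window(records, now, window):
        hosts[m].add(c)
    return sorted(m for m, h in hosts.items() if len(h) >= threshold)
def repeated_detection(records, collection, now, threshold, window=DAY):
    """Repeated Malware Detection: same malware >= threshold times on one computer."""
    counts = defaultdict(int)
    for _, c, m, _ in in_window(records, now, window):
        if c in collection:
            counts[(c, m)] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)
def multiple_malware(records, collection, now, threshold, window=DAY):
    """Multiple Malware Detection: >= threshold distinct malware types on one computer."""
    kinds = defaultdict(set)
    for _, c, m, _ in in_window(records, now, window):
        if c in collection:
            kinds[c].add(m)
    return sorted(c for c, k in kinds.items() if len(k) >= threshold)
```

Raising the outbreak threshold from 4 to 5 silences the alert here because the fifth computer (PC-06) was seen outside the 24-hour window, which is exactly the false-positive control the "Correct" guideline describes.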


Ziv Rafalovich,
Senior Program Manager