How to Configure Alerts for Endpoint Protection in Configuration Manager


Updated: May 14, 2015

Applies To: System Center 2012 R2 Endpoint Protection, System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 Endpoint Protection SP1, System Center 2012 Endpoint Protection, System Center 2012 R2 Configuration Manager SP1

You can configure Endpoint Protection alerts in Microsoft System Center 2012 Configuration Manager to notify administrative users when specific security events occur in your hierarchy. Notifications are displayed in the Endpoint Protection dashboard in the Configuration Manager console and in reports, and you can configure them to be emailed to specified recipients.

Use the following steps and the supplemental procedures in this topic to configure alerts for Endpoint Protection in Configuration Manager.

Important

You must have the Enforce Security permission for collections to configure Endpoint Protection alerts.

Steps to Configure Alerts for Endpoint Protection in Configuration Manager

Use the following table for the steps, details, and more information about how to configure alerts for Endpoint Protection.

| Steps | Details | More information |
| --- | --- | --- |
| Step 1 (Optional): Configure email settings for alerts. | Before you can configure email subscriptions for alerts, you must configure an SMTP server in your hierarchy. An SMTP server can only be specified at the top-level site of your Configuration Manager hierarchy. | For more details, see Configuring Alerts in Configuration Manager. |
| Step 2: Configure alerts by collection. | Configure the properties of a device collection and specify settings for alerts. | For more details, see Step 2: Configure Alerts by Collection in this topic. |
| Step 3 (Optional): Configure email subscriptions for specific alerts. | Select the Endpoint Protection alerts in the Monitoring workspace, and create subscriptions by specifying email addresses to send the Endpoint Protection alerts. | For more details, see Configuring Alerts in Configuration Manager. |

Supplemental Procedures to Configure Endpoint Protection in Configuration Manager

Use the following information when the steps in the preceding table require supplemental procedures. These procedures configure the alerts for Endpoint Protection.

Step 2: Configure Alerts by Collection

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, click Device Collections.

  3. In the Device Collections list, select the collection for which you want to configure alerts, and then on the Home tab, in the Properties group, click Properties.

    Note

    You cannot configure alerts for user collections.

  4. On the Alerts tab of the <Collection Name> Properties dialog box, select View this collection in the Endpoint Protection dashboard if you want to view details about antimalware operations for this collection in the Monitoring workspace of the Configuration Manager console.

    Note

    This option is unavailable for the All Systems collection.

  5. On the Alerts tab of the <Collection Name> Properties dialog box, click Add.

  6. In the Add New Collection Alerts dialog box, in the Generate an alert when these conditions apply section, select the alerts that you want Configuration Manager to generate when the specified Endpoint Protection events occur, and then click OK.

  7. In the Conditions list of the Alerts tab, select each Endpoint Protection alert, and then specify the following information:

    - **Alert Name** – Accept the default name or enter a new name for the alert.
    
    - **Alert Severity** – In the list, select the alert level to display in the Configuration Manager console.
    

    Depending on the alert that you select, specify the following additional information for each alert name.

    Malware detection

    This alert is generated if malware is detected on any computer in the collection that you monitor.

    Specify the following information to configure this alert:

    • Malware detection threshold – Specifies the malware detection level at which this alert is generated. In the list, select one of the following:

      • High – All detections: The alert is generated when there are one or more computers in the specified collection on which any malware is detected, regardless of what action the Endpoint Protection client takes.

      • Medium – Detected, pending action: The alert is generated when there are one or more computers in the specified collection on which malware is detected, and you must manually remove the malware.

      • Low – Detected, still active: The alert is generated when there are one or more computers in the specified collection on which malware is detected and is still active.

    Malware outbreak

    This alert is generated if specified malware is detected on a specified percentage of computers in the collection that you monitor.

    Specify the following information to configure this alert:

    • Percentage of computers with malware detected – The alert is generated when the percentage of computers with malware that is detected in the collection exceeds the percentage that you specify. Specify a percentage from 1 through 99.

      Note

      The percentage value is based on the number of computers in the collection, but excludes computers that do not have a Configuration Manager client installed. It includes computers that do not yet have the Endpoint Protection client installed.

    Repeated malware detection

    This alert is generated if specific malware is detected more than a specified number of times over a specified number of hours on the computers in the collection that you monitor.

    Specify the following information to configure this alert:

    • Number of times malware has been detected – The alert is generated when the same malware is detected on computers in the collection more than the specified number of times. Specify a number from 2 through 32.

    • Interval for detection (hours) – Specify the detection interval, in hours, in which the number of malware detections must occur. Specify a number from 1 through 168.

    Multiple malware detection

    This alert is generated if more than a specified number of malware types are detected over a specified number of hours on computers in the collection that you monitor.

    Specify the following information to configure this alert:

    • Number of malware types detected – The alert is generated when the specified number of different malware types are detected on computers in the collection. Specify a number from 2 through 32.

    • Interval for detection (hours) – Specify the detection interval, in hours, in which the number of malware detections must occur. Specify a number from 1 through 168.

  8. Click OK to close the <Collection Name> Properties dialog box.
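To make the four alert conditions in the table above concrete, the following Python is an added example that is not part of this topic or of Configuration Manager itself: it models the threshold semantics described for each alert over constructed detection records (the computer names, malware names and times are made up), including the outbreak denominator rule from the note and the input ranges given for each field. It treats the Multiple malware detection count as "more than" the specified number, as that alert's description states; that reading is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample collection: True = ConfigMgr client installed. PC03 has no Endpoint
# Protection client but still counts for the outbreak percentage; PC04 (no ConfigMgr client) does not.
COMPUTERS = {"PC01": True, "PC02": True, "PC03": True, "PC04": False}
# Constructed detections: (computer, malware name, detection time, outcome), where outcome is
# "removed", "pending_action" (you must remove the malware manually) or "still_active".
T0 = datetime(2015, 5, 14, 8, 0)
DETECTIONS = [
    ("PC01", "Trojan:Win32/Sample.A", T0, "removed"),
    ("PC01", "Trojan:Win32/Sample.A", T0 + timedelta(hours=2), "removed"),
    ("PC02", "Trojan:Win32/Sample.A", T0 + timedelta(hours=3), "pending_action"),
    ("PC02", "Worm:Win32/Other.B", T0 + timedelta(hours=30), "still_active"),
    ("PC01", "Backdoor:Win32/Third.C", T0 + timedelta(hours=31), "removed"),
]

def malware_detection_alert(detections, threshold):
    """High: any detection; Medium: detected, pending manual action; Low: detected, still active."""
    wanted = {"High": {"removed", "pending_action", "still_active"},
              "Medium": {"pending_action"}, "Low": {"still_active"}}[threshold]
    return any(d[3] in wanted for d in detections)

def malware_outbreak_alert(computers, detections, percent):
    """Fires when the share of infected computers exceeds percent (1 through 99), over all ConfigMgr clients."""
    if not 1 <= percent <= 99:
        raise ValueError("percentage must be 1 through 99")
    population = {c for c, has_cm_client in computers.items() if has_cm_client}
    infected = {d[0] for d in detections if d[0] in population}
    return 100.0 * len(infected) / len(population) > percent

def _windows(detections, hours):
    """Yield the detections inside each [t, t + hours] window, one window per detection time."""
    ordered = sorted(detections, key=lambda d: d[2])
    span = timedelta(hours=hours)
    for start in (d[2] for d in ordered):
        yield [d for d in ordered if start <= d[2] <= start + span]

def repeated_malware_alert(detections, count, hours):
    """Same malware detected more than count (2 through 32) times within hours (1 through 168)."""
    if not (2 <= count <= 32 and 1 <= hours <= 168):
        raise ValueError("count must be 2 through 32, interval 1 through 168 hours")
    return any(max(Counter(d[1] for d in w).values()) > count for w in _windows(detections, hours))

def multiple_malware_alert(detections, types, hours):
    """More than `types` (2 through 32) distinct malware names within hours (1 through 168); assumed reading."""
    if not (2 <= types <= 32 and 1 <= hours <= 168):
        raise ValueError("types must be 2 through 32, interval 1 through 168 hours")
    return any(len({d[1] for d in w}) > types for w in _windows(detections, hours))
```

With the sample data, an outbreak threshold of 70 percent does not fire because PC03 is in the denominator even though it has no Endpoint Protection client (2 of 3 computers, not 2 of 2).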