
Device Protection with Microsoft Endpoint Manager and Microsoft Defender for Endpoint

Module 06: Endpoint Protection Alerts and Reporting

Microsoft Services
V04.21-2010
Module Overview
• Alerts in Endpoint Protection
• Endpoint Protection Reporting
• Endpoint Protection Monitoring
• Lab 06: Endpoint Protection Alert, Report and
Notification System
Alerts in Endpoint Protection

Microsoft Confidential
Alerts in Endpoint Protection
Alerts Overview:
• Alert levels prioritize the response to viruses, spyware, and other potentially
unwanted software.
• Alerts are configured per collection from the Configuration Manager console
(collection properties, Alerts tab).
• The same tab lets you mark a collection for display in the Endpoint
Protection dashboard.
• Alerts notify administrators of specific security events.
• Alerts are displayed in the Endpoint Protection dashboard of the Monitoring workspace.
• Alerts can also be emailed to specified recipients through an email subscription.
• Configuring Endpoint Protection alerts on a collection requires the Enforce Security
permission on that collection.
Alerts in Endpoint Protection
Alert Types
• One single-instance alert type:
Malware Outbreak
• Three multi-instance alert types:
• Malware Detection
• Repeated Malware Detection
• Multiple Malware Detection
• Each collection can be given its own thresholds and
its own set of administrators to notify, so a sensitive
collection (for example, domain controllers) can alert earlier
than the general workstation population.
Alerts in Endpoint Protection
Alert: Malware Outbreak
Trigger:
This alert is generated if specified malware is detected on a specified percentage of computers in
the Collection that you monitor.
Threshold:
Percentage of computers with malware detected: the alert is generated when the percentage of
computers in the collection with detected malware exceeds the percentage that you
specify. Specify a value from 1% to 99%. Because the percentage is computed against the
collection's membership, the same threshold fires much sooner on a small collection.
Response:
• Review the Malware Details report
• Identify the remediation action Endpoint Protection took (cleaned, quarantined, removed, or failed)
• Scope the infection
• Research the malware
Alerts in Endpoint Protection
Alert: Repeated Malware Detection
Trigger:
This alert is generated if specific malware is detected more than a specified number
of times over a specified number of hours on the computers in the Collection that
you monitor.
Thresholds:
• Number of times the malware has been detected
• Detection interval (hours)
Response:
• Review Malware details report.
• Drill down Computer details report.
• Research the malware and computer.
Alerts in Endpoint Protection
Alert: Multiple Malware Detection
Trigger:
This alert is generated if more than a specified number of malware types are
detected over a specified number of hours on computers in the Collection that you
monitor.
Thresholds:
• Number of distinct malware types detected
• Detection interval (hours)
Response:
• Review Malware details report
• Drill down into Computer details report
• Research the malware and computer
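The three collection alert rules described on the preceding slides (Malware Outbreak, Repeated Malware Detection, and Multiple Malware Detection) can be modelled directly to see how the thresholds interact with collection size and the time window. The block below is an added example written for this module; it is not Configuration Manager code and does not read the site database. The detection records, computer names, threat names, and the ten-member collection are all constructed for illustration, and the "fires only when the value strictly exceeds the threshold" behaviour mirrors the console wording ("exceeds the percentage that you specify").

```python
"""Model of the Endpoint Protection collection alert rules (added example).

Each evaluator takes the detection records, the monitored collection, and the
thresholds an administrator would enter on the collection's Alerts tab, and
returns whether the alert would be generated.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real telemetry): one tuple per detection
# event as a client would report it: (computer name, threat name, detected at).
DETECTIONS = [
    ("PC-01", "Trojan:Win32/Example.A", datetime(2021, 4, 1, 9, 0)),
    ("PC-02", "Trojan:Win32/Example.A", datetime(2021, 4, 1, 9, 10)),
    ("PC-03", "Trojan:Win32/Example.A", datetime(2021, 4, 1, 9, 30)),
    ("SRV-99", "Trojan:Win32/Example.A", datetime(2021, 4, 1, 9, 45)),  # not a collection member
    ("PC-04", "Worm:Win32/Example.B", datetime(2021, 4, 1, 10, 0)),
    ("PC-01", "Trojan:Win32/Example.A", datetime(2021, 4, 1, 11, 0)),  # re-detected on the same host
    ("PC-05", "PUA:Win32/Example.C", datetime(2021, 4, 2, 8, 0)),
]

# Constructed device collection of ten members; SRV-99 is deliberately absent,
# so its detection must not count toward any of the collection's alerts.
COLLECTION = [f"PC-{n:02d}" for n in range(1, 11)]


def _in_collection(detections, members):
    """Alerts are scoped to the collection they are configured on; drop other hosts."""
    return [d for d in detections if d[0] in members]


def malware_outbreak(detections, collection, percent_threshold):
    """Malware Outbreak: fires when the share of collection members with at least
    one detection exceeds percent_threshold. The console accepts 1 to 99 percent.
    Returns (fired, observed percentage)."""
    if not 1 <= percent_threshold <= 99:
        raise ValueError("percent threshold must be between 1 and 99")
    members = set(collection)
    infected = {host for host, _, _ in _in_collection(detections, members)}
    percent = 100.0 * len(infected) / len(members)
    return percent > percent_threshold, percent


def repeated_malware_detection(detections, collection, count_threshold, hours):
    """Repeated Malware Detection: fires for each threat detected more than
    count_threshold times within any window of `hours` on collection members.
    Returns {threat: highest count seen in one window} for threats that trip the rule."""
    window = timedelta(hours=hours)
    by_threat = defaultdict(list)
    for _, threat, ts in _in_collection(detections, set(collection)):
        by_threat[threat].append(ts)
    tripped = {}
    for threat, times in by_threat.items():
        times.sort()
        start, best = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best > count_threshold:
            tripped[threat] = best
    return tripped


def multiple_malware_detection(detections, collection, types_threshold, hours):
    """Multiple Malware Detection: fires when more than types_threshold distinct
    threats are detected within any window of `hours` on collection members.
    Returns (fired, set of threats seen in the busiest window)."""
    window = timedelta(hours=hours)
    events = sorted((ts, threat) for _, threat, ts in _in_collection(detections, set(collection)))
    best_types = set()
    for i, (start, _) in enumerate(events):
        types = {threat for ts, threat in events[i:] if ts - start <= window}
        if len(types) > len(best_types):
            best_types = types
    return len(best_types) > types_threshold, best_types


if __name__ == "__main__":
    print("Malware Outbreak, 30%:", malware_outbreak(DETECTIONS, COLLECTION, 30))
    print("Malware Outbreak, 50%:", malware_outbreak(DETECTIONS, COLLECTION, 50))
    print("Repeated, >3 in 2 h:", repeated_malware_detection(DETECTIONS, COLLECTION, 3, 2))
    print("Repeated, >3 in 1 h:", repeated_malware_detection(DETECTIONS, COLLECTION, 3, 1))
    print("Multiple, >2 types in 24 h:", multiple_malware_detection(DETECTIONS, COLLECTION, 2, 24))
    print("Multiple, >2 types in 4 h:", multiple_malware_detection(DETECTIONS, COLLECTION, 2, 4))
```

Two things the sample makes visible that the slides only state: five of ten members are infected, so a 30% threshold fires while a 50% threshold does not (the comparison is strictly "exceeds"), and the same four detections of one threat trip a "more than 3 in 2 hours" rule but not a "more than 3 in 1 hour" rule, so the interval is as much a tuning knob as the count.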
Alerts in Endpoint Protection
Steps to Configure Alerts
Step 1 (Optional): Configure email settings for alerts.
Before you can configure email subscriptions for alerts, you must configure an SMTP server in your
hierarchy. An SMTP server can only be specified at the top-level site of your Configuration
Manager hierarchy.

Step 2: Configure alerts by collection.
Open the properties of a device collection and specify the alert settings.

Step 3 (Optional): Configure email subscriptions for specific alerts.
Select the Endpoint Protection alerts in the Monitoring workspace and create subscriptions that
specify the email addresses to which the Endpoint Protection alerts are sent.
Endpoint Protection Reporting

Endpoint Protection Reporting
• Support the Security Administrator role with:
• Basic investigation capabilities
• Basic compliance capabilities
• Built on SQL Server Reporting Services, so reports are:
• Accessed from a browser
• Exportable to other formats
• Available as subscriptions (email, or a link to a file share)
• Extensible:
• The schema is published, so you can create custom reports against the Endpoint Protection SQL views.
• https://docs.microsoft.com/en-us/mem/configmgr/develop/core/understand/sqlviews/endpoint-protection-views-configuration-manager
• https://techcommunity.microsoft.com/t5/configuration-manager-archive/building-custom-endpoint-protection-reports-in-system-center/ba-p/273056
Endpoint Protection Reporting
Open EP reporting
• Navigate to Monitoring\Overview\Reporting\Reports.
• Locate the Endpoint Protection (SCEP) reports.
• The Endpoint Protection Manager role is required to view the reports.
• The Read-only Analyst role can also run the related reports.
• As an administrator, quickly filter the long list of available reports by entering the
keyword Endpoint in the search field.
Endpoint Protection Reporting
Rich Reporting and Analysis
• SQL Server Reporting Services-based reports across many categories.
• User-centric reports identify the most commonly affected users.
• Customizable reports.
Endpoint Protection Reporting
EP Reports
Computer Reports
• Computer Malware Details: provides details about a particular computer
and the history of malware detected on it.
• Infected Computers: provides a list of computers with a particular specified
threat detected.
User Reports
• Top Users By Threat: provides a list of users with the highest number of
detected threats.
• User Threat List: provides a list of threats detected under a specified user
account.
Endpoint Protection Reporting
EP Reports
Management Level Reporting
• Antimalware Activity Report: provides
malware activity information for the specified
collections between the specified dates.
• Antimalware overall status and history:
overall and historical status for
protection, malware remediation,
operational activity, definition
updates, and policy application.
Endpoint Protection Monitoring

Endpoint Protection Monitoring
Endpoint Protection Status:
• Microsoft Defender Status
• Malware detected
• Quick alerts and event notification in the console.
• Uses a high-speed data channel so that events are reported in real time rather than
waiting for the next inventory or status cycle.
• Integrated monitoring of client health and antimalware status.
• Email subscriptions for alerts.
Endpoint Protection Monitoring
Microsoft Defender Status Dashboard
• Overall Endpoint Protection security state and status
history.
• Malware remediation status and status history.
• Operational status and status history of Endpoint
Protection clients.
• Definition status and status history on computers.
• Antimalware Policy Application status and status
history on computers.
Malware detected
• List of detected malware per collection
• Remediation state per collection
Knowledge Measure
1. How is it possible to receive Endpoint Protections alerts?
2. What types of Alerts are available for Endpoint Protection?
3. How is it possible to create your own Endpoint Protection
Reports?
Module Summary
We have discussed:
• Alerts in Endpoint Protection
• Endpoint Protection Reporting
• Endpoint Protection Monitoring
Lab 06: Endpoint Protection Alert, Report and Notification System
• Exercise 1: Using the Built-In Reports.
• Exercise 2: Configure Alerts by Collection.
• Exercise 3: Configure Email Subscriptions for Specific Alerts.
• Exercise 4: Monitor Endpoint Protection Client Health Status.
© 2015 Microsoft Corporation. All rights reserved.
