Generates an alert when Microsoft Forefront Endpoint Protection client has reported on a cleaned malware.
This rule tracks successful malware cleanup operations.
It is recommended that you keep this rule turned on with the default configuration.
This rule will generate an information alert if the client reports that it successfully cleaned malware.
Target | Microsoft.FEP.ProtectedServer | ||
Category | Custom | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Information | ||
Alert Priority | Low | ||
Remotable | True | ||
Alert Message |
|
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventsDS | DataSource | Microsoft.FEP.ProtectedServer.MalwareCleanedEventDS | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.FEP.MalwareCleanedAlertRule" Enabled="true" Target="FEPLibrary!Microsoft.FEP.ProtectedServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Custom</Category>
<DataSources>
<DataSource ID="EventsDS" TypeID="FEPLibrary!Microsoft.FEP.ProtectedServer.MalwareCleanedEventDS"/>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
<Priority>0</Priority>
<Severity>0</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.FEP.MalwareCleanedAlertRule.Alert"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Target/Property[Type="FEPLibrary!Microsoft.FEP.ProtectedServer"]/ServerId$</AlertParameter1>
<AlertParameter2>$Data/Params/Param[4]$</AlertParameter2>
<!-- Detection Time -->
<AlertParameter3>$Data/Params/Param[8]$</AlertParameter3>
<!-- Threat Name -->
<AlertParameter4>$Data/Params/Param[22]$</AlertParameter4>
<!-- Path -->
<AlertParameter5>$Data/Params/Param[13]$</AlertParameter5>
<!-- FW Link -->
<AlertParameter6>$Data/Params/Param[10]$</AlertParameter6>
<!-- Severity -->
<AlertParameter7>$Data/Params/Param[12]$</AlertParameter7>
<!-- Category -->
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/Params/Param[8]$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>