Generates an alert when the System Center Endpoint Protection 2012 client has reported malware that was cleaned.
This rule tracks successful malware cleaning operations.
It is recommended to leave this rule enabled with its default configuration.
This rule generates an alert if the client reports that it successfully cleaned the malware.
Property | Value |
---|---|
Target | Microsoft.SCEP.Linux.ProtectedServer |
Category | SecurityHealth |
Enabled | True |
Alert Generate | True |
Remotable | True |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
SCXLog | DataSource | Microsoft.SCEP.Linux.SCXLog.MalwareEvent.DS | Default |
Mapper | ConditionDetection | System.Event.GenericDataMapper | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
```xml
<Rule ID="Microsoft.SCEP.Linux.MalwareCleanedAlertRule" Enabled="true" Target="SCEPLinuxLibrary!Microsoft.SCEP.Linux.ProtectedServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>SecurityHealth</Category>
  <DataSources>
    <DataSource ID="SCXLog" TypeID="SCEPLinuxLibrary!Microsoft.SCEP.Linux.SCXLog.MalwareEvent.DS">
      <Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</Host>
      <LogFile>/var/log/scep/eventlog_scom.dat</LogFile>
      <RegExpFilter>^event=malware, .*status=clean.*$</RegExpFilter>
    </DataSource>
  </DataSources>
  <ConditionDetection ID="Mapper" TypeID="System!System.Event.GenericDataMapper">
    <EventOriginId>$MPElement$</EventOriginId>
    <PublisherId>$MPElement$</PublisherId>
    <PublisherName>System Center 2012 Endpoint Protection for Unix/Linux</PublisherName>
    <Channel>Application</Channel>
    <LoggingComputer>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</LoggingComputer>
    <EventNumber>4001</EventNumber>
    <EventCategory>0</EventCategory>
    <EventLevel>1</EventLevel>
    <UserName/>
    <Params/>
  </ConditionDetection>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>$Data/EventData/DataItem/Property[@Name='AlertPriority']$</Priority>
      <Severity>$Data/EventData/DataItem/Property[@Name='AlertSeverity']$</Severity>
      <AlertMessageId>$MPElement[Name="AlertMessageIDdbc3762134394677bf2d86b384524b21"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Target/Property[Type="SCEPLinuxLibrary!Microsoft.SCEP.Linux.ProtectedServer"]/ComputerId$</AlertParameter1>
        <AlertParameter2>$Data/EventData/DataItem/Property[@Name='DetectionTime']$</AlertParameter2>
        <AlertParameter3>$Data/EventData/DataItem/Property[@Name='MalwareName']$</AlertParameter3>
        <AlertParameter4>$Data/EventData/DataItem/Property[@Name='MalwareLocation']$</AlertParameter4>
        <AlertParameter5>$Data/EventData/DataItem/Property[@Name='MalwareSeverity']$</AlertParameter5>
        <AlertParameter6>$Data/EventData/DataItem/Property[@Name='MalwareCategory']$</AlertParameter6>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/EventData/DataItem/Property[@Name='MalwareName']$</SuppressionValue>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
```
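As an added example (not part of this management pack), the following Python script applies the rule's RegExpFilter to constructed sample lines in the style of eventlog_scom.dat, maps the matched fields onto the six alert parameters, and folds repeats by MalwareName the way the Suppression block does. The key=value layout of the lines beyond `event=malware` and `status=clean`, and the field names `time`, `name`, `path`, `severity` and `category`, are assumptions.

```python
import re
from collections import OrderedDict

# Same filter the rule's SCXLog data source applies to /var/log/scep/eventlog_scom.dat.
MALWARE_CLEANED = re.compile(r"^event=malware, .*status=clean.*$")

# Constructed sample lines. The comma-separated key=value layout and the field
# names are assumptions; only "event=malware" and "status=clean" come from the rule.
SAMPLE_LOG = """\
event=malware, time=2024-05-01T10:02:11Z, name=EICAR-Test-File, path=/tmp/eicar.com, severity=Severe, category=Virus, status=clean
event=malware, time=2024-05-01T10:05:40Z, name=EICAR-Test-File, path=/home/u/x.com, severity=Severe, category=Virus, status=clean
event=malware, time=2024-05-01T10:07:03Z, name=Example.Trojan.Placeholder, path=/opt/app/bin, severity=High, category=Trojan, status=quarantine_failed
event=scan, time=2024-05-01T10:09:00Z, status=clean
event=malware, time=2024-05-01T10:11:27Z, name=Example.Worm.Placeholder, path=/tmp/w, severity=High, category=Worm, status=cleanup_pending
"""


def parse_fields(line):
    """Split one 'k=v, k=v' line into a dict (layout is an assumption)."""
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def build_alerts(log_text, computer_id):
    """Return (alerts, suppressed): alerts shaped like AlertParameter1..6 plus the
    mapped EventNumber, and the count of matching lines folded into an existing
    alert because they share the MalwareName suppression value."""
    alerts = OrderedDict()
    suppressed = 0
    for line in log_text.splitlines():
        if not MALWARE_CLEANED.match(line):
            continue  # filtered out by the data source, never reaches the mapper
        f = parse_fields(line)
        name = f.get("name", "")
        if name in alerts:
            suppressed += 1  # same MalwareName: SCOM bumps the repeat count, no new alert
            continue
        alerts[name] = {
            "ComputerId": computer_id,                 # AlertParameter1
            "DetectionTime": f.get("time", ""),        # AlertParameter2
            "MalwareName": name,                       # AlertParameter3
            "MalwareLocation": f.get("path", ""),      # AlertParameter4
            "MalwareSeverity": f.get("severity", ""),  # AlertParameter5
            "MalwareCategory": f.get("category", ""),  # AlertParameter6
            "EventNumber": 4001,                       # from the GenericDataMapper
        }
    return list(alerts.values()), suppressed
```

Note that `status=clean.*` is a prefix match, so the constructed `status=cleanup_pending` line also raises this alert; if the real log carries such statuses, tightening the filter to `status=clean(,|$)` keeps the alert to genuine clean results.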