Malware Cleaned Alert Rule

Microsoft.SCEP.Linux.MalwareCleanedAlertRule (Rule)

Generates an alert when the System Center 2012 Endpoint Protection client reports that it has cleaned malware.

Knowledge Base article:

Summary

This rule tracks successful malware cleanup operations.

Configuration

It is recommended that you keep this rule turned on with the default configuration.

Causes

This rule generates an informational alert when the client reports that it successfully cleaned malware.

Element properties:

Target: Microsoft.SCEP.Linux.ProtectedServer
Category: SecurityHealth
Enabled: True
Alert Generate: True
Remotable: True

Member Modules:

ID      | Module Type        | TypeId                                           | RunAs
SCXLog  | DataSource         | Microsoft.SCEP.Linux.SCXLog.MalwareEvent.DS      | Default
Mapper  | ConditionDetection | System.Event.GenericDataMapper                   | Default
Alert   | WriteAction        | System.Health.GenerateAlert                      | Default

Source Code:

<Rule ID="Microsoft.SCEP.Linux.MalwareCleanedAlertRule" Enabled="true" Target="SCEPLinuxLibrary!Microsoft.SCEP.Linux.ProtectedServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>SecurityHealth</Category>
  <DataSources>
    <DataSource ID="SCXLog" TypeID="SCEPLinuxLibrary!Microsoft.SCEP.Linux.SCXLog.MalwareEvent.DS">
      <Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</Host>
      <LogFile>/var/log/scep/eventlog_scom.dat</LogFile>
      <RegExpFilter>^event=malware, .*status=clean.*$</RegExpFilter>
    </DataSource>
  </DataSources>
  <ConditionDetection ID="Mapper" TypeID="System!System.Event.GenericDataMapper">
    <EventOriginId>$MPElement$</EventOriginId>
    <PublisherId>$MPElement$</PublisherId>
    <PublisherName>System Center 2012 Endpoint Protection for Unix/Linux</PublisherName>
    <Channel>Application</Channel>
    <LoggingComputer>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</LoggingComputer>
    <EventNumber>4001</EventNumber>
    <EventCategory>0</EventCategory>
    <EventLevel>1</EventLevel>
    <UserName/>
    <Params/>
  </ConditionDetection>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>$Data/EventData/DataItem/Property[@Name='AlertPriority']$</Priority>
      <Severity>$Data/EventData/DataItem/Property[@Name='AlertSeverity']$</Severity>
      <AlertMessageId>$MPElement[Name="AlertMessageIDdbc3762134394677bf2d86b384524b21"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Target/Property[Type="SCEPLinuxLibrary!Microsoft.SCEP.Linux.ProtectedServer"]/ComputerId$</AlertParameter1>
        <AlertParameter2>$Data/EventData/DataItem/Property[@Name='DetectionTime']$</AlertParameter2>
        <AlertParameter3>$Data/EventData/DataItem/Property[@Name='MalwareName']$</AlertParameter3>
        <AlertParameter4>$Data/EventData/DataItem/Property[@Name='MalwareLocation']$</AlertParameter4>
        <AlertParameter5>$Data/EventData/DataItem/Property[@Name='MalwareSeverity']$</AlertParameter5>
        <AlertParameter6>$Data/EventData/DataItem/Property[@Name='MalwareCategory']$</AlertParameter6>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/EventData/DataItem/Property[@Name='MalwareName']$</SuppressionValue>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
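As an added example (not part of the management pack or its source), the following Python models the rule's pipeline on constructed log lines: the RegExpFilter from the DataSource, the mapping of event fields onto AlertParameter2 to AlertParameter6, and suppression keyed on MalwareName. Everything about the log line layout other than the "event=malware, " prefix and the "status=clean" token is an assumption; the real SCEP eventlog_scom.dat format is not shown on this page.

```python
import re
from collections import defaultdict

# Filter copied from the rule's <RegExpFilter>; only matching lines reach the mapper.
MALWARE_CLEANED_FILTER = re.compile(r"^event=malware, .*status=clean.*$")

# Constructed sample content standing in for /var/log/scep/eventlog_scom.dat.
# Field names other than "event" and "status" are assumptions for this example.
SAMPLE_LOG = """\
event=malware, time=2013-05-02T10:15:00Z, name=EICAR-Test-File, location=/tmp/eicar.com, severity=Severe, category=Virus, status=clean
event=malware, time=2013-05-02T10:16:00Z, name=EICAR-Test-File, location=/home/u/eicar.com, severity=Severe, category=Virus, status=clean
event=malware, time=2013-05-02T10:17:00Z, name=Trojan.Sample, location=/var/tmp/x, severity=High, category=Trojan, status=quarantine
event=scan, time=2013-05-02T10:18:00Z, status=clean
"""


def parse_fields(line):
    """Split a constructed 'key=value, key=value' line into a dict."""
    return dict(part.split("=", 1) for part in line.split(", "))


def alerts_for_log(text):
    """Apply the rule: filter, map to alert parameters, suppress on MalwareName.

    Returns (alerts, suppressed). Each alert carries the values the rule feeds
    into AlertParameter2..6; 'suppressed' counts later events with the same
    MalwareName that the <SuppressionValue> would fold into the open alert
    (a simplified model of SCOM alert suppression, not the product code).
    """
    alerts = {}
    suppressed = defaultdict(int)
    for line in text.splitlines():
        if not MALWARE_CLEANED_FILTER.match(line):
            continue  # scan events and non-clean outcomes never fire this rule
        fields = parse_fields(line)
        name = fields.get("name", "")
        if name in alerts:
            suppressed[name] += 1
            continue
        alerts[name] = {
            "DetectionTime": fields.get("time", ""),
            "MalwareName": name,
            "MalwareLocation": fields.get("location", ""),
            "MalwareSeverity": fields.get("severity", ""),
            "MalwareCategory": fields.get("category", ""),
        }
    return list(alerts.values()), dict(suppressed)
```

Note that a second clean of the same malware name at a different path is suppressed rather than raised separately, which is the behaviour the MalwareName suppression value produces; if per-location visibility matters, the suppressed repeat count is where it shows up.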