Generates an alert when the System Center 2012 Endpoint Protection client reports that it has cleaned malware.
This rule tracks successful malware cleanup operations.
It is recommended that you keep this rule turned on with the default configuration.
This rule generates an informational alert when the client reports that it successfully cleaned malware; the alert's priority and severity are taken from the values carried in the reported event data rather than being fixed in the rule.
Target | Microsoft.SCEP.Linux.ProtectedServer |
Category | SecurityHealth |
Enabled | True |
Alert Generate | True |
Remotable | True |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
SCXLog | DataSource | Microsoft.SCEP.Linux.SCXLog.MalwareEvent.DS | Default |
Mapper | ConditionDetection | System.Event.GenericDataMapper | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
<!--
Rule: Microsoft.SCEP.Linux.MalwareCleanedAlertRule
Purpose: raise an alert on a SCEP-protected Linux server when the SCEP agent
logs a malware event whose status begins with "clean".
Pipeline: SCXLog data source (tails the agent log on the host, filters by
regex) -> GenericDataMapper (wraps the match as a System event) -> GenerateAlert.
Targets one instance per Microsoft.SCEP.Linux.ProtectedServer, enabled by default,
runs remotely (Remotable="true") with acknowledged delivery (ConfirmDelivery="true").
-->
<Rule ID="Microsoft.SCEP.Linux.MalwareCleanedAlertRule" Enabled="true" Target="SCEPLinuxLibrary!Microsoft.SCEP.Linux.ProtectedServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>SecurityHealth</Category>
<DataSources>
<DataSource ID="SCXLog" TypeID="SCEPLinuxLibrary!Microsoft.SCEP.Linux.SCXLog.MalwareEvent.DS">
<!-- Host is resolved from the hosting Unix computer's network name; the log
     path is fixed to the SCEP agent's SCOM event log on that host. -->
<Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</Host>
<LogFile>/var/log/scep/eventlog_scom.dat</LogFile>
<!-- Matches lines of the form "event=malware, ... status=clean...".
     NOTE(review): "status=clean.*" is a prefix match, so any status value that
     begins with "clean" would also fire this rule. Confirm against the agent's
     status vocabulary that no non-success status (e.g. a failed or partial
     cleanup) shares that prefix; if one does, anchor the status token (for
     example "status=clean(,|$)") so this rule only reports successful cleanups.
     NOTE(review): the matched fields (MalwareName, MalwareLocation, ...) are
     read from a log file on the monitored host and surface verbatim in the
     alert; treat them as host-supplied, not authenticated, data in any
     downstream automation keyed on alert parameters. -->
<RegExpFilter>^event=malware, .*status=clean.*$</RegExpFilter>
</DataSource>
</DataSources>
<!-- Wraps each matched line as a generic event. Params is empty, so the
     original data item is presumably carried inside EventData/DataItem, which
     is what the WriteAction XPaths below read (confirm with the mapper docs). -->
<ConditionDetection ID="Mapper" TypeID="System!System.Event.GenericDataMapper">
<EventOriginId>$MPElement$</EventOriginId>
<PublisherId>$MPElement$</PublisherId>
<PublisherName>System Center 2012 Endpoint Protection for Unix/Linux</PublisherName>
<Channel>Application</Channel>
<LoggingComputer>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</LoggingComputer>
<!-- Fixed identifiers assigned to the synthesized event. They do not drive
     alert severity or priority; those come from the event data below. -->
<EventNumber>4001</EventNumber>
<EventCategory>0</EventCategory>
<EventLevel>1</EventLevel>
<UserName/>
<Params/>
</ConditionDetection>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<!-- Priority and severity are taken from the AlertPriority / AlertSeverity
     properties of the matched data item rather than hard-coded here. -->
<Priority>$Data/EventData/DataItem/Property[@Name='AlertPriority']$</Priority>
<Severity>$Data/EventData/DataItem/Property[@Name='AlertSeverity']$</Severity>
<AlertMessageId>$MPElement[Name="AlertMessageIDdbc3762134394677bf2d86b384524b21"]$</AlertMessageId>
<!-- Message parameters, in order: 1 = target ComputerId, 2 = DetectionTime,
     3 = MalwareName, 4 = MalwareLocation, 5 = MalwareSeverity, 6 = MalwareCategory. -->
<AlertParameters>
<AlertParameter1>$Target/Property[Type="SCEPLinuxLibrary!Microsoft.SCEP.Linux.ProtectedServer"]/ComputerId$</AlertParameter1>
<AlertParameter2>$Data/EventData/DataItem/Property[@Name='DetectionTime']$</AlertParameter2>
<AlertParameter3>$Data/EventData/DataItem/Property[@Name='MalwareName']$</AlertParameter3>
<AlertParameter4>$Data/EventData/DataItem/Property[@Name='MalwareLocation']$</AlertParameter4>
<AlertParameter5>$Data/EventData/DataItem/Property[@Name='MalwareSeverity']$</AlertParameter5>
<AlertParameter6>$Data/EventData/DataItem/Property[@Name='MalwareCategory']$</AlertParameter6>
</AlertParameters>
<!-- Suppression is keyed on MalwareName only (per target instance).
     NOTE(review): a later match with the same MalwareName but a different
     MalwareLocation or DetectionTime is therefore treated as a duplicate of
     the existing alert rather than a new one; the per-file detail is only
     visible in the first alert. If operators need one alert per cleaned file,
     add MalwareLocation as a second SuppressionValue, at the cost of more
     alerts during a large infection. -->
<Suppression>
<SuppressionValue>$Data/EventData/DataItem/Property[@Name='MalwareName']$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>