Microsoft Endpoint Protection
The Microsoft Endpoint Protection DSM forJSA can collect malware detection events.
Malware detection events are retrieved by JSA by configuring the JDBC protocol. Adding malware detection events to JSA gives the capability to monitor and detect malware infected computers in your deployment.
Malware detection events include the following event types:
Site name and the source from which the malware was detected.
Threat name, threat ID, and severity.
User ID associated with the threat.
Event type, time stamp, and the cleaning action that is taken on the malware.
The Microsoft Endpoint Protection DSM uses JDBC to poll an SQL database for malware detection event data. This DSM does not automatically discover. To integrate Microsoft EndPoint Protection with JSA, take the following steps:
Create an SQL database view for JSA with the malware detection event data.
Configure a JDBC log source to poll for events from the Microsoft EndPoint Protection database.
Ensure that no firewall rules are blocking communication between JSA and the database that is associated with Microsoft EndPoint Protection.
Creating a Database View
Microsoft EndPoint Protection uses SQL Server Management Studio (SSMS) to manage the EndPoint Protection SQL databases.
- Log in to the system that hosts your Microsoft EndPoint Protection SQL database.
- From the Start menu, select Run.
- Type the following command:
- Click OK.
- Log in to your Microsoft Endpoint Protection database.
- From the Object Explorer, select Databases .
- Select your database and click Views.
- From the navigation menu, click New Query.
- In the Query pane, type the following Transact-SQL
statement to create the database view:
create view dbo.MalwareView as select n.Type , n.RowID , n.Name , n.Description , n.Timestamp , n.SchemaVersion , n.ObserverHost , n.ObserverUser , n.ObserverProductName , n.ObserverProductversion , n.ObserverProtectionType , n.ObserverProtectionVersion , n.ObserverProtectionSignatureVersion , n.ObserverDetection , n.ObserverDetectionTime , n.ActorHost , n.ActorUser , n.ActorProcess , n.ActorResource , n.ActionType , n.TargetHost , n.TargetUser , n.TargetProcess , n.TargetResource , n.ClassificationID , n.ClassificationType , n.ClassificationSeverity , n.ClassificationCategory , n.RemediationType , n.RemediationResult , n.RemediationErrorCode , n.RemediationPendingAction , n.IsActiveMalware , i.IP_Addresses0 as 'SrcAddress'
from v_AM_NormalizedDetectionHistory n, System_IP_Address_ARR i, v_RA_System_ResourceNames s, Network_DATA d where n.ObserverHost = s.Resource_Names0 and s.ResourceID = d.MachineID and d.IPEnabled00 = 1 and d.MachineID = i.ItemKey and i.IP_Addresses0 like '%.%.%.%';
- From the Query pane, right-click and select Execute.
If the view is created, the following message is displayed in the results pane:
Command(s) completed successfully.
You are now ready to configure a log source in JSA.
Configuring a Log Source
JSA requires a user account with the proper credentials to access the view you created in the Microsoft EndPoint Protection database.
To successfully poll for malware detection events from the Microsoft EndPoint Protection database, you must create a new user or provide the log source with existing user credentials to read from the database view that you created. For more information on creating a user account, see your vendor documentation.
- Click the Admin tab.
- On the navigation menu, click Data Sources.
- Click the Log Sources icon.
- In the Log Source Name field, type a name for the log source.
- In the Log Source Description field, type a description for the log source.
- From the Log Source Type list, select Microsoft EndPoint Protection.
- From the Protocol Configuration list, select JDBC.
- Configure the following values:
Table 1: Microsoft EndPoint Protection JDBC Parameters
Log Source Identifier
Type the identifier for the log source. Type the log source identifier in the following format:
<Database>@<Database Server IP or Host Name>
<Database> is the database name, as entered in the Database Name parameter.
<Database Server IP or Host Name> is the host name or IP address for this log source, as entered in the IP or Hostname parameter.
From the list, select MSDE.
Type the name of the Microsoft EndPoint Protection database.
This name must match the database name that you select when you create your view in Creating a database viewMicrosoft EndPoint Protection uses SQL Server Management Studio (SSMS) to manage the EndPoint Protection SQL databases..
IP or Hostname
Type the IP address or host name of the Microsoft EndPoint Protection SQL Server.
Type the port number that is used by the database server. The default port for MSDE is 1433.
The JDBC configuration port must match the listener port of the Microsoft EndPoint Protection database. The Microsoft EndPoint Protection database must have incoming TCP connections that are enabled to communicate with JSA.
If you define a Database Instance when MSDE is used as the database type, you must leave the Port parameter blank in your configuration.
Type the user name the log source can use to access the Microsoft EndPoint Protection database.
Type the password the log source can use to access the Microsoft EndPoint Protection database.
The password can be up to 255 characters in length.
Confirm the password that is required to access the database. The confirmation password must be identical to the password entered in the Password field.
If you select MSDE as the Database Type and the database is configured for Windows, you must define the Window Authentication Domain. Otherwise, leave this field blank.
Optional. Type the database instance, if you have multiple SQL server instances on your database server.
If you use a non-standard port in your database configuration, or block access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.
Type dbo.MalwareView as the name of the table or view that includes the event records.
Type * for all fields from the table or view.
You can use a comma-separated list to define specific fields from tables or views, if you need it for your configuration. The list must contain the field that is defined in the Compare Field parameter. The comma-separated list can be up to 255 alphanumeric characters in length. The list can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period(.).
Type Timestamp as the compare field. The compare field is used to identify new events added between queries to the table.
Start Date and Time
Optional. Type the start date and time for database polling.
The Start Date and Time parameter must be formatted as yyyy-MM-dd HH: mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.
Use Prepared Statements
Select the Use Prepared Statements check box.
Prepared statements allow the JDBC protocol source to setup the SQL statement one time, then run the SQL statement many times with different parameters. For security and performance reasons, it is suggested that you use prepared statements.
Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.
Type the polling interval, which is the amount of time between queries to the view you created. The default polling interval is 10 seconds.
You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds.
Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.
Use Named Pipe Communication
Clear the Use Named Pipe Communications check box.
When you use a Named Pipe connection, the user name and password must be the appropriate Windows authentication user name and password and not the database user name and password. Also, you must use the default Named Pipe.
Database Cluster Name
If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.
Select the Use NTLMv2 check box.
This option forces MSDE connections to use the NTLMv2 protocol when they communicate with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.
If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication.
Selecting a value greater than 5 for the Credibility parameter weights your Microsoft EndPoint Protection log source with a higher importance compared to other log sources in JSA.
- Click Save.
- On the Admin tab, click Deploy Changes.
The Microsoft EndPoint Protection configuration is complete.