Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

ON THIS PAGE

Microsoft Endpoint Protection

 

The Microsoft Endpoint Protection DSM for JSA can collect malware detection events.

Malware detection events are retrieved by JSA by configuring the JDBC protocol. Adding malware detection events to JSA gives the capability to monitor and detect malware infected computers in your deployment.

Malware detection events include the following event types:

  • Site name and the source from which the malware was detected.

  • Threat name, threat ID, and severity.

  • User ID associated with the threat.

  • Event type, time stamp, and the cleaning action that is taken on the malware.

Configuration Overview

The Microsoft Endpoint Protection DSM uses JDBC to poll an SQL database for malware detection event data. This DSM does not automatically discover. To integrate Microsoft EndPoint Protection with JSA, take the following steps:

  1. If your database is not configured with Predefined Query, create an SQL database view for JSA with the malware detection event data.

  2. Configure a JDBC log source to poll for events from the Microsoft EndPoint Protection database.

  3. Ensure that no firewall rules are blocking communication between JSA and the database that is associated with Microsoft EndPoint Protection.

Configuring an Endpoint Protection Log Source for Predefined Database Queries

Administrators who do not have permission to create a database view because of policy restrictions can collect Microsoft Endpoint Protection events with a log source that uses predefined queries.

Predefined queries are customized statements that can join data from separate tables when the database is polled by the JDBC protocol. To successfully poll for audit data from the Microsoft Endpoint Protection database, create a new user or provide the log source with existing user credentials. For more information about creating a user account, see (https://www.microsoft.com).

  1. Click the Admin tab.
  2. Click the Log Sources icon.
  3. Click Add.
  4. Configure the parameters. The following table describes the parameters that require specific values to collect events from SAP Enterprise Threat Protection by using the JDBC protocol:

    Table 1: Microsoft Endpoint Protection JDBC Parameters

    Parameter

    Description

    Log Source Name

    Type a unique name for the log source.

    Log Source Description (Optional)

    Type a description for the log source.

    Log Source Type

    Microsoft Endpoint Protection

    Protocol Configuration

    JDBC

    Log Source Identifier

    Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol.

    If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2.

    Database Type

    MSDE

    Database Name

    The name of the database to which you want to connect.

    IP or Hostname

    Type the IP address or host name of the Microsoft Endpoint Protection SQL Server.

    Port

    Type the port number that is used by the database server. The default port for MSDE is 1433.

    The JDBC configuration port must match the listener port of the Microsoft Endpoint Protection database. The Microsoft Endpoint Protection database must have incoming TCP connections that are enabled to communicate with JSA.

    If you define a Database Instance when you use MSDE as the database type, you must leave the Port field blank in your configuration.

    Username

    Type the user name the log source can use to access the Microsoft Endpoint Protection database.

    Password

    Type the password the log source can use to access the Microsoft Endpoint Protection database.

    The password can be up to 255 characters in length.

    Confirm Password

    Confirm the password that is used to access the database. The confirmation password must be identical to the password entered in the Password field.

    Authentication Domain

    If you did not select Use Microsoft JDBC, Authentication Domain is displayed.

    If you select MSDE as the Database Type and the database is configured for Windows Authentication, you must populate the Authentication Domain field. Otherwise, leave this field blank.

    Database Instance

    If you have multiple SQL server instances on your database server, type the database instance.

    If you use a non-standard port in your database configuration, or block access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.

    Predefined Query

    From the list, select Microsoft Endpoint Protection.

    Table Name

    The name of the table or view that includes the event records. The table name can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).

    Select List

    The list of fields to include when the table is polled for events. You can use a comma-separated list or type an asterisk (*) to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field that is defined in the Compare Field.

    Compare Field

    A numeric value or time stamp field from the table or view that identifies new events that are added to the table between queries. Enables the protocol to identify events that were previously polled by the protocol to ensure that duplicate events are not created.

    Use Prepared Statements

    Select the Use Prepared Statements check box.

    Prepared statements enable the JDBC protocol source to set up the SQL statement, and then run the SQL statement numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statement.

    Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.

    Start Date and Time (Optional)

    Type the start date and time for database polling.

    The Start Date and Time parameter must be formatted as yyyy-MM-dd HH: mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.

    Polling Interval

    Type the polling interval, which is the amount of time between queries to the view you created. The default polling interval is 10 seconds.

    You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds.

    EPS Throttle

    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 20000 EPS.

    Use Named Pipe Communication

    If you did not select Use Microsoft JDBC, Use Named Pipe Communication is displayed.

    MSDE databases require the user name and password field to use a Windows authentication user name and password and not the database user name and password. The log source configuration must use the default that is named pipe on the MSDE database.

    Database Cluster Name

    If you selected the Use Named Pipe Communication, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.

    Use NTLMv2

    If you did not select Use Microsoft JDBC, Use NTLMv2 is displayed.

    Select the Use NTLMv2 check box.

    This option forces MSDE connections to use the NTLMv2 protocol when it communicates with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.

    If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication.

    Use Microsoft JDBC

    If you want to use the Microsoft JDBC driver, you must enable Use Microsoft JDBC.

    Use SSL

    If your connection supports SSL communication, select Use SSL. This option requires extra configuration on your Endpoint Protection database and also requires administrators to configure certificates on both appliances.

    Microsoft SQL Server Hostname

    If you selected Use Microsoft JDBC and Use SSL, the Microsoft SQL Server Hostname parameter is displayed.

    You must type the host name for the Microsoft SQL server.

    Note

    Selecting a parameter value greater than 5 for the Credibility parameter weights your Microsoft Endpoint Protection log source with a higher importance that is compared to other log sources in JSA.

  5. Click Save.
  6. On the Admin tab, click Deploy Changes.

Configuring an Endpoint Protection Log Source for Predefined Database Queries

JSA requires a user account with the proper credentials to access the view you created in the Microsoft EndPoint Protection database.

To successfully poll for malware detection events from the Microsoft EndPoint Protection database, you must create a new user or provide the log source with existing user credentials to read from the database view that you created. For more information on creating a user account, see your vendor documentation.

  1. Click the Admin tab.
  2. On the navigation menu, click Data Sources.
  3. Click the Log Sources icon.
  4. In the Log Source Name field, type a name for the log source.
  5. In the Log Source Description field, type a description for the log source.
  6. From the Log Source Type list, select Microsoft EndPoint Protection.
  7. From the Protocol Configuration list, select JDBC.
  8. Configure the following values:

    Table 2: Microsoft EndPoint Protection JDBC Parameters

    Parameter

    Description

    Log Source Identifier

    Type the identifier for the log source. Type the log source identifier in the following format:

    <Database>@<Database Server IP or Host Name>

    Where:

    • <Database> is the database name, as entered in the Database Name parameter.

    • <Database Server IP or Host Name> is the host name or IP address for this log source, as entered in the IP or Hostname parameter.

    Database Type

    From the list, select MSDE.

    Database Name

    Type the name of the Microsoft EndPoint Protection database.

    This name must match the database name that you select when you create your view in Creating a database viewMicrosoft EndPoint Protection uses SQL Server Management Studio (SSMS) to manage the EndPoint Protection SQL databases..

    IP or Hostname

    Type the IP address or host name of the Microsoft EndPoint Protection SQL Server.

    Port

    Type the port number that is used by the database server. The default port for MSDE is 1433.

    The JDBC configuration port must match the listener port of the Microsoft EndPoint Protection database. The Microsoft EndPoint Protection database must have incoming TCP connections that are enabled to communicate with JSA.

    If you define a Database Instance when MSDE is used as the database type, you must leave the Port parameter blank in your configuration.

    Username

    Type the user name the log source can use to access the Microsoft EndPoint Protection database.

    Password

    Type the password the log source can use to access the Microsoft EndPoint Protection database.

    The password can be up to 255 characters in length.

    Confirm Password

    Confirm the password that is required to access the database. The confirmation password must be identical to the password entered in the Password field.

    Authentication Domain

    If you select MSDE as the Database Type and the database is configured for Windows, you must define the Window Authentication Domain. Otherwise, leave this field blank.

    Database Instance

    Optional. Type the database instance, if you have multiple SQL server instances on your database server.

    If you use a non-standard port in your database configuration, or block access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.

    Predefined Query

    From the list, select Microsoft Endpoint Protection.

    Table Name Predefined Query

    Type dbo.MalwareView as the name of the table or view that includes the event records.

      

    Compare Field

    Type Timestamp as the compare field. The compare field is used to identify new events added between queries to the table.

    Start Date and Time

    Optional. Type the start date and time for database polling.

    The Start Date and Time parameter must be formatted as yyyy-MM-dd HH: mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.

    Use Prepared Statements

    Select the Use Prepared Statements check box.

    Prepared statements allow the JDBC protocol source to setup the SQL statement one time, then run the SQL statement many times with different parameters. For security and performance reasons, it is suggested that you use prepared statements.

    Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.

    Polling Interval

    Type the polling interval, which is the amount of time between queries to the view you created. The default polling interval is 10 seconds.

    You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds.

    EPS Throttle

    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

    Use Named Pipe Communication

    Clear the Use Named Pipe Communications check box.

    When you use a Named Pipe connection, the user name and password must be the appropriate Windows authentication user name and password and not the database user name and password. Also, you must use the default Named Pipe.

    Database Cluster Name

    If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.

    Use NTLMv2

    Select the Use NTLMv2 check box.

    This option forces MSDE connections to use the NTLMv2 protocol when they communicate with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.

    If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication.

    Use SSL

    If your connection supports SSL communication, select Use SSL . This option requires extra configuration on your Endpoint Protection database and also requires administrators to configure certificates on both appliances.

    Note

    Selecting a value greater than 5 for the Credibility parameter weights your Microsoft EndPoint Protection log source with a higher importance compared to other log sources in JSA.

  9. Click Save.
  10. On the Admin tab, click Deploy Changes.

    The Microsoft EndPoint Protection configuration is complete.