Microsoft Endpoint Protection
The Microsoft Endpoint Protection DSM for JSA can collect malware detection events.
Malware detection events are retrieved by JSA by configuring the JDBC protocol. Adding malware detection events to JSA gives the capability to monitor and detect malware infected computers in your deployment.
Malware detection events include the following event types:
Site name and the source from which the malware was detected.
Threat name, threat ID, and severity.
User ID associated with the threat.
Event type, time stamp, and the cleaning action that is taken on the malware.
The Microsoft Endpoint Protection DSM uses JDBC to poll an SQL database for malware detection event data. This DSM does not automatically discover. To integrate Microsoft EndPoint Protection with JSA, take the following steps:
If your database is not configured with Predefined Query, create an SQL database view for JSA with the malware detection event data.
Configure a JDBC log source to poll for events from the Microsoft EndPoint Protection database.
Ensure that no firewall rules are blocking communication between JSA and the database that is associated with Microsoft EndPoint Protection.
Microsoft Endpoint Protection JDBC Log Source Parameters for Predefined Database Queries
Administrators who do not have permission to create a database view because of policy restrictions can collect Microsoft Endpoint Protection events with a log source that uses predefined queries.
Predefined queries are customized statements that can join data from separate tables when the database is polled by the JDBC protocol. To successfully poll for audit data from the Microsoft Endpoint Protection database, create a new user or provide the log source with existing user credentials. For more information about creating a user account, see (https://www.microsoft.com).
If you use network segregation to separate networks, using a predefined query might cause duplicate events. Use your own query.
When using the JDBC protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect JDBC events from Microsoft Endpoint Protection:
Table 1: Microsoft Endpoint Protection JDBC Parameters
Log Source Name
Type a unique name for the log source.
Log Source Description (Optional)
Type a description for the log source.
Log Source Type
Microsoft Endpoint Protection
Log Source Identifier
Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol.
If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2.
The name of the database to which you want to connect.
IP or Hostname
Type the IP address or host name of the Microsoft Endpoint Protection SQL Server.
Type the port number that is used by the database server. The default port for MSDE is 1433.
The JDBC configuration port must match the listener port of the Microsoft Endpoint Protection database. The Microsoft Endpoint Protection database must have incoming TCP connections that are enabled to communicate with JSA.
If you define a Database Instance when you use MSDE as the database type, you must leave the Port field blank in your configuration.
Type the user name the log source can use to access the Microsoft Endpoint Protection database.
Type the password the log source can use to access the Microsoft Endpoint Protection database.
The password can be up to 255 characters in length.
Confirm the password that is used to access the database. The confirmation password must be identical to the password entered in the Password field.
If you did not select Use Microsoft JDBC, Authentication Domain is displayed.
If you select MSDE as the Database Type and the database is configured for Windows Authentication, you must populate the Authentication Domain field. Otherwise, leave this field blank.
If you have multiple SQL server instances on your database server, type the database instance.
If you use a non-standard port in your database configuration, or block access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.
From the list, select Microsoft Endpoint Protection.
The name of the table or view that includes the event records. The table name can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).
The list of fields to include when the table is polled for events. You can use a comma-separated list or type an asterisk (*) to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field that is defined in the Compare Field.
A numeric value or time stamp field from the table or view that identifies new events that are added to the table between queries. Enables the protocol to identify events that were previously polled by the protocol to ensure that duplicate events are not created.
Use Prepared Statements
Select the Use Prepared Statements check box.
Prepared statements enable the JDBC protocol source to set up the SQL statement, and then run the SQL statement numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statement.
Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.
Start Date and Time (Optional)
Type the start date and time for database polling.
The Start Date and Time parameter must be formatted as yyyy-MM-dd HH: mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.
Type the polling interval, which is the amount of time between queries to the view you created. The default polling interval is 10 seconds.
You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds.
Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 20000 EPS.
Use Named Pipe Communication
If you did not select Use Microsoft JDBC, Use Named Pipe Communication is displayed.
MSDE databases require the user name and password field to use a Windows authentication user name and password and not the database user name and password. The log source configuration must use the default that is named pipe on the MSDE database.
Database Cluster Name
If you selected the Use Named Pipe Communication, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.
If you did not select Use Microsoft JDBC, Use NTLMv2 is displayed.
Select the Use NTLMv2 check box.
This option forces MSDE connections to use the NTLMv2 protocol when it communicates with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.
If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication.
Use Microsoft JDBC
If you want to use the Microsoft JDBC driver, you must enable Use Microsoft JDBC.
If your connection supports SSL communication, select Use SSL. This option requires extra configuration on your Endpoint Protection database and also requires administrators to configure certificates on both appliances.
Microsoft SQL Server Hostname
If you selected Use Microsoft JDBC and Use SSL, the Microsoft SQL Server Hostname parameter is displayed.
You must type the host name for the Microsoft SQL server.