Microsoft Endpoint Protection
The Microsoft Endpoint Protection DSM for JSA can collect malware detection events.
JSA retrieves malware detection events through the JDBC protocol. Adding malware detection events to JSA lets you monitor for and detect malware-infected computers in your deployment.
Malware detection events include the following event types:
- Site name and the source from which the malware was detected.
- Threat name, threat ID, and severity.
- User ID associated with the threat.
- Event type, time stamp, and the cleaning action that is taken on the malware.
Configuration Overview
The Microsoft Endpoint Protection DSM uses JDBC to poll an SQL database for malware detection event data. This DSM does not support automatic discovery. To integrate Microsoft Endpoint Protection with JSA, take the following steps:
- If your database is not configured with Predefined Query, create an SQL database view for JSA with the malware detection event data.
- Configure a JDBC log source to poll for events from the Microsoft Endpoint Protection database.
- Ensure that no firewall rules are blocking communication between JSA and the database that is associated with Microsoft Endpoint Protection.
Creating a Database View
Microsoft Endpoint Protection uses SQL Server Management Studio (SSMS) to manage the Endpoint Protection SQL databases.
- Log in to the system that hosts your Microsoft Endpoint Protection SQL database.
- From the Start menu, select Run.
- Type the following command: ssms
- Click OK.
- Log in to your Microsoft Endpoint Protection database.
- From the Object Explorer, select Databases.
- Select your database and click Views.
- From the navigation menu, click New Query.
- In the Query pane, type the following Transact-SQL statement to create the database view:

```sql
create view dbo.MalwareView as
select n.Type, n.RowID, n.Name, n.Description, n.Timestamp, n.SchemaVersion,
       n.ObserverHost, n.ObserverUser, n.ObserverProductName, n.ObserverProductversion,
       n.ObserverProtectionType, n.ObserverProtectionVersion,
       n.ObserverProtectionSignatureVersion, n.ObserverDetection, n.ObserverDetectionTime,
       n.ActorHost, n.ActorUser, n.ActorProcess, n.ActorResource, n.ActionType,
       n.TargetHost, n.TargetUser, n.TargetProcess, n.TargetResource,
       n.ClassificationID, n.ClassificationType, n.ClassificationSeverity,
       n.ClassificationCategory, n.RemediationType, n.RemediationResult,
       n.RemediationErrorCode, n.RemediationPendingAction, n.IsActiveMalware,
       i.IP_Addresses0 as 'SrcAddress'
from v_AM_NormalizedDetectionHistory n, System_IP_Address_ARR i,
     v_RA_System_ResourceNames s, Network_DATA d
where n.ObserverHost = s.Resource_Names0
  and s.ResourceID = d.MachineID
  and d.IPEnabled00 = 1
  and d.MachineID = i.ItemKey
  and i.IP_Addresses0 like '%.%.%.%';
```

- From the Query pane, right-click and select Execute.

If the view is created, the following message is displayed in the results pane:
Command(s) completed successfully.
You are now ready to configure a log source in JSA.
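
Before the log source polls the view, it helps to give JSA its own read-only account and to look at what the view returns. The T-SQL below is an added example, not part of the original documentation; the database name EndpointProtectionDb, the login jsa_reader and the password placeholder are assumptions, and it assumes that dbo.MalwareView and its base objects share an owner so that ownership chaining applies.

```sql
-- Added example: least-privilege reader for dbo.MalwareView (run as a database administrator).
-- Assumed names: EndpointProtectionDb (your database), jsa_reader (login and user).
CREATE LOGIN jsa_reader
    WITH PASSWORD = N'<replace-with-a-long-random-password>',  -- placeholder, not a real secret
         CHECK_POLICY = ON;
GO
USE EndpointProtectionDb;  -- assumed name; use the database that holds dbo.MalwareView
GO
CREATE USER jsa_reader FOR LOGIN jsa_reader;
-- SELECT on the view only: no db_datareader, no grants on the base objects.
GRANT SELECT ON OBJECT::dbo.MalwareView TO jsa_reader;
GO

-- Impersonate the account to see what it can actually do.
EXECUTE AS USER = 'jsa_reader';

SELECT permission_name, subentity_name
FROM fn_my_permissions('dbo.MalwareView', 'OBJECT');

-- A 1 here means the account can also read a base object directly
-- (for example through a role membership); review its grants if so.
SELECT HAS_PERMS_BY_NAME('dbo.v_AM_NormalizedDetectionHistory', 'OBJECT', 'SELECT') AS reads_base_view,
       HAS_PERMS_BY_NAME('dbo.System_IP_Address_ARR', 'OBJECT', 'SELECT') AS reads_ip_table;

-- The view itself must return rows for this account.
SELECT TOP (5) RowID, [Timestamp], [Name], ClassificationSeverity, TargetHost, SrcAddress
FROM dbo.MalwareView
ORDER BY [Timestamp] DESC;

-- The view joins each detection to every matching address row of the host,
-- so one RowID can come back several times. List those before polling starts.
SELECT RowID,
       COUNT(*) AS rows_returned,
       COUNT(DISTINCT SrcAddress) AS distinct_addresses
FROM dbo.MalwareView
GROUP BY RowID
HAVING COUNT(*) > 1
ORDER BY rows_returned DESC;

REVERT;
GO
```

Rows listed by the last query would reach JSA as repeated events for the same detection, one per address row of the host.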
Microsoft Endpoint Protection JDBC Log Source Parameters for Predefined Database Queries
Administrators who do not have permission to create a database view because of policy restrictions can collect Microsoft Endpoint Protection events with a log source that uses predefined queries.
Predefined queries are customized statements that can join data from separate tables when the database is polled by the JDBC protocol. To successfully poll for audit data from the Microsoft Endpoint Protection database, create a new user or provide the log source with existing user credentials. For more information about creating a user account, see the Microsoft documentation (https://www.microsoft.com).
If you use network segregation to separate networks, a predefined query might cause duplicate events. In that case, use your own query instead.
When using the JDBC protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect JDBC events from Microsoft Endpoint Protection:
Parameter | Description |
---|---|
Log Source Name | Type a unique name for the log source. |
Log Source Description (Optional) | Type a description for the log source. |
Log Source Type | Microsoft Endpoint Protection |
Protocol Configuration | JDBC |
Log Source Identifier | Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2. |
Database Type | MSDE |
Database Name | The name of the database to which you want to connect. |
IP or Hostname | Type the IP address or host name of the Microsoft Endpoint Protection SQL Server. |
Port | Type the port number that is used by the database server. The default port for MSDE is 1433. The JDBC configuration port must match the listener port of the Microsoft Endpoint Protection database. The Microsoft Endpoint Protection database must have incoming TCP connections that are enabled to communicate with JSA. If you define a Database Instance when you use MSDE as the database type, you must leave the Port field blank in your configuration. |
Username | Type the user name the log source can use to access the Microsoft Endpoint Protection database. |
Password | Type the password the log source can use to access the Microsoft Endpoint Protection database. The password can be up to 255 characters in length. |
Confirm Password | Confirm the password that is used to access the database. The confirmation password must be identical to the password entered in the Password field. |
Authentication Domain | If you did not select Use Microsoft JDBC, Authentication Domain is displayed. If you select MSDE as the Database Type and the database is configured for Windows Authentication, you must populate the Authentication Domain field. Otherwise, leave this field blank. |
Database Instance | If you have multiple SQL server instances on your database server, type the database instance. If you use a non-standard port in your database configuration, or block access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration. |
Predefined Query | From the list, select Microsoft Endpoint Protection. |
Table Name | The name of the table or view that includes the event records. The table name can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.). |
Select List | The list of fields to include when the table is polled for events. You can use a comma-separated list or type an asterisk (*) to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field that is defined in the Compare Field. |
Compare Field | A numeric value or time stamp field from the table or view that identifies new events that are added to the table between queries. Enables the protocol to identify events that were previously polled by the protocol to ensure that duplicate events are not created. |
Use Prepared Statements | Select the Use Prepared Statements check box. Prepared statements enable the JDBC protocol source to set up the SQL statement, and then run the SQL statement numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements. Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements. |
Start Date and Time (Optional) | Type the start date and time for database polling. The Start Date and Time parameter must be formatted as yyyy-MM-dd HH:mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval. |
Polling Interval | Type the polling interval, which is the amount of time between queries to the view you created. The default polling interval is 10 seconds. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds. |
EPS Throttle | Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 20000 EPS. |
Use Named Pipe Communication | If you did not select Use Microsoft JDBC, Use Named Pipe Communication is displayed. MSDE databases require the user name and password field to use a Windows authentication user name and password and not the database user name and password. The log source configuration must use the default named pipe on the MSDE database. |
Database Cluster Name | If you selected Use Named Pipe Communication, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly. |
Use NTLMv2 | If you did not select Use Microsoft JDBC, Use NTLMv2 is displayed. Select the Use NTLMv2 check box. This option forces MSDE connections to use the NTLMv2 protocol when it communicates with SQL servers that require NTLMv2 authentication. The default value of the check box is selected. If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication. |
Use Microsoft JDBC | If you want to use the Microsoft JDBC driver, you must enable Use Microsoft JDBC. |
Use SSL | If your connection supports SSL communication, select Use SSL. This option requires extra configuration on your Endpoint Protection database and also requires administrators to configure certificates on both appliances. |
Microsoft SQL Server Hostname | If you selected Use Microsoft JDBC and Use SSL, the Microsoft SQL Server Hostname parameter is displayed. You must type the host name for the Microsoft SQL server. |
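
Once the log source is enabled, the Port, Use SSL, Use Named Pipe Communication and authentication settings can be checked from the SQL Server side. The query below is an added example, not part of the original documentation; the login name jsa_reader and the address 192.0.2.10 are constructed placeholders for the Username parameter and for your JSA appliance, and the caller needs the VIEW SERVER STATE permission.

```sql
-- Added example: how is the log source really connecting to SQL Server?
DECLARE @jsa_login   sysname     = N'jsa_reader';   -- assumed: Username of the log source
DECLARE @jsa_address varchar(48) = '192.0.2.10';    -- constructed: address of the JSA appliance

SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       s.login_time,
       c.client_net_address,
       c.net_transport,     -- TCP or Named pipe: compare with Use Named Pipe Communication
       c.local_tcp_port,    -- compare with the Port parameter
       c.auth_scheme,       -- SQL, NTLM or KERBEROS
       c.encrypt_option,    -- TRUE when the session is encrypted (Use SSL)
       CASE WHEN c.encrypt_option = 'FALSE'
            THEN 'credentials and events cross the network unencrypted'
            ELSE 'encrypted'
       END AS transport_finding,
       CASE WHEN c.client_net_address <> @jsa_address
            THEN 'login used from a host other than the JSA appliance'
            ELSE 'expected source'
       END AS source_finding
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
  ON c.session_id = s.session_id
WHERE s.login_name = @jsa_login
ORDER BY s.login_time DESC;
```

The query shows only sessions that are open at that moment, so run it a few times across a polling interval if it returns no rows.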