You can configure Endpoint Protection alerts in
Microsoft System Center 2012
Configuration Manager to notify administrative users when
specific security events occur in your hierarchy. Notifications
display in the Endpoint Protection dashboard in the
Configuration Manager console, in reports, and you can configure
them to be emailed to specified recipients.
Use the following steps and the supplemental procedures in this
topic to configure alerts for Endpoint Protection in
Configuration Manager.
 Important |
| You must have the Enforce Security permission for
collections to configure Endpoint Protection alerts. |
Steps to Configure Alerts for
Endpoint Protection in Configuration Manager
Use the following table for the steps, details, and
more information about how to configure alerts for
Endpoint Protection.
| Steps |
Details |
More information |
|
Step 1 (Optional): Configure email settings for
alerts.
|
Before you can configure email subscriptions for alerts, you
must configure an SMTP server in your hierarchy. An SMTP server can
only be specified at the top-level site of your Configuration
Manager hierarchy.
|
For more details, see Configuring Alerts in
Configuration Manager.
|
|
Step 2: Configure alerts by collection.
|
Configure the properties of a device collection and specify
settings for alerts.
|
For more details, see Step 2: Configure
Alerts by Collection in this topic.
|
|
Step 3 (Optional): Configure email subscriptions for
specific alerts.
|
Select the Endpoint Protection alerts in the
Monitoring workspace, and create subscriptions by specifying
email addresses to send the Endpoint Protection alerts.
|
For more details, see Configuring Alerts in
Configuration Manager.
|
Supplemental Procedures to Configure
Endpoint Protection in Configuration Manager
Use the following information when the steps in the
preceding table require supplemental procedures. These procedures
configure the alerts for Endpoint Protection.
Step 2: Configure Alerts by
Collection
-
In the Configuration Manager console, click Assets
and Compliance.
-
In the Assets and Compliance workspace, click
Device Collections.
-
In the Device Collections list, select the
collection for which you want to configure alerts, and then on the
Home tab, in the Properties group, click
Properties.
 Note |
| You cannot configure alerts for user collections. |
-
On the Alerts tab of the <Collection
Name>Properties dialog box, select View this
collection in the Endpoint Protection dashboard if you want to
view details about antimalware operations for this collection in
the Monitoring workspace of the Configuration Manager
console.
| Note |
| This option is unavailable for the All Systems
collection. |
-
On the Alerts tab of the <Collection
Name>Properties dialog box, click Add.
-
In the Add New Collection Alerts dialog box, in
the Generate an alert when these conditions apply section,
select the alerts that you want Configuration Manager to generate
when the specified Endpoint Protection events occur, and then
click OK.
-
In the Conditions list of the Alerts tab,
select each Endpoint Protection alert, and then specify the
following information:
- Alert Name – Accept the default name
or enter a new name for the alert.
- Alert Severity – In the list, select
the alert level to display in the Configuration Manager
console.
Depending on the alert that you select, specify the
following additional information.
| Alert name |
Additional information required |
|
Malware detection
|
This alert is generated if malware is detected on any computer
in the collection that you monitor.
Specify the following information to configure this alert:
Malware detection threshold: - specifies the malware
detection levels at which this alert is generated. In the list,
select one of the following:
- High – All detections - The alert is
generated when there are one or more computers in the specified
collection on which any malware is detected, regardless of what
action the Endpoint Protection client takes.
- Medium – Detected, pending action -
The alert is generated when there is one or more computers in the
specified collection on which malware is detected, and you must
manually remove the malware.
- Low – Detected, still active - The
alert is generated when there are one or more computers in the
specified collection on which malware is detected and is still
active.
|
|
Malware outbreak
|
This alert is generated if specified malware is detected on a
specified percentage of computers in the collection that you
monitor.
Specify the following information to configure this alert:
- Percentage of computers with malware
detected – The alert is generated when the percentage of
computers with malware that is detected in the collection exceeds
the percentage that you specify. Specify a percentage from 1
through 99.
| Note |
| The percentage value is based on the number of computers in the
collection, but excludes computers that do not have a Configuration
Manager client installed. It includes computers that do not yet
have the Endpoint Protection client installed. |
|
|
Repeated malware detection
|
This alert is generated if specific malware is detected more
than a specified number of times over a specified number of hours
on the computers in the collection that you monitor.
Specify the following information to configure this alert:
- Number of times malware has been
detected: - The alert is generated when the same malware is
detected on computers in the collection more than the specified
number of times. Specify a number from 2 through
32.
- Interval for detection (hours):
Specify the detection interval (in hours) in which the number of
malware detections must occur. Specify a number from 1
through 168.
|
|
Multiple malware detection
|
This alert is generated if more than a specified number of
malware types are detected over a specified number of hours on
computers in the collection that you monitor.
Specify the following information to configure this alert:
- Number of malware types detected: The
alert is generated when the specified number of different malware
types are detected on computers in the collection. Specify a number
from 2 through 32.
- Interval for detection (hours):
Specify the detection interval, in hours, in which the number of
malware detections must occur. Specify a number from 1
through 168.
|
-
Click OK to close the <Collection
Name>Properties dialog box.
See Also
