Microsoft SCEP¶
About¶
Endpoint Protection manages antimalware policies and Windows Defender Firewall security for client computers in a Configuration Manager hierarchy. Beginning with Windows 10 and Windows Server 2016, Microsoft Defender Antivirus is already installed; on those operating systems, a management client for Microsoft Defender Antivirus is installed along with the Configuration Manager client. On Windows 8.1 and earlier, the Endpoint Protection client itself is installed with the Configuration Manager client. The events this parser handles are therefore Configuration Manager component log lines (for example from SMS_COLLECTION_EVALUATOR), not Defender alerts in their native format.
Product Details¶
Vendor URL: Microsoft SCEP
Product Type: Antivirus
Product Tier: Tier I
Integration Method: Syslog
Integration URL: Microsoft SCEP Log Forwarding
Log Guide: N/A
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 90%
Data Label: MICROSOFT_SCEP
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
description | metadata.description |
details | security_result.description |
Microsoft (constant, not a log field) | metadata.vendor_name |
observer | observer.hostname |
product_event (the component name in the `$$<...>` block) | metadata.product_event_type |
SCEP (constant, not a log field) | metadata.product_name |
summary | security_result.summary |
target_file | target.file.full_path |
thread (decimal thread id from `<thread=N (0xHEX)>`) | metadata.product_log_id |
Product Event Types¶
product_event | UDM Event Classification |
---|---|
all others | GENERIC_EVENT |
Log Sample¶
Results refreshed for collection collection, 0 entries changed. $$<SMS_COLLECTION_EVALUATOR><12-19-2022 16:51:21.461+300><thread=20572 (0x505C)>
Sample Parsing¶
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Microsoft"
metadata.product_name = "System Center Configuration Manager"
metadata.product_event_type = "SMS_COLLECTION_EVALUATOR"
metadata.description = "Results refreshed for collection collection, 0 entries changed. "
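The following is an added example, not code from this page or from the parser it documents. It normalizes the Configuration Manager component log line shown above into the UDM field names listed in the table, and goes slightly beyond the page's sample by also accepting the full CMTrace form (`<![LOG[...]LOG]!><time=... date=... component=... thread=...>`) that ConfigMgr writes to its .log files. Both input lines are constructed for the example. The timestamp handling assumes the CMTrace convention that the number after the time is the Windows time-zone bias in minutes (UTC = local + bias, so +300 is UTC-5). Where the page disagrees with itself on the product name (the table says `SCEP`, the sample parsing says `System Center Configuration Manager`), the example follows the sample parsing; `normalization_rate` is a hypothetical helper that measures what the page calls the normalization rate over a batch of lines.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not captured from a real host). SHORT_FORM mirrors the
# log sample on this page; FULL_FORM is the same hypothetical event in the full
# CMTrace form ConfigMgr writes to its .log files.
SHORT_FORM = ("Results refreshed for collection collection, 0 entries changed. "
              "$$<SMS_COLLECTION_EVALUATOR><12-19-2022 16:51:21.461+300><thread=20572 (0x505C)>")
FULL_FORM = ('<![LOG[Results refreshed for collection collection, 0 entries changed. ]LOG]!>'
             '<time="16:51:21.461+300" date="12-19-2022" component="SMS_COLLECTION_EVALUATOR" '
             'context="" type="1" thread="20572" file="colleval.cpp:100">')

# Short form: <message>$$<component><MM-DD-YYYY HH:MM:SS.mmm+bias><thread=N (0xHEX)>
# The hex thread id is optional because not every component emits it.
SHORT_RE = re.compile(
    r"^(?P<message>.*?)\$\$<(?P<component>[^>]+)>"
    r"<(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{1,3})(?P<bias>[+-]\d+)>"
    r"<thread=(?P<thread>\d+)(?: \(0x[0-9A-Fa-f]+\))?>\s*$",
    re.DOTALL,
)
# Full CMTrace form: <![LOG[message]LOG]!><time="..." date="..." component="..." ... thread="..." ...>
FULL_RE = re.compile(
    r'^<!\[LOG\[(?P<message>.*?)\]LOG\]!><time="(?P<time>\d{2}:\d{2}:\d{2}\.\d{1,3})(?P<bias>[+-]\d+)"'
    r' date="(?P<date>\d{2}-\d{2}-\d{4})" component="(?P<component>[^"]*)"'
    r'.*?thread="(?P<thread>\d+)"',
    re.DOTALL,
)

# Constants the parser hardcodes; they are not read from the log line.
VENDOR = "Microsoft"
PRODUCT = "System Center Configuration Manager"  # value used in the page's sample parsing


def to_utc(date, time, bias):
    """Combine the ConfigMgr date, time and trailing bias into an aware UTC datetime.

    Assumption (CMTrace convention): the number after the time is the Windows
    time-zone bias in minutes, so UTC = local + bias and "+300" means UTC-5.
    """
    local = datetime.strptime(f"{date} {time}", "%m-%d-%Y %H:%M:%S.%f")
    return (local + timedelta(minutes=int(bias))).replace(tzinfo=timezone.utc)


def parse_scep_line(line):
    """Normalize one log line into a flat dict keyed by the UDM field names on this page."""
    event = {
        "metadata.event_type": "GENERIC_EVENT",  # every product_event maps to GENERIC_EVENT
        "metadata.vendor_name": VENDOR,
        "metadata.product_name": PRODUCT,
    }
    m = SHORT_RE.match(line) or FULL_RE.match(line)
    if m is None:
        # Keep lines that match neither form instead of dropping them: the raw text
        # becomes the description so nothing silently disappears from the pipeline.
        event["metadata.description"] = line
        return event
    event["metadata.description"] = m.group("message")
    event["metadata.product_event_type"] = m.group("component")   # product_event
    event["metadata.product_log_id"] = m.group("thread")           # decimal thread id
    event["metadata.event_timestamp"] = to_utc(
        m.group("date"), m.group("time"), m.group("bias")).isoformat()
    return event


def normalization_rate(lines):
    """Fraction of lines that matched a known format (hypothetical helper)."""
    if not lines:
        return 0.0
    parsed = sum(1 for l in lines if "metadata.product_event_type" in parse_scep_line(l))
    return parsed / len(lines)


if __name__ == "__main__":
    batch = [SHORT_FORM, FULL_FORM, "username"]
    for line in batch:
        print(json.dumps(parse_scep_line(line), indent=2))
    print(f"normalization rate: {normalization_rate(batch):.0%}")
```

Running it reproduces the Sample Parsing values above for both input forms (the trailing space in `metadata.description` is preserved, as in the sample) and additionally fills `metadata.product_log_id` from the `thread` field and `metadata.event_timestamp` as `2022-12-19T21:51:21.461000+00:00`. The bare `username` line shows the fallback path: it still becomes a GENERIC_EVENT, but without a product_event_type, which is what the normalization-rate figure on this page counts against.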
Parser Alerting¶
This product currently does not have any Parser-based Alerting.
Rules¶
Coming Soon