Microsoft

System Center Configuration Manager Feedback

Suggestion box powered by UserVoice

How can we improve Configuration Manager?

← Ideas

SCEP Malware Alerts - Customized

SCEP Malware Alerts - Customized
The ability to customize the text and have the ability to select which fields you wish to include within the Malware email alert.

80 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Anonymous shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

6 comments

Attach a File
Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    We noticed that the malware alerts often say NoAction Success, so we have to go to the console, where the Remediation status is Cleaned. This NoAction makes no sense. Also just today we had an alert that showed as Failed in the Malware Discovered list, but showed as Quarantined in the Infected report and in the Active Alert. Configman has a few places for malware alerts, but they seem to contradict each other.

  • Adrian commented  ·   ·  Flag as inappropriate

    Here is an example of what a good alert looks like. This should be a minimum of what is sent. Currently the Defender alert notification does not include the file in all cases (process hits), the IP address of the system (hostname is ok but the IP is not always static), a hash of the file (helps with searching for threat data), or true actions of what was done on the threat. At the very lease the alert sent by SCCM should include any and ALL data that Defender reports to the event log on the machine. This is currently not true. Our cyber teams have to search for the log data to get more information that should be in the alert.

    If you wanted to get one step ahead of the competition, create the ability to encrypt and zip the threat once quarantined to allow easy and safe retrieval and/or transmission of the threat for further analysis. Automating this encrypted submission to an internal team would be even better.

  • Adrian commented  ·   ·  Flag as inappropriate

    We should have better flexibility and customizability for SCEP alert capabilities. We can customize many notifications in SCOM to include or remove content gathered by the agent on a specific incident. Being able to create custom or refine existing alert rules would put SCEP on par with every other major AV suite out there like Symantec and McAfee does. We should also be able to specify parties which should receive such alerts individually. This should be fast tracked to the next release if not a feature patch. This is a major pivot point for governmental orgs that need to know what is happening, severity of it, what was done, when it happened or frequency, or other data that our cyber security teams deem necessary to evaluate the threat. The current alerting is insufficient to make an informed determination.

  • Erik Munson commented  ·   ·  Flag as inappropriate

    This is a basic feature that many of our custoers expect and is currently supported by competitive products. This would increase our products competitiveness.

  • Jeff Butte commented  ·   ·  Flag as inappropriate

    Multiple vendor AV products support alert customizations. This would increase competitiveness in the AV space by meeting key customer requirements.

  • Michael Indence commented  ·   ·  Flag as inappropriate

    I like to add to this comment and give an example similar to SCOM. In SCOM I can tailor subscription message to be very specific and customize the format. If we can get a option like that it would be much more effective. Working on a compete Mcafee easily does this. I need to be able to customize the message to include additional info and add additional content to the message body.

Ideas: Endpoint Protection

Categories

Feedback and Knowledge Base

(thinking…)