Microsoft

System Center Configuration Manager Feedback

Suggestion box powered by UserVoice

Adrian

My feedback

  1. 77 votes
    5 comments  ·  Ideas » Endpoint Protection
    Adrian commented  · 

    Here is an example of what a good alert looks like. This should be a minimum of what is sent. Currently the Defender alert notification does not include the file in all cases (process hits), the IP address of the system (hostname is ok but the IP is not always static), a hash of the file (helps with searching for threat data), or true actions of what was done on the threat. At the very least the alert sent by SCCM should include any and ALL data that Defender reports to the event log on the machine. This is currently not true. Our cyber teams have to search for the log data to get more information that should be in the alert.

    If you wanted to get one step ahead of the competition, create the ability to encrypt and zip the threat once quarantined to allow easy and safe retrieval and/or transmission of the threat for further analysis. Automating this encrypted submission to an internal team would be even better.

    Adrian commented  · 

    We should have better flexibility and customizability for SCEP alert capabilities. We can customize many notifications in SCOM to include or remove content gathered by the agent on a specific incident. Being able to create custom or refine existing alert rules would put SCEP on par with every other major AV suite out there, as Symantec and McAfee do. We should also be able to specify parties which should receive such alerts individually. This should be fast-tracked to the next release if not a feature patch. This is a major pivot point for governmental orgs that need to know what is happening, the severity of it, what was done, when it happened or how frequently, or other data that our cyber security teams deem necessary to evaluate the threat. The current alerting is insufficient to make an informed determination.

    Adrian supported this idea  · 
  2. 13 votes
    1 comment  ·  Ideas » Endpoint Protection
    Adrian supported this idea  · 
  3. 66 votes
    9 comments  ·  Ideas » Endpoint Protection
    Adrian supported this idea  · 
  4. 31 votes
    9 comments  ·  Ideas » Endpoint Protection
    Adrian commented  · 

    See https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/11635377-scep-malware-alerts-customized for what I believe is a better definition of the flexibility and customizability for SCEP alert capabilities most of us are looking for. We can customize many notifications in SCOM to include or remove content gathered by the agent on a specific incident. Being able to create custom or refine existing alert rules would put SCEP on par with every other major AV suite out there, as Symantec and McAfee do. We should also be able to specify parties which should receive such alerts individually. This should be fast-tracked to the next release if not a feature patch. This is a major pivot point for governmental orgs that need to know what is happening, the severity of it, what was done, when it happened or how frequently, or other data that our cyber security teams deem necessary to evaluate the threat. The current alerting is insufficient to make an informed determination.