Adrian
Adrian commented
We should have better flexibility and customizability for SCEP alert capabilities. We can customize many notifications in SCOM to include or remove content gathered by the agent on a specific incident. Being able to create custom or refine existing alert rules would put SCEP on par with every other major AV suite out there, as Symantec and McAfee do. We should also be able to specify the parties that should receive such alerts individually. This should be fast-tracked to the next release if not a feature patch. This is a major pivot point for governmental orgs that need to know what is happening, its severity, what was done, when it happened or how frequently, or other data that our cyber security teams deem necessary to evaluate the threat. The current alerting is insufficient to make an informed determination.
32 votes · Noted
Admin djam (Product Director, or Executive, Microsoft Endpoint Configuration Manager) responded
Can you give more examples? Definitely want to innovate in these areas.
Adrian commented
See https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/11635377-scep-malware-alerts-customized for what I believe is a better definition of the flexibility and customizability for SCEP alert capabilities most of us are looking for. We can customize many notifications in SCOM to include or remove content gathered by the agent on a specific incident. Being able to create custom or refine existing alert rules would put SCEP on par with every other major AV suite out there, as Symantec and McAfee do. We should also be able to specify the parties that should receive such alerts individually. This should be fast-tracked to the next release if not a feature patch. This is a major pivot point for governmental orgs that need to know what is happening, its severity, what was done, when it happened or how frequently, or other data that our cyber security teams deem necessary to evaluate the threat. The current alerting is insufficient to make an informed determination.
Here is an example of what a good alert looks like. This should be a minimum of what is sent. Currently the Defender alert notification does not include the file in all cases (process hits), the IP address of the system (hostname is ok, but the IP is not always static), a hash of the file (helps with searching for threat data), or the true actions of what was done on the threat. At the very least, the alert sent by SCCM should include any and ALL data that Defender reports to the event log on the machine. This is currently not true. Our cyber teams have to search for the log data to get more information that should be in the alert.
If you wanted to get one step ahead of the competition, create the ability to encrypt and zip the threat once quarantined to allow easy and safe retrieval and/or transmission of the threat for further analysis. Automating this encrypted submission to an internal team would be even better.