Endpoint Protection

  • 1.  IPS reporting and alerting

    Posted Mar 06, 2013 11:34 AM

    Is there any way to get meaningful reports and/or alerts on IPS blocks?

    I get email alerts when my users attempt to download a virus or one is detected on their system. But what about when the IPS prevents the user from seeing a Fake AV website or any of the other blocks? The IPS reports kind of blow also. All I see is the most rudimentary data in the report.

    Currently, I can log into SEPM and look at Monitors, see a list of IPS events, select them one at a time and hit Details. Only then do I get to see the URL that was blocked and the event detection.

    I'd like to be able to run reports as well as get individual email alerts for IPS.

    Obviously I'd have to tune it so it doesn't detect routine things like jabber.




  • 2.  RE: IPS reporting and alerting

    Posted Mar 06, 2013 11:39 AM

    You can create and export this as a log:

    Monitors page >> Logs tab >> for log type select Network Threat Protection >> set Log content to Attacks and click View Log. You can export to CSV and drop it into Excel.



  • 3.  RE: IPS reporting and alerting
    Best Answer

    Posted Mar 07, 2013 09:16 AM

    You can also create a notification condition for NTP events here, from Monitors -> Notification conditions -> Add.. -> create a new notification (client security alert) for the NTP type. Here are the detailed instructions:

    To Create a Network Threat Protection administrative notification:

    1. In the management console, click Monitors.
    2. On the Notifications tab, click Notification Conditions.
    3. Click Add and select Client security alert.
    4. Type in a name for this notification.
    5. If you want to limit this notification to specific domains, groups, servers, or computers, specify the filter options that you want.
    6. To further filter when the notification is sent, select one of the following outbreak types:
      • Occurrences on distinct computers
      • Occurrences on any computer
      • Occurrences on single computer
    7. To specify the type of Network Threat Protection activity, check one of the following check boxes:
      • For the attacks and events that the firewall detects or the Intrusion Prevention signatures detect, check Network Threat Protection events
      • For the firewall rules that are triggered and recorded in the Packet Log, check Packet events
      • For the firewall rules that are triggered and recorded in the Traffic Log, check Traffic events
    8. If desired, change the default notification conditions to set the number of occurrences within the number of minutes that you want to trigger this notification.
    9. Check Send email to, and then type in the email addresses of the people that you want to notify when these criteria are met.
    10. Click OK.


    The Send Email Alert option in the Logging column of the Firewall Policy Rules list is now operational.
    When this notification is triggered, email is sent.
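    Once the Attacks log has been exported to CSV (reply 2), the same rollup and threshold logic that the notification condition above applies (reply 3) can be reproduced offline to build the "meaningful" IPS report the original poster asked for. The script below is an added example, not SEPM's own code or output: the CSV header and sample rows are constructed for illustration, and the column names are an assumption about the export format, so map them to the real header of your export.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of an exported Attacks log. The column names are an
# assumption for this example, not SEPM's real export header.
SAMPLE_CSV = """Time,Computer,Event Type,Signature,Remote Host,URL
2013-03-06 09:01:10,WS-01,Intrusion Prevention,Fake AV Website,203.0.113.7,http://fakeav.example/landing
2013-03-06 09:02:30,WS-01,Intrusion Prevention,Fake AV Website,203.0.113.7,http://fakeav.example/landing
2013-03-06 09:03:05,WS-01,Intrusion Prevention,Fake AV Website,203.0.113.7,http://fakeav.example/landing
2013-03-06 09:15:00,WS-02,Intrusion Prevention,Jabber Traffic,192.0.2.20,
2013-03-06 10:40:00,WS-03,Intrusion Prevention,Malicious Site,198.51.100.9,http://bad.example/x
"""

# Signatures that are routine here and should not alert (the poster's jabber case).
IGNORED_SIGNATURES = {"Jabber Traffic"}

def load_ips_events(csv_text):
    """Parse the export and keep only IPS rows that are not tuned out."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Event Type"] != "Intrusion Prevention":
            continue
        if row["Signature"] in IGNORED_SIGNATURES:
            continue
        row["Time"] = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return events

def blocks_per_signature(events):
    """Report rollup: how many blocks each signature produced."""
    return dict(Counter(e["Signature"] for e in events))

def single_computer_alerts(events, occurrences, minutes):
    """Mirror the 'occurrences on single computer within N minutes' condition
    from the notification setup: return computers that hit the threshold."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["Time"]):
        per_host[e["Computer"]].append(e["Time"])
    window = timedelta(minutes=minutes)
    alerted = []
    for host, times in per_host.items():
        # sliding window over this host's sorted timestamps
        for i in range(len(times) - occurrences + 1):
            if times[i + occurrences - 1] - times[i] <= window:
                alerted.append(host)
                break
    return alerted
```

With the sample data, three Fake AV blocks on WS-01 inside five minutes trip a "3 occurrences in 5 minutes" condition, while the tuned-out jabber signature never counts.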



  • 4.  RE: IPS reporting and alerting

    Posted Mar 11, 2013 02:24 PM

    Thanks, I didn't think to export it.

    I set up the alerts as well.