Video Screencast Help

Reports to Baseline "normal" behavior of SEP clients in your environment

Created: 08 May 2013 • Updated: 10 May 2013 | 3 comments
This issue has been solved. See solution.


We are trying to determine how to stop virus outbreak before it happens. In our environment, we maybe get one or two each year, and it is easily contained.

I am trying to determine the type of reports I should create to baseline normal behavior of SEP client. Normal meaning that there are no virus outbreaks, and anything that looks different means there is a sign there may be an outbreak on the horizon.

There are seven report types that are available

1. Application and Device Control

2. Audit

3. Computer Status

4. Network Threat Protection

5. Risk

6. Scan

7. System

So far, I narrowed it down to three reports we may want to look at

1. Network Threat Protection

2. Risk

3. Scan

But, I am stumped on how to break it down further. For instance Network Threat Protection: Traffic has many options (see attached).

Are there recommended metrics to use? Perhaps Symantec wrote about this, or there may be case studies on other organizations that have baselined their environment to detect when they are few steps away from a virus outbreak.

Any guidance is greatly appreciated.

Operating Systems:

Comments 3 CommentsJump to latest comment

ᗺrian's picture

I'm not sure of any recent metrics but here are a few that although older still apply:

Metrics using data from SEPM

Metrics using data from SEPM (Part2)

Metrics using data from SEPM (part three)

Looking at firewall log can be a tedious process. I like to look at outbound traffic to see what is going on and if my clients may be infected. If you can get it into a SIM it can help greatly. It really just comes down to you knowing what should and shouldn't be on your network in regards to traffic.

For risks, I usually look for patterns with users and who are repeat offenders. They then get put into quarantine where they can't do much.

I don't use the scan log that much other than to find machines which either cancelled their scan, didn't run one, or was interrupted.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

TORB's picture


Check out IT-analytics and its KPI feature. I would also recommend using IT-Analytics Pivot function to data mine the data compared to exporting to .Csv.