Endpoint Protection

  • 1.  want to view intrusion prevention "hits".

    Posted Aug 25, 2009 03:39 PM
    In policies, intrusion prevention policy, exceptions (bottom choice on the left in this policy) you can set it to block instead of allow certain things, like IM or P2P and other items normally allowed under this policy and group of settings. We disable IM in here, MSMSGR for example........
    I can't recall where to go to look to see if someone is trying it, or where it is logged - how to view any history there...........
    I see where someone is attempting to install such a product, and that's blocked of course, but where are the intrusion prevention policy, exceptions list hits logged?
    I've got a whopper of a headache and can't read through the indexes in all those manuals very well today................


  • 2.  RE: want to view intrusion prevention "hits".

    Posted Aug 25, 2009 04:21 PM
    I believe IPS logs are logged in the "security" log on the client.

    On SEPM, in the logs tab: log type > network threat protection, log content > attacks.
    Clicking on advanced settings, you can change the event type to intrusion prevention.


  • 3.  RE: want to view intrusion prevention "hits".

    Posted Aug 29, 2009 01:06 AM

    Hey ShadowsPapa.

    Yes, you can get that type of information.  It is where bjohn states; however, I find it easiest to simply export the log (NTP:Attacks) to a CSV file and use autofilter.  Look at the Event Description column and use a custom autofilter on that column looking for your IM or P2P application.

    If that doesn't help I will have (hopefully) an article posted later this weekend with how to pull data out of these CSV files that can be used for management reporting.

    Cheers!

    Jeff
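
The CSV filtering described in the reply above, as an added example that is not part of the original thread: it does the same "contains" match on the Event Description column and counts hits per computer. Only the "Event Description" column name comes from the thread; the "Time" and "Computer" columns, the keywords and all sample rows are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample standing in for an exported NTP:Attacks CSV. Only the
# "Event Description" column name comes from the thread; the other columns
# and every row below are assumptions made up for this example.
SAMPLE_EXPORT = (
    "\ufeffTime,Computer,Event Description\n"
    "2009-08-24 09:12,WS-014,MSN Messenger login blocked (constructed)\n"
    "2009-08-24 09:15,WS-014,MSN Messenger file transfer blocked (constructed)\n"
    '2009-08-24 10:02,WS-022,"BitTorrent peer traffic blocked, outbound (constructed)"\n'
    "2009-08-24 11:40,WS-031,Port scan detected (constructed)\n"
    "2009-08-25 08:05,WS-022,msn messenger login blocked (constructed)\n"
)


def count_hits(export, keywords, desc_col="Event Description", host_col="Computer"):
    """Count rows per (computer, keyword) whose description mentions a keyword."""
    reader = csv.DictReader(export)
    # Tolerate a UTF-8 byte-order mark and stray spaces in the header row.
    fields = [f.lstrip("\ufeff").strip() for f in (reader.fieldnames or [])]
    reader.fieldnames = fields
    if desc_col not in fields:
        raise KeyError(f"column {desc_col!r} not found; export has {fields}")
    hits = Counter()
    for row in reader:
        desc = (row.get(desc_col) or "").lower()
        for kw in keywords:
            if kw.lower() in desc:  # case-insensitive, like a "contains" autofilter
                hits[(row.get(host_col) or "unknown", kw)] += 1
    return hits


if __name__ == "__main__":
    # For a real export, pass open(path, newline="", encoding="utf-8-sig") instead.
    result = count_hits(io.StringIO(SAMPLE_EXPORT), ["MSN Messenger", "BitTorrent"])
    for (host, app), n in sorted(result.items()):
        print(f"{host}\t{app}\t{n}")
```
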