Video Screencast Help

SEPM Console - allow viewing logs/reports using exclusions

Created: 20 Aug 2013
ShadowsPapa's picture
1 Agree
0 Disagree
+1 1 Vote
Login to vote

Example - SEPM console, Choose Monitors tab on left, then choose Logs tab at top. Choose log to view, example Network Threat Protection, then Attacks from the upper dropdown lists.
In the filter settings area titled "What filter settings would you like to use", add the ability to filter to the negative - meaning EXCLUDE certain IP addresses, computer names, hosts and so on.

If I wish to see all severity type Critical, but know in the last week that a computer has been having (or causing) a problem and generated hundreds of log entries, I'd like to filter so I can see all log entries EXCEPT those from that computer.
Example - What filter settings would you like to use, for Computer, add the ability to use < > or !=  meaning NOT equal to. I want to see all log entries for all computers EXCEPT "Joes-computer" I could put in the computer field   <>Joes-computer 

For IP address (remote and/or local) I should be able to enter "10.1.1.1-10.255.255.255, 11.2.3.3-11.3.255.255" or similar showing me the log entries related to all IP addresses within the shown ranges, or "<>10.1.2.* so show me anything except IP addresses in that range.

At this time I can only filter to the positive, and then a single choice. I have to choose to view several times to get all the information I need, or display it all, then export and delete unwanted information. This is very cumbersome and time consuming. I view the logs constantly through each day and to have to visually skip past or through known items is a lot of work.

Similar for application control. A computer got crazy and ended up with adware. Now every few minutes the computer's SEP service part (ccSvcHst.exe) tries to launch the adware installer again. Since we can't find why SEP's ccSvcHst.exe keeps attempting to launch something that no longer exists, we need to filter the logs to not display entries for that issue or computer. Allow us to view application control logs but display ALL computer entries EXCEPT for that computer with a SEP issue.