FEP 2010 Security Management Pack Reporting

Applies To: Forefront Endpoint Protection

You can build your own report queries by using any reporting solution that can connect to the SQL Server Data Warehouse, such as Microsoft Excel 2010 or Microsoft SQL Server Reporting Services. Forefront Endpoint Protection sample reports in Microsoft Excel 2010 format can be downloaded from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=207731). If you use Excel to build your report queries, note that Microsoft Excel 2010 limits the server name in the Login dialog box to 23 characters; a longer name prevents existing connections to the Data Warehouse from refreshing. If the server name of your Data Warehouse server contains more than 23 characters, you must open the existing connections and replace the FQDN of the server with the NetBIOS name.

Before you can use the Reporting feature, you need to install and properly configure the required reporting components for Operations Manager. The Reporting feature for the FEP Security Management Pack is supported on System Center Operations Manager R2. For more information about installing the reporting components on System Center Operations Manager R2, see the Operations Manager 2007 Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=206502). For information about how to create, customize, and use reports, see Creating Reports (https://go.microsoft.com/fwlink/?LinkId=150369) in the Operations Manager 2007 R2 User’s Guide. For information about how to manage reporting in Operations Manager, see Managing Reporting in Operations Manager 2007 (https://go.microsoft.com/fwlink/?LinkId=206499).

FEP Health and Deployment Status Schema

The table below shows the schema for the FEP Health and Deployment Status view. You can reference this table when creating custom reports.

RowId
  Description: Key into the Event.vEvent table in the Operations Manager Data Warehouse.
  SQL datatype: uniqueidentifier
  Format: GUID in string form

Host
  Description: FQDN of the computer.
  SQL datatype: nvarchar(255)
  Format: String (FQDN)

TimeStamp
  Description: Date/time value representing the time that the record was written to the data warehouse.
  SQL datatype: datetime
  Format: DateTime

DeploymentState
  Description: Enumerated value describing the deployment status. Valid values are:
    • Unknown
    • Never installed
    • Removed
    • Installation canceled by user
    • Reboot required
  SQL datatype: nvarchar(max)
  Format: String (enumeration)

ProtectionStatus
  Description: Enumerated value describing the state of the AM protection. Valid values are:
    • Unknown
    • On
    • Off
  SQL datatype: nvarchar(max)
  Format: String (enumeration)

LastQuickScanAge
  Description: Elapsed time, in days, since the last quick scan was performed on the computer. 0 if no data is available.
  SQL datatype: nvarchar(max)
  Format: String (integer)

LastFullScanAge
  Description: Elapsed time, in days, since the last full scan was performed on the computer. 0 if no data is available.
  SQL datatype: nvarchar(max)
  Format: String (integer)

RTPStatus
  Description: Enumerated value describing the state of the real-time protection. Valid values are:
    • Unknown
    • On
    • Off
  SQL datatype: nvarchar(max)
  Format: String (enumeration)

FirewallStatus
  Description: Enumerated value describing the state of Windows Firewall. Valid values are:
    • Unknown
    • Uninstalled
    • On
    • Off
  SQL datatype: nvarchar(max)
  Format: String (enumeration)

NISStatus
  Description: Enumerated value describing the state of the Network Inspection System. Valid values are:
    • Unknown
    • Not Supported
    • On
    • Off
  SQL datatype: nvarchar(max)
  Format: String (enumeration)

AVSignaturesAge
  Description: Number of days since the last AV signature update.
  SQL datatype: nvarchar(max)
  Format: String (integer)

ASSignaturesAge
  Description: Number of days since the last AS signature update.
  SQL datatype: nvarchar(max)
  Format: String (integer)

AVSignaturesLastUpdateTime
  Description: Timestamp when the antivirus signatures were last updated.
  SQL datatype: nvarchar(max)
  Format: String (ISO 8601 timestamp)

ASSignaturesLastUpdateTime
  Description: Timestamp when the antispyware signatures were last updated.
  SQL datatype: nvarchar(max)
  Format: String (ISO 8601 timestamp)

EngineVersion
  Description: Version of the AM engine.
  SQL datatype: nvarchar(max)
  Format: String (version number)

FEPClientVersion
  Description: Version of the FEP client.
  SQL datatype: nvarchar(max)
  Format: String (version number)

AVSignaturesVersion
  Description: Version of the active antivirus signatures.
  SQL datatype: nvarchar(max)
  Format: String (version number)

ASSignaturesVersion
  Description: Version of the active antispyware signatures.
  SQL datatype: nvarchar(max)
  Format: String (version number)

NISSignaturesVersion
  Description: Version of the active Network Inspection System signatures.
  SQL datatype: nvarchar(max)
  Format: String (version number)

ActiveFEPPolicy
  Description: Policy name of the FEP XML policy that is applied to the machine. Note that this does not contain information about group policies that are applied to the machine. Group policy settings override FEP policy settings when there is a conflict.
  SQL datatype: nvarchar(max)
  Format: String

FEPPolicyAppliedTime
  Description: Timestamp of the last application of the FEP XML policy to the machine.
  SQL datatype: nvarchar(max)
  Format: String (ISO 8601 timestamp)
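A custom report query over this view, added here as an example and not taken from the FEP documentation. The view name HealthAndDeploymentStatusView is a placeholder (the page does not name the view), and the 3-day signature and 7-day scan thresholds are assumed values; the query shows how to pick the latest record per computer and how to convert the string-typed age fields without a conversion error aborting the report.

```sql
-- Added example, not from the FEP documentation. HealthAndDeploymentStatusView
-- is a placeholder for the real name of the FEP Health and Deployment Status
-- view in your Operations Manager Data Warehouse.
WITH LatestPerHost AS (
    -- The view stores one row per reported event, so keep only the most
    -- recently written record for each computer.
    SELECT
        Host, [TimeStamp], DeploymentState, ProtectionStatus, RTPStatus,
        NISStatus, FirewallStatus, FEPClientVersion,
        AVSignaturesAge, LastQuickScanAge,
        ROW_NUMBER() OVER (PARTITION BY Host ORDER BY [TimeStamp] DESC) AS rn
    FROM HealthAndDeploymentStatusView
),
Typed AS (
    -- Age fields are nvarchar(max) holding an integer. Convert only when the
    -- text is all digits, so a blank or malformed value becomes NULL instead
    -- of failing the whole query.
    SELECT
        Host, [TimeStamp], DeploymentState, ProtectionStatus, RTPStatus,
        NISStatus, FirewallStatus, FEPClientVersion,
        CASE WHEN AVSignaturesAge <> '' AND AVSignaturesAge NOT LIKE '%[^0-9]%'
             THEN CAST(AVSignaturesAge AS int) END AS AVSigAgeDays,
        CASE WHEN LastQuickScanAge <> '' AND LastQuickScanAge NOT LIKE '%[^0-9]%'
             THEN CAST(LastQuickScanAge AS int) END AS QuickScanAgeDays
    FROM LatestPerHost
    WHERE rn = 1
)
SELECT
    Host, [TimeStamp], DeploymentState, ProtectionStatus, RTPStatus,
    NISStatus, FirewallStatus, FEPClientVersion, AVSigAgeDays, QuickScanAgeDays,
    CASE
        WHEN ProtectionStatus = 'Off' THEN 'AM protection off'
        WHEN RTPStatus = 'Off'        THEN 'Real-time protection off'
        WHEN AVSigAgeDays > 3         THEN 'AV signatures older than 3 days'
        WHEN QuickScanAgeDays > 7     THEN 'No quick scan in the last 7 days'
        ELSE 'Protection state unknown'
    END AS Reason
FROM Typed
WHERE ProtectionStatus IN ('Off', 'Unknown')
   OR RTPStatus = 'Off'
   OR AVSigAgeDays > 3
   -- LastQuickScanAge is 0 both for "scanned today" and for "no data
   -- available", so a 0 is deliberately not reported as a finding.
   OR QuickScanAgeDays > 7
ORDER BY Reason, Host;
```

The same all-digits guard applies to LastFullScanAge and ASSignaturesAge if you extend the report.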

FEP Security Incidents Schema

The table below shows the FEP Security Incidents schema. You can reference this table when creating custom reports.

Type
  Description: Type of incident.
  SQL datatype: nvarchar(max)
  Format: String constant "SecurityIncident"

RowID
  Description: Key into the Event.vEvent table in the Operations Manager Data Warehouse.
  SQL datatype: uniqueidentifier
  Format: GUID in string form

Name
  Description: Descriptive information about the incident.
  SQL datatype: nvarchar(max)
  Format: String constant "MalwareInfection"

Description
  Description: Not used.
  SQL datatype: nvarchar(max)
  Format: String constant "NotImplemented"

TimeStamp
  Description: Date/time of the security incident.
  SQL datatype: datetime
  Format: DateTime

SchemaVersion
  Description: Database schema version.
  SQL datatype: nvarchar(max)
  Format: String constant "1.0"

Severity
  Description: Enumerated value describing the severity of the incident. Valid values are:
    • Unknown
    • Low
    • Moderate
    • High
    • Severe
  SQL datatype: nvarchar(max)
  Format: String (enumeration)

ObserverHost
  Description: Name of the computer where the incident occurred.
  SQL datatype: nvarchar(max)
  Format: String (FQDN)

ObserverUser
  Description: Name of the logged on user when the incident occurred, if the detection was in a process associated with a logged on user.
  SQL datatype: nvarchar(max)
  Format: String (domain\user)

ObserverProductName
  Description: Product name of the protection product that detected the incident.
  SQL datatype: nvarchar(max)
  Format: String constant "ForefrontEndpointProtection"

ObserverProductVersion
  Description: Product version of the protection product that detected the incident.
  SQL datatype: nvarchar(max)
  Format: String (version number)

ObserverProtectionType
  Description: Type of protection technology that detected the incident.
  SQL datatype: nvarchar(max)
  Format: String constant "AM"

ObserverProtectionVersion
  Description: Protection engine version information.
  SQL datatype: nvarchar(max)
  Format: String (version number)

ObserverProtectionSignatureVersion
  Description: Protection definitions version information.
  SQL datatype: nvarchar(max)
  Format: String (version number)

ObserverDetection
  Description: Enumerated value describing the method of detection. Valid values are:
    • Unknown
    • User Initiated Scan
    • System Initiated Scan
    • Real-Time Protection
    • IE Downloads and Outlook Express Attachments
  SQL datatype: nvarchar(max)
  Format: String (enumeration)

ObserverDetectionTime
  Description: Local time of detection on the machine where the incident occurred.
  SQL datatype: nvarchar(max)
  Format: String (ISO 8601 timestamp)

ActorHost
  Description: Not used.
  SQL datatype: nvarchar(max)
  Format: String constant NULL

ActorUser
  Description: Not used.
  SQL datatype: nvarchar(max)
  Format: String constant NULL

ActorProcess
  Description: Not used.
  SQL datatype: nvarchar(max)
  Format: String constant NULL

ActorResource
  Description: Not used.
  SQL datatype: nvarchar(max)
  Format: String constant NULL

ActionType
  Description: Type of security incident.
  SQL datatype: nvarchar(max)
  Format: String constant "MalwareInfection"

TargetHost
  Description: Name of the computer where the incident occurred.
  SQL datatype: nvarchar(max)
  Format: String (FQDN)

TargetUser
  Description: Name of the logged on user when the incident occurred, if the detection was in a process associated with a logged on user.
  SQL datatype: nvarchar(max)
  Format: String (domain\user)

TargetProcess
  Description: Name of the process that was attempting to access the infected file.
  SQL datatype: nvarchar(max)
  Format: String (image path name)

TargetResource
  Description: Threat name of the detected malware.
  SQL datatype: nvarchar(max)
  Format: String constant "Threat"

ClassificationType
  Description: Threat name of the detected malware.
  SQL datatype: nvarchar(max)
  Format: String constant "Threat"

ClassificationCategory
  Description: Enumerated value describing the threat category. Valid values are:
    • Invalid
    • Adware
    • Spyware
    • PasswordStealer
    • TrojanDownloader
    • Worm
    • Backdoor
    • RemoteAccessTrojan
    • Trojan
    • EmailFlooder
    • KeyLogger
    • Dialer
    • MonitoringSoftware
    • BrowserModifier
    • Cookie
    • BrowserPlugin
    • AolExploit
    • Nuker
    • SecuritySisabler
    • JokeProgram
    • HostileActivexControl
    • SoftwareBundler
    • StealthNotifier
    • SettingsModifier
    • Toolbar
    • RemoteControlSoftware
    • TrojanFftp
    • PotentialUnwantedSoftware
    • IcqExploit
    • TrojanTelnet
    • Exploit
    • FileSharingProgram
    • MalwareCreationTool
    • RemoteControlSoftwareTool
    • TrojanDenialOfService
    • TrojanDropper
    • TrojanMassmailer
    • TrojanMonitoringSoftware
    • TrojanProxyServer
    • Virus
    • Known
    • Unknown
    • Spp
    • Behavior
    • Vulnerabiltiy
    • Policy
  SQL datatype: nvarchar(max)
  Format: String (enumeration)

ClassificationID
  Description: Threat ID of the detected malware. This can be used to look up the malware on the Microsoft Malware Protection Center (https://go.microsoft.com/fwlink/?LinkId=206607).
  SQL datatype: nvarchar(max)
  Format: String (integer)

ClassificationSeverity
  Description: Enumerated value describing the severity of the detected threat. Valid values are:
    • Unknown
    • Low
    • Moderate
    • High
    • Severe
  SQL datatype: nvarchar(max)
  Format: String (enumeration)

RemediationType
  Description: Enumerated value describing the type of remediation that was performed.
  SQL datatype: nvarchar(max)
  Format: String (enumeration)

RemediationResult
  Description: Enumerated string containing a Boolean value describing whether the remediation action was successful. Valid values are:
    • True
    • False
  SQL datatype: nvarchar(max)
  Format: String (enumeration)

RemediationErrorCode
  Description: The error encountered during remediation.
  SQL datatype: nvarchar(max)
  Format: String (hexadecimal DWORD error code)

RemediationPendingAction
  Description: Enumerated value describing the action remaining to complete the remediation.
  SQL datatype: nvarchar(max)
  Format: String (enumeration)

IsActiveMalware
  Description: Enumerated string containing a Boolean value describing whether malware is active on the system. Valid values are:
    • True
    • False
  SQL datatype: nvarchar(max)
  Format: String (enumeration)
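Two report queries over this view for unresolved infections, added here as an example and not taken from the FEP documentation. The view name SecurityIncidentsView is a placeholder (the page does not name the view), the 7-day window is an assumed value, and the comparison of TimeStamp with GETDATE() assumes both are in the Data Warehouse server's time zone; the explicit severity ranking is needed because the enumeration is stored as text and sorts alphabetically otherwise.

```sql
-- Added example, not from the FEP documentation. SecurityIncidentsView is a
-- placeholder for the real name of the FEP Security Incidents view in your
-- Operations Manager Data Warehouse.

-- 1. Detail: incidents from the last 7 days where malware is still active or
--    remediation reported failure, worst severity first.
SELECT
    i.TargetHost,
    i.TargetUser,
    i.TargetProcess,              -- process that touched the infected file
    i.TargetResource,             -- threat name
    i.ClassificationID,           -- look up on the Malware Protection Center
    i.ClassificationCategory,
    i.ClassificationSeverity,
    i.ObserverDetection,
    i.ObserverDetectionTime,      -- endpoint local time, stored as text
    i.RemediationType,
    i.RemediationResult,
    i.RemediationErrorCode,       -- hexadecimal DWORD, stored as text
    i.RemediationPendingAction,
    i.IsActiveMalware,
    i.[TimeStamp]                 -- datetime of the incident in the warehouse
FROM SecurityIncidentsView AS i
WHERE i.[TimeStamp] >= DATEADD(day, -7, GETDATE())
  AND (i.IsActiveMalware = 'True' OR i.RemediationResult = 'False')
ORDER BY
    CASE i.ClassificationSeverity
        WHEN 'Severe'   THEN 0
        WHEN 'High'     THEN 1
        WHEN 'Moderate' THEN 2
        WHEN 'Low'      THEN 3
        ELSE 4                    -- 'Unknown'
    END,
    i.[TimeStamp] DESC;

-- 2. Rollup: per-computer counts for the same window, keeping only computers
--    that still have active malware (repeat detections stand out here).
SELECT
    TargetHost,
    COUNT(*)                                                         AS Incidents,
    SUM(CASE WHEN IsActiveMalware   = 'True'  THEN 1 ELSE 0 END)     AS StillActive,
    SUM(CASE WHEN RemediationResult = 'False' THEN 1 ELSE 0 END)     AS RemediationFailed,
    SUM(CASE WHEN ClassificationSeverity IN ('High', 'Severe')
             THEN 1 ELSE 0 END)                                      AS HighOrSevere,
    MAX([TimeStamp])                                                 AS LastIncident
FROM SecurityIncidentsView
WHERE [TimeStamp] >= DATEADD(day, -7, GETDATE())
GROUP BY TargetHost
HAVING SUM(CASE WHEN IsActiveMalware = 'True' THEN 1 ELSE 0 END) > 0
ORDER BY StillActive DESC, Incidents DESC;
```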