Microsoft System Center Endpoint Protection
Microsoft System Center Endpoint Protection (SCEP) is an enterprise anti-virus and anti-malware product, including a Windows Firewall manager. SCEP (formerly Forefront) is part of System Center, a workflow management solution for Windows-based IT environments. For more information, see the Endpoint Protection documentation on Microsoft Docs.
Microsoft SCEP writes events to Windows Event Log, file-based logs, and a Microsoft SQL Server database. All of these can be collected and parsed with NXLog Agent.
Microsoft System Center Endpoint Protection events in Windows Event Log
Microsoft SCEP events include custom data in the EventData field, as shown below. Unfortunately, all the values are labeled as Data, making it difficult to process by a SIEM or log analytics platform. However, with NXLog Agent, you can parse this data with a regular expression and assign meaningful field names to enrich the log records before forwarding them to their destination.
<Data>%%830</Data>
<Data>1.5.1937.0</Data>
<Data>{92224018-9446-4C2D-AFCB-EC4456B8859E}</Data>
<Data>10</Data>
<Data>%%843</Data>
<Data></Data>
<Data>C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>
<Data>DOMAIN</Data>
<Data>admin</Data>
<Data>S-1-5-21-314323950-2314161084-4234690932-1002</Data>
<Data>EICAR_Test_File</Data>
<Data>2147519003</Data>
<Data>5</Data>
<Data>42</Data>
<Data>http://go.microsoft.com/fwlink/?linkid=37020&name=EICAR_Test_File&threatid=2147519003</Data>
<Data>file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt</Data>
<Data></Data>
<Data></Data>
<Data>4</Data>
<Data>%%814</Data>
<Data>0</Data>
<Data>%%823</Data>
<Data></Data>
<Data></Data>
<Data>Severe</Data>
<Data>Virus</Data>
<Data></Data>
<Data></Data>
This configuration uses the im_msvistalog module to collect FCSAM client logs from Windows Event Log. This module parses the events, resulting in an $EventData field containing all <Data> entries, as explained above.
Several regular expressions are defined to extract values from the $EventData field based on the event ID. The regular expressions use named capturing groups to assign values to fields depending on their position. For example, <Data>1.5.1937.0</Data> will be parsed into a $ClientVersion field with the value 1.5.1937.0.
This example includes regular expressions for parsing event IDs 3004, 3005, 5007, 5008, 1000, 1001, 1002, 1006, and 1007. Fields that are empty or do not contain valuable information are ignored.
You can further enhance the configuration by adding more regular expressions to parse other FCSAM client events, parsing multiple event IDs with a single regular expression, or splitting the parsing of an event into multiple regular expressions.
<Extension json>
Module xm_json
</Extension>
define FCSAMEvents 3004, 3005, 5007, 5008, 1000, 1001, 1002, 1006, 1007
define EventID_3004_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d{3}<\/Data> \
<Data><\/Data> \
<Data>(?<ProcessName>(\w{1}:\\.*\.exe))<\/Data> \
<Data>(?<Domain>([\w\d]+))<\/Data> \
<Data>(?<User>([\w\d]+))<\/Data> \
<Data>(?<SID>(S-[\d\-]+))<\/Data> \
<Data>(?<Filename>.*)<\/Data> \
<Data>(?<ID>(\d{9,11}))<\/Data> \
<Data>(?<SeverityID>(\d{1,2}))<\/Data> \
<Data>(?<CategoryID>(\d{1,3}))<\/Data> \
<Data>(?<FWLink>(http.*id=\d{10}))<\/Data> \
<Data>(?<PathFound>(file:\w{1}:.*\.\w{2,4}))<\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d+<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d+<\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data>(?<Severity>(\w+))<\/Data> \
<Data>(?<Category>(\w+))<\/Data>/
define EventID_3005_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data>(?<Domain>([\w\d]+))<\/Data> \
<Data>(?<User>([\w\d]+))<\/Data> \
<Data>(?<SID>(S-[\d\-]+))<\/Data> \
<Data>(?<Filename>.*)<\/Data> \
<Data>(?<ID>(\d{9,11}))<\/Data> \
<Data>(?<SeverityID>(\d{1,2}))<\/Data> \
<Data>(?<CategoryID>(\d{1,3}))<\/Data> \
<Data>(?<FWLink>(http.*id=\d{10}))<\/Data> \
<Data><\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d+<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d+<\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data>(?<Severity>(\w+))<\/Data> \
<Data>(?<Category>(\w+))<\/Data>/
define EventID_1000-1002_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d{3}<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d{3}<\/Data> \
<Data>(?<Domain>([\w\d]+))<\/Data> \
<Data>(?<User>([\w\d]+))<\/Data> \
<Data>(?<SID>(S-[\d\-]+))<\/Data>/
define EventID_5007_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<Old_value>.*)<\/Data> \
<Data>(?<New_value>.*)<\/Data> \
<Data><\/Data> \
<Data><\/Data>/
define EventID_5008_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<Resource>file(.*))<\/Data> \
<Data>\d{1} /
define EventID_1006_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d{3}<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d{3}<\/Data> \
<Data>(?<Domain>([\w\d]+))<\/Data> \
<Data>(?<User>([\w\d]+))<\/Data> \
<Data>(?<SID>(S-[\d\-]+))<\/Data> \
<Data>(?<Filename>.*)<\/Data> \
<Data>(?<ID>(\d{9,11}))<\/Data> \
<Data>(?<SeverityID>(\d{1,2}))<\/Data> \
<Data>(?<CategoryID>(\d{1,3}))<\/Data> \
<Data>(?<FWLink>(http.*id=\d{10}))<\/Data> \
<Data>(?<PathFound>(file:\w{1}:.*\.\w{2,4}))<\/Data> /
define EventID_1007_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d{3}<\/Data> \
<Data>\d+<\/Data> \
<Data><\/Data> \
<Data>(?<Domain>([\w\d]+))<\/Data> \
<Data>(?<User>([\w\d]+))<\/Data> \
<Data>(?<SID>(S-[\d\-]+))<\/Data> \
<Data>(?<Filename>.*)<\/Data> \
<Data>(?<ID>(\d{9,11}))<\/Data> \
<Data>(?<SeverityID>(\d{1,2}))<\/Data> \
<Data>(?<CategoryID>(\d{1,3}))<\/Data> \
<Data>(?<FWLink>(http.*id=\d{10}))<\/Data> /
<Input scep_fcsam>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Application">*[System[Provider[@Name='FCSAM']]]</Select>
<Select Path="Security">*[System[Provider[@Name='FCSAM']]]</Select>
<Select Path="System">*[System[Provider[@Name='FCSAM']]]</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
#Drop events not defined in FCSAMEvents
if ($EventID NOT IN (%FCSAMEvents%)) drop();
#1. Regex for EventID==3004 event in $EventData section.
else if ($EventID == 3004)
$EventData =~ %EventID_3004_REGEX%;
#2. Regex for EventID==3005 event in $EventData section.
else if ($EventID == 3005)
$EventData =~ %EventID_3005_REGEX%;
#3. Regex for 1000-1002 event in $EventData section.
else if ($EventID IN (1000, 1001, 1002))
$EventData =~ %EventID_1000-1002_REGEX%;
#4. Regex for EventID==5007 event in $EventData section.
else if ($EventID == 5007)
$EventData =~ %EventID_5007_REGEX%;
#5. Regex for EventID==5008 event in $EventData section.
else if ($EventID == 5008)
$EventData =~ %EventID_5008_REGEX%;
#6. Regex for EventID==1006 event in $EventData section.
else if ($EventID == 1006)
$EventData =~ %EventID_1006_REGEX%;
#7. Regex for EventID==1007 event in $EventData section.
else if ($EventID == 1007)
$EventData =~ %EventID_1007_REGEX%;
to_json();
</Exec>
</Input>
{
"EventTime": "2019-01-11T12:19:22.000000+01:00",
"Hostname": "Host.DOMAIN.local",
"Keywords": "36028797018963968",
"EventType": "WARNING",
"SeverityValue": 3,
"Severity": "Severe",
"EventID": 3004,
"SourceName": "FCSAM",
"TaskValue": 0,
"RecordNumber": 11595,
"ExecutionProcessID": 0,
"ExecutionThreadID": 0,
"Channel": "System",
"Message": "Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.\r\n For more information please see the following:\r\nhttp://go.microsoft.com/fwlink/?linkid=37020&name=EICAR_Test_File&threatid=2147519003\r\n \tScan ID: {92224018-9446-4C2D-AFCB-EC4456B8859E}\r\n \tAgent: On Access\r\n \tUser: DOMAIN\\admin\r\n \tName: EICAR_Test_File\r\n \tID: 2147519003\r\n \tSeverity: Severe\r\n \tCategory: Virus\r\n \tPath Found: file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt\r\n \tAlert Type: \r\n \tProcess Name: C:\\Program Files\\Mozilla Firefox\\firefox.exe\r\n \tDetection Type: Concrete\r\n \tStatus: Suspend",
"Opcode": "Info",
"EventData": "<Data>%%830</Data><Data>1.5.1937.0</Data><Data>{92224018-9446-4C2D-AFCB-EC4456B8859E}</Data><Data>10</Data><Data>%%843</Data><Data></Data><Data>C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data><Data>DOMAIN</Data><Data>admin</Data><Data>S-1-5-21-314323950-2314161084-4234690932-1002</Data><Data>EICAR_Test_File</Data><Data>2147519003</Data><Data>5</Data><Data>42</Data><Data>http://go.microsoft.com/fwlink/?linkid=37020&name=EICAR_Test_File&threatid=2147519003</Data><Data>file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt</Data><Data></Data><Data></Data><Data>4</Data><Data>%%814</Data><Data>0</Data><Data>%%823</Data><Data></Data><Data></Data><Data>Severe</Data><Data>Virus</Data><Data></Data><Data></Data>",
"EventReceivedTime": "2019-01-11T12:19:22.883100+01:00",
"SourceModuleName": "scep_fcsam",
"SourceModuleType": "im_msvistalog",
"Category": "Virus",
"CategoryID": "42",
"ClientVersion": "1.5.1937.0",
"FWLink": "http://go.microsoft.com/fwlink/?linkid=37020&name=EICAR_Test_File&threatid=2147519003",
"Filename": "EICAR_Test_File",
"ID": "2147519003",
"PathFound": "file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt",
"ProcessName": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
"SID": "S-1-5-21-314323950-2314161084-4234690932-1002",
"ScanID": "{92224018-9446-4C2D-AFCB-EC4456B8859E}",
"SeverityID": "5",
"User": "DOMAIN \\ admin"
}
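The regular expressions above work positionally: each named group is bound to the <Data> entry at a fixed offset from the ClientVersion entry, and the remaining entries are matched but discarded. The following added example (not NXLog's own code, and not part of the original page) re-implements that positional mapping in Python for the event IDs the configuration covers, using the same field names. The EventData string for the 3004 event is taken from the sample above; the 5007 sample in the test is constructed, and the validator patterns are an assumption drawn from the shapes the page's regexes constrain.

```python
"""Positional parser for FCSAM EventData, modelled on the NXLog regexes above."""
import re
from typing import Dict, List, Optional

DATA_RE = re.compile(r"<Data>(.*?)</Data>", re.DOTALL)
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

# Field positions as offsets from the ClientVersion entry, transcribed from the
# named groups in the page's EventID_*_REGEX definitions.
_DETECTION = {0: "ClientVersion", 1: "ScanID", 6: "Domain", 7: "User", 8: "SID",
              9: "Filename", 10: "ID", 11: "SeverityID", 12: "CategoryID", 13: "FWLink"}
FIELD_OFFSETS: Dict[int, Dict[int, str]] = {
    3004: {**_DETECTION, 5: "ProcessName", 14: "PathFound", 23: "Severity", 24: "Category"},
    3005: {**_DETECTION, 23: "Severity", 24: "Category"},
    1000: {0: "ClientVersion", 1: "ScanID", 6: "Domain", 7: "User", 8: "SID"},
    1006: {**_DETECTION, 14: "PathFound"},
    1007: dict(_DETECTION),
    5007: {0: "ClientVersion", 1: "Old_value", 2: "New_value"},
    5008: {0: "ClientVersion", 1: "Resource"},
}
FIELD_OFFSETS[1001] = FIELD_OFFSETS[1002] = FIELD_OFFSETS[1000]

# Sanity patterns (assumed here) for fields whose shape the page's regexes constrain.
VALIDATORS = {
    "ClientVersion": VERSION_RE,
    "ScanID": re.compile(r"^\{[\w-]+\}$"),
    "SID": re.compile(r"^S-[\d-]+$"),
    "ID": re.compile(r"^\d{9,11}$"),
}

# EventData of the 3004 event shown on this page, as one string.
SAMPLE_3004 = (
    "<Data>%%830</Data><Data>1.5.1937.0</Data>"
    "<Data>{92224018-9446-4C2D-AFCB-EC4456B8859E}</Data><Data>10</Data>"
    "<Data>%%843</Data><Data></Data>"
    "<Data>C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>"
    "<Data>DOMAIN</Data><Data>admin</Data>"
    "<Data>S-1-5-21-314323950-2314161084-4234690932-1002</Data>"
    "<Data>EICAR_Test_File</Data><Data>2147519003</Data><Data>5</Data><Data>42</Data>"
    "<Data>http://go.microsoft.com/fwlink/?linkid=37020&name=EICAR_Test_File&threatid=2147519003</Data>"
    "<Data>file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt</Data>"
    "<Data></Data><Data></Data><Data>4</Data><Data>%%814</Data><Data>0</Data><Data>%%823</Data>"
    "<Data></Data><Data></Data><Data>Severe</Data><Data>Virus</Data><Data></Data><Data></Data>"
)


def split_data(event_data: str) -> List[str]:
    """Return the text of every <Data> element, in order, empty entries included."""
    return DATA_RE.findall(event_data)


def parse_event_data(event_id: int, event_data: str) -> Optional[Dict[str, str]]:
    """Map <Data> entries to named fields for a supported FCSAM event ID.

    Returns None for unsupported IDs or when the layout does not validate,
    mirroring the NXLog regex, which sets no fields when it fails to match.
    """
    offsets = FIELD_OFFSETS.get(event_id)
    if offsets is None:
        return None
    entries = split_data(event_data)
    # The NXLog regexes are unanchored: they start matching at the ClientVersion
    # entry wherever it sits, so locate that entry and index relative to it.
    base = next((i for i, e in enumerate(entries) if VERSION_RE.match(e)), None)
    if base is None:
        return None
    fields: Dict[str, str] = {}
    for offset, name in offsets.items():
        idx = base + offset
        if idx >= len(entries):
            return None  # layout shorter than the regex expects: treat as no match
        value = entries[idx]
        pattern = VALIDATORS.get(name)
        if pattern and not pattern.match(value):
            return None
        if value:  # empty <Data></Data> entries carry nothing worth keeping
            fields[name] = value
    return fields


if __name__ == "__main__":
    for key, val in sorted((parse_event_data(3004, SAMPLE_3004) or {}).items()):
        print(f"{key}: {val}")
```

Because the field map is keyed by offset from the ClientVersion entry rather than by absolute position, the parser behaves like the unanchored NXLog regex when a leading resource-string entry (such as %%830) is present or absent. An event whose layout is shorter than expected, or whose SID or ScanID does not have the expected shape, yields no fields at all rather than misaligned ones, which is the failure mode to watch for when adding maps for further event IDs.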
Collecting Microsoft SCEP log files
The SCEP client creates log files in the %allusersprofile%\Microsoft\Microsoft Antimalware\Support directory.
Logging in these files provides information about:
- Definition updates
- Malware detection
- Monitoring alerts
2019-06-08T13:35:31.153Z Service started - System Center Endpoint Protection \
(DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)
2019-05-31T17:15:17.383Z Process scan (postsignatureupdatescan) started.
Signature updated via MMPC on 05-31-2019 19:15:17
In addition, you can also find SCEP client installation logs in %allusersprofile%\Microsoft\Microsoft Security Client\Support.
SUCCESS 2019/05/31 19:12:05:782 TID:4700 PID:4692
Setup ended successfully with result: The operation completed successfully. [00000000]
=== Verbose logging stopped: 5/31/2019 19:11:59 ===
MSI (s) (28:2C) [19:11:59:329]: Destroying RemoteAPI object.
The following configuration uses the im_file input module to collect Microsoft SCEP logs. Since the SCEP client writes log files in the UTF-16LE character encoding, the xm_charconv extension module is used to convert the input to UTF-8.
<Extension charconv>
Module xm_charconv
InputEncoding UTF-16LE
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input scep_client>
Module im_file
File 'C:\ProgramData\Microsoft\Microsoft Antimalware\Support\' + \
'MPDetection-*.log'
File 'C:\ProgramData\Microsoft\Microsoft Antimalware\Support\' + \
'MPLog-*.log'
File 'C:\ProgramData\Microsoft\Microsoft Security Client\Support\' + \
'EppSetup.log'
File 'C:\ProgramData\Microsoft\Microsoft Security Client\Support\' + \
'MSSecurityClient_Setup*.log'
InputType charconv.convert
<Exec>
file_name() =~ /(?<FileName>[^\\]+)$/;
if $FileName =~ /MPLog|MPDetection/
{
if $raw_event =~ /(.*\.\d{3}Z)\s+(.*)/
{
$EventTime = $1;
$Message = $2;
}
else
{
$Message = $raw_event;
}
}
if $FileName =~ /EppSetup/
{
if $raw_event =~ /(\w+)\s+(.*)\s+TID\:(\d+)\s+PID\:(\d+)/
{
$Status = $1;
$EventTime = $2;
$TID = $3;
$PID = $4;
}
else
{
$Message = $raw_event;
}
}
if $FileName =~ /MSSecurityClient_Setup/
{
if $raw_event =~ /.*\[(.*)\]\:(.*)/
{
$EventTime = $1;
$Message = $2;
}
else
{
$Message = $raw_event;
}
}
to_json();
</Exec>
</Input>
{
"EventReceivedTime": "2019-06-16T14:24:51.746591+02:00",
"SourceModuleName": "scep_client",
"SourceModuleType": "im_file",
"Filename": "MPDetection-05312019-191154.log",
"EventTime": "2019-06-08T13:35:31.153Z",
"Message": "Service started - System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)"
}
{
"EventReceivedTime": "2019-06-16T14:36:04.642769+02:00",
"SourceModuleName": "scep_client",
"SourceModuleType": "im_file",
"Filename": "MPLog-05312019-191154.log",
"EventTime": "2019-05-31T17:15:17.383Z",
"Message": "Process scan (postsignatureupdatescan) started."
}
{
"EventReceivedTime": "2019-06-16T14:39:07.127660+02:00",
"SourceModuleName": "scep_client",
"SourceModuleType": "im_file",
"Filename": "EppSetup.log",
"Status": "SUCCESS",
"EventTime": "2019/05/31 19:12:05:782",
"TID": "4700",
"PID": "4692"
}
{
"EventReceivedTime": "2019-06-16T14:39:07.127660+02:00",
"SourceModuleName": "scep_client",
"SourceModuleType": "im_file",
"Filename": "EppSetup.log",
"Message": "Setup ended successfully with result: The operation completed successfully."
}
{
"EventReceivedTime": "2019-06-16T14:22:17.824508+02:00",
"SourceModuleName": "scep_client",
"SourceModuleType": "im_file",
"Filename": "MSSecurityClient_Setup_4.7.213.0_epp_Install.log",
"Message": "=== Verbose logging stopped: 5/31/2019 19:11:59 ==="
}
{
"EventReceivedTime": "2019-06-16T14:22:17.824508+02:00",
"SourceModuleName": "scep_client",
"SourceModuleType": "im_file",
"Filename": "MSSecurityClient_Setup_4.7.213.0_epp_Install.log",
"EventTime": "19:11:59:329",
"Message": " Destroying RemoteAPI object."
}
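The <Exec> block above selects a regular expression by log file name and falls back to storing the whole line in $Message when the line does not match. The following added example (not NXLog's own code, and not part of the original page) reproduces that logic in Python, including the UTF-16LE conversion that xm_charconv performs. The sample log lines are those shown on this page; the file contents are constructed here and encoded as UTF-16LE with a byte-order mark, which is an assumption about how the SCEP client writes them.

```python
"""Parser for SCEP client log lines, mirroring the im_file/xm_charconv configuration above."""
import re
from typing import Dict, List

# Regexes transcribed from the <Exec> block; re.search is used because NXLog's =~ is unanchored.
TIMESTAMPED_RE = re.compile(r"(.*\.\d{3}Z)\s+(.*)")                    # MPLog / MPDetection
SETUP_STATUS_RE = re.compile(r"(\w+)\s+(.*)\s+TID:(\d+)\s+PID:(\d+)")  # EppSetup
MSI_RE = re.compile(r".*\[(.*)\]:(.*)")                                # MSSecurityClient_Setup
BASENAME_RE = re.compile(r"([^\\]+)$")                                 # file_name() regex


def decode_utf16le(data: bytes) -> List[str]:
    """Convert a UTF-16LE log file to text lines (what xm_charconv does), dropping the BOM."""
    text = data.decode("utf-16-le")
    if text.startswith("\ufeff"):
        text = text[1:]
    return [line for line in text.splitlines() if line.strip()]


def parse_line(path: str, raw_event: str) -> Dict[str, str]:
    """Apply the per-file regex; unmatched lines keep the raw text as Message."""
    file_name = BASENAME_RE.search(path).group(1)
    record = {"FileName": file_name}
    if re.search(r"MPLog|MPDetection", file_name):
        m = TIMESTAMPED_RE.search(raw_event)
        if m:
            record["EventTime"], record["Message"] = m.group(1), m.group(2)
        else:
            record["Message"] = raw_event
    elif "EppSetup" in file_name:
        m = SETUP_STATUS_RE.search(raw_event)
        if m:
            record["Status"], record["EventTime"], record["TID"], record["PID"] = m.groups()
        else:
            record["Message"] = raw_event
    elif "MSSecurityClient_Setup" in file_name:
        m = MSI_RE.search(raw_event)
        if m:
            record["EventTime"], record["Message"] = m.group(1), m.group(2)
        else:
            record["Message"] = raw_event
    else:
        record["Message"] = raw_event
    return record


def parse_file(path: str, data: bytes) -> List[Dict[str, str]]:
    """Decode one log file and parse every non-blank line."""
    return [parse_line(path, line) for line in decode_utf16le(data)]


def _utf16(text: str) -> bytes:
    # Constructed file contents: UTF-16LE with a leading BOM (assumed layout).
    return ("\ufeff" + text).encode("utf-16-le")


MPDETECTION_PATH = r"C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MPDetection-05312019-191154.log"
MPLOG_PATH = r"C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MPLog-05312019-191154.log"
EPPSETUP_PATH = r"C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetup.log"
MSI_PATH = r"C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.7.213.0_epp_Install.log"

# Constructed sample files built from the log lines shown on this page.
SAMPLE_FILES = {
    MPDETECTION_PATH: _utf16(
        "2019-06-08T13:35:31.153Z Service started - System Center Endpoint Protection "
        "(DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)\r\n"),
    MPLOG_PATH: _utf16(
        "2019-05-31T17:15:17.383Z Process scan (postsignatureupdatescan) started.\r\n"
        "Signature updated via MMPC on 05-31-2019 19:15:17\r\n"),
    EPPSETUP_PATH: _utf16(
        "SUCCESS 2019/05/31 19:12:05:782 TID:4700 PID:4692\r\n"
        "Setup ended successfully with result: The operation completed successfully. [00000000]\r\n"),
    MSI_PATH: _utf16(
        "=== Verbose logging stopped: 5/31/2019 19:11:59 ===\r\n"
        "MSI (s) (28:2C) [19:11:59:329]: Destroying RemoteAPI object.\r\n"),
}


if __name__ == "__main__":
    for path, data in SAMPLE_FILES.items():
        for rec in parse_file(path, data):
            print(rec)
```

Running the block prints one record per line. The two lines that carry no timestamp in the expected shape (the MMPC signature line and the "Verbose logging stopped" banner) come through with only FileName and Message, which matches the fall-back branches in the NXLog configuration; if decode_utf16le were skipped, every regex would fail because the raw bytes contain a NUL after each ASCII character.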
Collecting Microsoft SCEP database logs
Microsoft System Center Endpoint Protection also logs data to a Microsoft SQL Server database.
The following configuration uses the im_odbc input module to query the SCCM database. It defines two SQL queries collecting Last Malware alerts and AV Detection alerts.
<Extension json>
Module xm_json
</Extension>
<Input last_malware>
Module im_odbc
ConnectionString DSN=SMS;database=CM_CND;uid=user;pwd=password;
IdType timestamp
SQL SELECT DetectionTime as id,* \
FROM vEP_LastMalware \
WHERE DetectionTime > CAST(? AS datetime)
Exec to_json();
</Input>
<Input av_detections>
Module im_odbc
ConnectionString DSN=SMS;database=CM_CND;uid=user;pwd=password;
IdType timestamp
SQL SELECT DetectionTime as id,* \
FROM v_GS_Threats \
INNER JOIN v_R_System \
ON v_GS_Threats.ResourceID=v_R_System.ResourceID \
WHERE DetectionTime > CAST(? AS datetime)
Exec to_json();
</Input>
{
"id": "2019-06-20T18:21:14.050000+02:00",
"RecordID": 72057594037997950,
"MachineID": 16777219,
"LastMessageTime": "2019-06-20T18:21:22.597000+02:00",
"LastMessageSerialNumber": 102,
"DetectionTime": "2019-06-20T18:21:14.050000+02:00",
"ActionTime": "2019-06-20T18:21:22.573000+02:00",
"ProductVersion": "4.7.213.0",
"DetectionID": "6A70D85D-1AB0-4F20-BCAB-9B9CCEEA5ED5",
"DetectionSource": 1,
"PendingActions": 0,
"Process": "Unknown",
"UserID": 16777217,
"ThreatName": "Virus:DOS/EICAR_Test_File",
"ThreatID": 2147519003,
"SeverityID": 5,
"CategoryID": 42,
"Path": "file:_C:\\Users\\admin\\Downloads\\eicar.com;file:_C:\\Users\\admin\\Downloads\\eicar.com.txt",
"CleaningAction": 2,
"ExecutionStatus": 0,
"ActionSuccess": true,
"ErrorCode": 0,
"RemainingActions": 0,
"LastRemainingActionsCleanTime": null,
"EventReceivedTime": "2019-06-20T20:22:28.050844+02:00",
"SourceModuleName": "last_malware",
"SourceModuleType": "im_odbc"
}
Microsoft ceased support for System Center 2012 Endpoint Protection as of July 12, 2022. For more information, please refer to Microsoft System Center 2012 Endpoint Protection Lifecycle on Microsoft Docs.