Microsoft System Center Endpoint Protection
Microsoft System Center Endpoint Protection (SCEP) is an anti-virus and anti-malware product for Windows environments that includes a Windows Firewall manager. SCEP (formerly called Forefront) is integrated into System Center, an enterprise system management product comprised of multiple modules that manages a Windows-based enterprise IT environment. For more information, see the Endpoint Protection documentation on Microsoft Docs.
Because the SCEP client logs events to Windows Event Log, it is possible to collect these events with NXLog.
EventData field from Windows Event Log
Some of the event data is stored as custom data in the EventData field of the events, as shown below.
The values are not labeled, but this data can be parsed using regular expressions, if the proper field names are known.
EventData field (excerpt with line breaks added)
<Data>%%830</Data>
<Data>1.5.1937.0</Data>
<Data>{92224018-9446-4C2D-AFCB-EC4456B8859E}</Data>
<Data>10</Data>
<Data>%%843</Data>
<Data></Data>
<Data>C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>
<Data>DOMAIN</Data>
<Data>admin</Data>
<Data>S-1-5-21-314323950-2314161084-4234690932-1002</Data>
<Data>EICAR_Test_File</Data>
<Data>2147519003</Data>
<Data>5</Data>
<Data>42</Data>
<Data>http://go.microsoft.com/fwlink/?linkid=37020&name=EICAR_Test_File&threatid=2147519003</Data>
<Data>file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt</Data>
<Data></Data>
<Data></Data>
<Data>4</Data>
<Data>%%814</Data>
<Data>0</Data>
<Data>%%823</Data>
<Data></Data>
<Data></Data>
<Data>Severe</Data>
<Data>Virus</Data>
<Data></Data>
<Data></Data>Example 1. Collecting and parsing Microsoft Forefront (FCSAM) events from Windows Event Log
This configuration uses the im_msvistalog module to collect FCSAM client events from Windows Event Log.
This will result in an $EventData field in the event record containing <Data> entries similar to the previous example.
To extract values from the $EventData field, a regular expression is
selected based on the event ID. Then each <Data> entry is identified by
a combination of its position in the list and a pattern match on its value.
For example, the <Data>1.5.1937.0</Data> portion of the EventData string
is extracted and saved to the NXLog $ClientVersion field.
This example includes regular expressions for parsing event IDs 3004, 3005,
5007, 5008, 1000, 1001, 1002, 1006 and 1007. Some fields, which
are empty or otherwise do not contain useful data are skipped. The
configuration could be extended to parse other events logged by the FCSAM
client via adding more regular expressions, parsing multiple event IDs with a
single expression, and/or dividing the parsing into multiple expressions for a
single event.
nxlog.conf
<Extension _json>
Module xm_json
</Extension>
define FCSAMEvents 3004, 3005, 5007, 5008, 1000, 1001, 1002, 1006, 1007
define EventID_3004_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d{3}<\/Data> \
<Data><\/Data> \
<Data>(?<ProcessName>(\w{1}:\\.*\.exe))<\/Data> \
<Data>(?<Domain>([\w\d]+))<\/Data> \
<Data>(?<User>([\w\d]+))<\/Data> \
<Data>(?<SID>(S-[\d\-]+))<\/Data> \
<Data>(?<Filename>.*)<\/Data> \
<Data>(?<ID>(\d{9,11}))<\/Data> \
<Data>(?<SeverityID>(\d{1,2}))<\/Data> \
<Data>(?<CategoryID>(\d{1,3}))<\/Data> \
<Data>(?<FWLink>(http.*id=\d{10}))<\/Data> \
<Data>(?<PathFound>(file:\w{1}:.*\.\w{2,4}))<\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d+<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d+<\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data>(?<Severity>(\w+))<\/Data> \
<Data>(?<Category>(\w+))<\/Data>/
define EventID_3005_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data>(?<Domain>([\w\d]+))<\/Data> \
<Data>(?<User>([\w\d]+))<\/Data> \
<Data>(?<SID>(S-[\d\-]+))<\/Data> \
<Data>(?<Filename>.*)<\/Data> \
<Data>(?<ID>(\d{9,11}))<\/Data> \
<Data>(?<SeverityID>(\d{1,2}))<\/Data> \
<Data>(?<CategoryID>(\d{1,3}))<\/Data> \
<Data>(?<FWLink>(http.*id=\d{10}))<\/Data> \
<Data><\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d+<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d+<\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data><\/Data> \
<Data>(?<Severity>(\w+))<\/Data> \
<Data>(?<Category>(\w+))<\/Data>/
define EventID_1000-1002_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d{3}<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d{3}<\/Data> \
<Data>(?<Domain>([\w\d]+))<\/Data> \
<Data>(?<User>([\w\d]+))<\/Data> \
<Data>(?<SID>(S-[\d\-]+))<\/Data>/
define EventID_5007_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<Old_value>.*)<\/Data> \
<Data>(?<New_value>.*)<\/Data> \
<Data><\/Data> \
<Data><\/Data>/
define EventID_5008_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<Resource>file(.*))<\/Data> \
<Data>\d{1} /
define EventID_1006_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d{3}<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d{3}<\/Data> \
<Data>(?<Domain>([\w\d]+))<\/Data> \
<Data>(?<User>([\w\d]+))<\/Data> \
<Data>(?<SID>(S-[\d\-]+))<\/Data> \
<Data>(?<Filename>.*)<\/Data> \
<Data>(?<ID>(\d{9,11}))<\/Data> \
<Data>(?<SeverityID>(\d{1,2}))<\/Data> \
<Data>(?<CategoryID>(\d{1,3}))<\/Data> \
<Data>(?<FWLink>(http.*id=\d{10}))<\/Data> \
<Data>(?<PathFound>(file:\w{1}:.*\.\w{2,4}))<\/Data> /
define EventID_1007_REGEX /(?x) \
<Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
<Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
<Data>\d+<\/Data> \
<Data>\%\%\d{3}<\/Data> \
<Data>\d+<\/Data> \
<Data><\/Data> \
<Data>(?<Domain>([\w\d]+))<\/Data> \
<Data>(?<User>([\w\d]+))<\/Data> \
<Data>(?<SID>(S-[\d\-]+))<\/Data> \
<Data>(?<Filename>.*)<\/Data> \
<Data>(?<ID>(\d{9,11}))<\/Data> \
<Data>(?<SeverityID>(\d{1,2}))<\/Data> \
<Data>(?<CategoryID>(\d{1,3}))<\/Data> \
<Data>(?<FWLink>(http.*id=\d{10}))<\/Data> /
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Application">
*[System[Provider[@Name='FCSAM']]]</Select>
<Select Path="Security">*[System[Provider[@Name='FCSAM']]]</Select>
<Select Path="System">*[System[Provider[@Name='FCSAM']]]</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
#Drop events not defined in FCSAMEvents
if ($EventID NOT IN (%FCSAMEvents%)) drop();
#1. Regex for EventID==3004 event in $EventData section.
else if ($EventID == 3004)
$EventData =~ %EventID_3004_REGEX%;
#2. Regex for EventID==3005 event in $EventData section.
else if ($EventID == 3005)
$EventData =~ %EventID_3005_REGEX%;
#3. Regex for 1000-1002 event in $EventData section.
else if ($EventID IN (1000, 1001, 1002))
$EventData =~ %EventID_1000-1002_REGEX%;
#4. Regex for EventID==5007 event in $EventData section.
else if ($EventID == 5007)
$EventData =~ %EventID_5007_REGEX%;
#5. Regex for EventID==5008 event in $EventData section.
else if ($EventID == 5008)
$EventData =~ %EventID_5008_REGEX%;
#6. Regex for EventID==1006 event in $EventData section.
else if ($EventID == 1006)
$EventData =~ %EventID_1006_REGEX%;
#7. Regex for EventID==1007 event in $EventData section.
else if ($EventID == 1007)
$EventData =~ %EventID_1007_REGEX%;
to_json();
</Exec>
</Input>Event sample
{
"EventTime": "2019-01-11T12:19:22.000000+01:00",
"Hostname": "Host.DOMAIN.local",
"Keywords": "36028797018963968",
"EventType": "WARNING",
"SeverityValue": 3,
"Severity": "Severe",
"EventID": 3004,
"SourceName": "FCSAM",
"TaskValue": 0,
"RecordNumber": 11595,
"ExecutionProcessID": 0,
"ExecutionThreadID": 0,
"Channel": "System",
"Message": "Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.\r\n For more information please see the following:\r\nhttp://go.microsoft.com/fwlink/?linkid=37020&name=EICAR_Test_File&threatid=2147519003\r\n \tScan ID: {92224018-9446-4C2D-AFCB-EC4456B8859E}\r\n \tAgent: On Access\r\n \tUser: DOMAIN\\admin\r\n \tName: EICAR_Test_File\r\n \tID: 2147519003\r\n \tSeverity: Severe\r\n \tCategory: Virus\r\n \tPath Found: file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt\r\n \tAlert Type: \r\n \tProcess Name: C:\\Program Files\\Mozilla Firefox\\firefox.exe\r\n \tDetection Type: Concrete\r\n \tStatus: Suspend",
"Opcode": "Info",
"EventData": "<Data>%%830</Data><Data>1.5.1937.0</Data><Data>{92224018-9446-4C2D-AFCB-EC4456B8859E}</Data><Data>10</Data><Data>%%843</Data><Data></Data><Data>C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data><Data>DOMAIN</Data><Data>admin</Data><Data>S-1-5-21-314323950-2314161084-4234690932-1002</Data><Data>EICAR_Test_File</Data><Data>2147519003</Data><Data>5</Data><Data>42</Data><Data>http://go.microsoft.com/fwlink/?linkid=37020&name=EICAR_Test_File&threatid=2147519003</Data><Data>file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt</Data><Data></Data><Data></Data><Data>4</Data><Data>%%814</Data><Data>0</Data><Data>%%823</Data><Data></Data><Data></Data><Data>Severe</Data><Data>Virus</Data><Data></Data><Data></Data>",
"EventReceivedTime": "2019-01-11T12:19:22.883100+01:00",
"SourceModuleName": "in",
"SourceModuleType": "im_msvistalog",
"Category": "Virus",
"CategoryID": "42",
"ClientVersion": "1.5.1937.0",
"FWLink": "http://go.microsoft.com/fwlink/?linkid=37020&name=EICAR_Test_File&threatid=2147519003",
"Filename": "EICAR_Test_File",
"ID": "2147519003",
"PathFound": "file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt",
"ProcessName": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
"SID": "S-1-5-21-314323950-2314161084-4234690932-1002",
"ScanID": "{92224018-9446-4C2D-AFCB-EC4456B8859E}",
"SeverityID": "5",
"User": "DOMAIN \\ admin"
}Collecting and parsing Microsoft SCEP data from log files
SCEP client log files are located in the %allusersprofile%\Microsoft\Microsoft Antimalware\Support directory.
These logs contain the following client actions:
-
Definition updates
-
Malware detections
-
Monitoring alerts
Input sample - MPDetection
2019-06-08T13:35:31.153Z Service started - System Center Endpoint Protection \
(DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)Input sample - MPLog
2019-05-31T17:15:17.383Z Process scan (postsignatureupdatescan) started.
Signature updated via MMPC on 05-31-2019 19:15:17SCEP client installation logs location
%allusersprofile%\Microsoft\Microsoft Security Client\SupportInput sample - EppSetup
SUCCESS 2019/05/31 19:12:05:782 TID:4700 PID:4692
Setup ended successfully with result: The operation completed successfully. [00000000] Input sample - MSSecurityClient_Setup
=== Verbose logging stopped: 5/31/2019 19:11:59 ===
MSI (s) (28:2C) [19:11:59:329]: Destroying RemoteAPI object.Example 2. Collecting and parsing Microsoft SCEP data from log files
The following configuration collects events from SCEP files with the im_file module.
Logs are written in the UTF-16LE character encoding, so the xm_charconv extension module is used to convert the input.
nxlog.conf
<Extension charconv>
Module xm_charconv
LineReader UTF-16LE
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Input Antimalware>
Module im_file
File 'C:\ProgramData\Microsoft\Microsoft Antimalware\Support\' + \
'MPDetection-*.log'
File 'C:\ProgramData\Microsoft\Microsoft Antimalware\Support\' + \
'MPLog-*.log'
File 'C:\ProgramData\Microsoft\Microsoft Security Client\Support\' + \
'EppSetup.log'
File 'C:\ProgramData\Microsoft\Microsoft Security Client\Support\' + \
'MSSecurityClient_Setup*.log'
ReadFromLast TRUE
InputType charconv
<Exec>
file_name() =~ /(?<Filename>[^\\]+)$/;
if $FileName =~ /MPLog|MPDetection/
if $raw_event =~ /(.*\.\d{3}Z)\s+(.*)/
{
$EventTime = $1;
$Message = $2;
}
else
{
$Message = $raw_event;
}
if $FileName =~ /EppSetup/
if $raw_event =~ /(\w+)\s+(.*)\s+TID\:(\d+)\s+PID\:(\d+)/
{
$Status = $1;
$EventTime = $2;
$TID = $3;
$PID = $4;
}
else
{
$Message = $raw_event;
}
if $FileName =~ /MSSecurityClient_Setup/
if $raw_event =~ /.*\[(.*)\]\:(.*)/
{
$EventTime = $1;
$Message = $2;
}
else
{
$Message = $raw_event;
}
to_json();
</Exec>
</Input>Event sample - MPDetection
{
"EventReceivedTime": "2019-06-16T14:24:51.746591+02:00",
"SourceModuleName": "Antimalware",
"SourceModuleType": "im_file",
"Filename": "MPDetection-05312019-191154.log",
"EventTime": "2019-06-08T13:35:31.153Z",
"Message": "Service started - System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)"
}Event sample - MPLog
{
"EventReceivedTime": "2019-06-16T14:36:04.642769+02:00",
"SourceModuleName": "Antimalware",
"SourceModuleType": "im_file",
"Filename": "MPLog-05312019-191154.log",
"Message": "************************************************************"
}
{
"EventReceivedTime": "2019-06-16T14:36:04.642769+02:00",
"SourceModuleName": "Antimalware",
"SourceModuleType": "im_file",
"Filename": "MPLog-05312019-191154.log",
"EventTime": "2019-05-31T17:15:17.383Z",
"Message": "Process scan (postsignatureupdatescan) started."
}Event sample - EppSetup
{
"EventReceivedTime": "2019-06-16T14:39:07.127660+02:00",
"SourceModuleName": "Antimalware",
"SourceModuleType": "im_file",
"Filename": "EppSetup.log",
"Status": "SUCCESS",
"EventTime": "2019/05/31 19:12:05:782",
"TID": "4700",
"PID": "4692"
}
{
"EventReceivedTime": "2019-06-16T14:39:07.127660+02:00",
"SourceModuleName": "Antimalware",
"SourceModuleType": "im_file",
"Filename": "EppSetup.log",
"Message": "Setup ended successfully with result: The operation completed successfully."
}Event sample - MSSecurityClient_Setup
{
"EventReceivedTime": "2019-06-16T14:22:17.824508+02:00",
"SourceModuleName": "Antimalware",
"SourceModuleType": "im_file",
"Filename": "MSSecurityClient_Setup_4.7.213.0_epp_Install.log",
"Message": "=== Verbose logging stopped: 5/31/2019 19:11:59 ==="
}
{
"EventReceivedTime": "2019-06-16T14:22:17.824508+02:00",
"SourceModuleName": "Antimalware",
"SourceModuleType": "im_file",
"Filename": "MSSecurityClient_Setup_4.7.213.0_epp_Install.log",
"EventTime": "19:11:59:329",
"Message": " Destroying RemoteAPI object."
}Collecting and parsing SCEP data from an SQL database
SCEP (SCCM) also logs data to an SQL database.
Example 3. Collecting and parsing SCEP data from an SQL database
The following configuration queries the SCCM database with the im_odbc module. This example contains two SQL queries collecting Last Malware alerts and AV Detection alerts.
nxlog.conf
<Extension _json>
Module xm_json
</Extension>
<Input last_malware>
Module im_odbc
ConnectionString DSN=SMS;database=CM_CND;uid=user;pwd=password;
IdType timestamp
SQL SELECT DetectionTime as id,* \
FROM vEP_LastMalware \
WHERE DetectionTime > CAST(? AS datetime)
Exec to_json();
</Input>
<Input av_detections>
Module im_odbc
ConnectionString DSN=SMS;database=CM_CND;uid=user;pwd=password;
IdType timestamp
SQL SELECT DetectionTime as id,* \
FROM v_GS_Threats \
INNER JOIN v_R_System \
ON v_GS_Threats.ResourceID=v_R_System.ResourceID \
WHERE DetectionTime > CAST(? AS datetime)
Exec to_json();
</Input>Event sample - last malware
{
"id": "2019-06-20T18:21:14.050000+02:00",
"RecordID": 72057594037997950,
"MachineID": 16777219,
"LastMessageTime": "2019-06-20T18:21:22.597000+02:00",
"LastMessageSerialNumber": 102,
"DetectionTime": "2019-06-20T18:21:14.050000+02:00",
"ActionTime": "2019-06-20T18:21:22.573000+02:00",
"ProductVersion": "4.7.213.0",
"DetectionID": "6A70D85D-1AB0-4F20-BCAB-9B9CCEEA5ED5",
"DetectionSource": 1,
"PendingActions": 0,
"Process": "Unknown",
"UserID": 16777217,
"ThreatName": "Virus:DOS/EICAR_Test_File",
"ThreatID": 2147519003,
"SeverityID": 5,
"CategoryID": 42,
"Path": "file:_C:\\Users\\admin\\Downloads\\eicar.com;file:_C:\\Users\\admin\\Downloads\\eicar.com.txt",
"CleaningAction": 2,
"ExecutionStatus": 0,
"ActionSuccess": true,
"ErrorCode": 0,
"RemainingActions": 0,
"LastRemainingActionsCleanTime": null,
"EventReceivedTime": "2019-06-20T20:22:28.050844+02:00",
"SourceModuleName": "last_malware",
"SourceModuleType": "im_odbc"
}