Microsoft Endpoint Protection

The Microsoft Endpoint Protection DSM for IBM QRadar collects malware detection events.

QRadar collects malware detection events by using the JDBC protocol. Adding malware detection events to QRadar lets you monitor and detect malware-infected computers in your deployment.

Malware detection events include the following information:

  • Site name and the source from which the malware was detected.
  • Threat name, threat ID, and severity.
  • User ID associated with the threat.
  • Event type, time stamp, and the cleaning action that is taken on the malware.

Configuration overview

The Microsoft Endpoint Protection DSM uses JDBC to poll an SQL database for malware detection event data. This DSM does not support automatic discovery; you must add the log source manually. To integrate Microsoft Endpoint Protection with QRadar, take the following steps:

  1. If your database is not configured with Predefined Query, create an SQL database view for QRadar® with the malware detection event data.
  2. Configure a JDBC log source to poll for events from the Microsoft Endpoint Protection database. For information about configuring JDBC log source parameters for Microsoft Endpoint Protection, see Microsoft Endpoint Protection JDBC log source parameters for predefined database queries.
  3. Ensure that no firewall rules are blocking communication between QRadar and the database that is associated with Microsoft Endpoint Protection.
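As an added illustration of step 1 (not part of the IBM documentation and not the product's own schema), the following T-SQL creates a view that exposes only the fields listed above, plus a read-only login for the QRadar JDBC poller. The source table `dbo.MalwareDetections_PLACEHOLDER`, its column names, and the login name `qradar_poll` are assumed placeholders to be replaced with the real Microsoft Endpoint Protection schema.

```sql
-- Added example: a read-only view and least-privilege login for QRadar JDBC polling.
-- The source table and its columns below are PLACEHOLDERS; substitute the real
-- Microsoft Endpoint Protection tables and column names from your database.

-- 1. Expose only the malware detection fields QRadar needs, nothing else.
CREATE VIEW dbo.QRadar_MalwareDetections
AS
SELECT
    d.DetectionID      AS EventID,        -- increasing key so the JDBC log source can poll incrementally
    d.DetectionTime    AS EventTime,      -- time stamp of the detection
    d.SiteName         AS SiteName,       -- site name
    d.SourceComputer   AS SourceHost,     -- source from which the malware was detected
    d.ThreatName       AS ThreatName,
    d.ThreatID         AS ThreatID,
    d.Severity         AS Severity,
    d.UserID           AS UserID,         -- user associated with the threat
    d.EventType        AS EventType,
    d.CleaningAction   AS CleaningAction  -- cleaning action taken on the malware
FROM dbo.MalwareDetections_PLACEHOLDER AS d;
GO

-- 2. A dedicated login that can read the view only (no access to the underlying tables).
CREATE LOGIN qradar_poll WITH PASSWORD = '<set-a-strong-password>';
CREATE USER qradar_poll FOR LOGIN qradar_poll;
GRANT SELECT ON dbo.QRadar_MalwareDetections TO qradar_poll;
GO

-- 3. Sanity check as qradar_poll: the rows the poller will see, newest first.
SELECT TOP (10) * FROM dbo.QRadar_MalwareDetections ORDER BY EventID DESC;
```

When you configure the JDBC log source in step 2, point it at this view and use the increasing `EventID` (or `EventTime`) column so that each poll retrieves only new detections.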