When testing security alerts in the Symantec Endpoint Protection Cloud (SEPC) product using EICAR or similar tools, alerts are not generated as expected following IPS or Auto-Protect detections.
Endpoint Protection Cloud 2.0
Several Preconfigured Alert Rules that would be expected to trigger during this type of testing are set to Inactive by default in the SEPC portal for newly created accounts:
High-risk threat remediated
High-risk intrusion detected
High-risk intrusion attempt blocked
Please note: This information is specific to "new" SEPC accounts (i.e., not customers who have been migrated from the SEP SBE product).
If it's necessary to be alerted on these types of events, either for testing or for security monitoring purposes, please set these Alert Rules to Active:
Access the Alerts and Events page of the SEPC portal, then the Alert Rules tab.
Locate any Preconfigured Alert Rules which are set to Inactive.
Click on an Alert Rule name to edit that rule, then click the button to Activate Alert Rule.
Note: Be sure to set the appropriate filter when reviewing the Alerts tab for events of this type. It is recommended to adjust the Filter and set the severity level to All to ensure all Alert data is shown.