Utilizing the user-based SCEP reports

The second group of reports in SCEP focuses entirely on users, which falls in line with Microsoft's mantra of focusing on users within SCCM 2012 as a whole. In the rest of SCCM, that user focus provides for things such as customized application delivery; in SCEP, it allows you to monitor your problem children.

Every organization has them: the user who will happily open any attachment and fears no website on the Internet. The good news is that SCEP empowers you to monitor for repeat offenders, regardless of which system they may be using.

Getting ready

To complete this recipe, you will need to be using an account that has at least the SCEP administrator role granted to it. You will also need to ensure that you've enabled Active Directory Users discovery in SCCM and that it has completed the discovery at least once before following this recipe.

How to do it...

Follow these steps:

  1. Log in to your SCCM CAS server and launch your SCCM 2012 management console.
  2. Navigate to Monitoring | Overview | Reporting | Reports | Endpoint Protection, right-click on Top Users By Threats, and click on Run.
  3. Select a collection to run this report against by clicking on the Values button and choosing a collection. You can also adjust the time span if you wish to do so. Click on the View Report button to execute the report.
  4. The report will return a list of users ranked by the number of malware events associated with that account, as shown in the following screenshot:
  5. To review the particular events a given user has experienced, click on a user name from the list. This will bring up the User Threat List report for that account, as shown in the following screenshot:

How it works...

Because SCEP collects a rich dataset for every malware event it detects, it knows which user was logged in at the time. This information allows you to identify patterns of behavior that expose your network to risk. That said, many types of malware (such as a worm) can show up in a malware report for a computer that a given user was logged into without the user having done anything.
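
The worm caveat can be applied to exported report data before anyone is labeled a repeat offender. The following sketch is an added example, not code from the book or from SCEP; the row layout, the sample values, and the three-computer threshold are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample rows (user, computer, threat); not real SCEP output.
EVENTS = [
    ("CORP\\alice", "WS-01", "Trojan:Win32/SampleA"),
    ("CORP\\alice", "WS-07", "Adware:Win32/SampleB"),
    ("CORP\\alice", "WS-01", "Trojan:Win32/SampleC"),
    ("CORP\\bob",   "WS-02", "Worm:Win32/SampleW"),
    ("CORP\\carol", "WS-03", "Worm:Win32/SampleW"),
    ("CORP\\dave",  "WS-04", "Worm:Win32/SampleW"),
    ("CORP\\bob",   "WS-02", "Adware:Win32/SampleB"),
]


def top_users(events):
    """Rank users by raw malware event count, highest first."""
    return Counter(user for user, _, _ in events).most_common()


def widespread_threats(events, min_computers=3):
    """Return threats seen on at least min_computers distinct computers.

    Hypothetical heuristic: a threat hitting many machines looks like
    self-propagating malware rather than one user's risky behavior.
    """
    hosts = defaultdict(set)
    for _, computer, threat in events:
        hosts[threat].add(computer)
    return {t for t, seen in hosts.items() if len(seen) >= min_computers}


def top_users_adjusted(events, min_computers=3):
    """Re-rank users after setting aside events for widespread threats."""
    skip = widespread_threats(events, min_computers)
    return top_users([e for e in events if e[2] not in skip])


if __name__ == "__main__":
    print("Raw ranking:     ", top_users(EVENTS))
    print("Widespread:      ", widespread_threats(EVENTS))
    print("Adjusted ranking:", top_users_adjusted(EVENTS))
```

Users who stay near the top of the adjusted ranking across several computers are the ones worth a follow-up conversation; users who drop out were most likely caught in an outbreak.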
