scsslm
Level 7

Generate VID & PID report from ePO

Hello All,

I want to generate the following DLP report from ePO 5.1.1. Could you please advise?

  1. Get the VID and PID details
  2. When the VID and PID were added to the DLP (VID-PID) exception list.
  3. Only get the Blank VID & PID list

NOTE: I suspect that some particular brands (like Transcend, HP, etc.) of USB device can have the same VID & PID. If yes, how do we manage (block/unblock) these kinds of devices?

Regards,

Sekar

0 Kudos
3 Replies
chrisnlc
Level 10

Re: Generate VID & PID report from ePO

It's possible to get some of this. Assuming you are using 9.4 and above:

1) Duplicate the query/report 'DLP: Number of Incidents per rule set' and edit. (I use this report but you can use this or other incident type reports)

2) In the Columns section add USB Vendor ID and USB Product ID.

3) In the Filter section add 'Value is not Blank' = USB Vendor ID.

4) Save

5) Do the same thing again but this time:

6) In the Filter section use 'Value is Blank' = USB Vendor ID.

7) Save as a different name.

Now you have some of what you need:

  1. Get the VID and PID details - answered in lines 1 to 4
  2. When the VID and PID were added to the DLP (VID-PID) exception list. - Not possible AFAIK
  3. Only get the Blank VID & PID list - answered in lines 5 to 7

If the USB stick is rebranded but retains the same PID/VID then it would take some analysis to differentiate them. Perhaps the rebrander may change volume information and always start volume label with 'xyz123..' or something but that would be highly unreliable.

Hope that all helps.

0 Kudos
scsslm
Level 7

Re: Generate VID & PID report from ePO

Hi Chris,

Thank you for your support.

I am using DLP version 9.3.425.4.

And I have selected the following options in Filter in my report.

Evidence Type "Equals to Vendor ID" and Evidence Value "Value is blank"

but it's not getting any results.

Please advise.

Thanks & Regards,

Sekar

0 Kudos
chrisnlc
Level 10

Re: Generate VID & PID report from ePO

For 9.3 it's a little trickier.

1) In queries and reports select New

2) Choose Others then DLP 9.3 Events and Next

3) Choose list/Table and Next

4) Choose Evidence Type and Evidence Value from column selector under 'DLP 9.3 Events Evidence Data'

5) Also make sure Event ID, Computer Name, Rules fields are there at a minimum, then Next.

6) If you have millions of events then filter on (Occurred UTC) in the filter section.

7) Run.

8) After some processing you'll see the results. Select Action then Export Table

9) Choose CSV then 'Open or save from link'

10) When generated save the CSV somewhere.

Now you will have the info you need but it's how you process it. Personally I imported to Excel and used filtering on Evidence Type = Vendor ID and Product ID then made a PivotTable. It takes some work but you can get some useful data from this. I also used R/RStudio if you happen to know that - then spin the data in many ways.

Maybe I should do a YouTube about it!

0 Kudos
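The CSV post-processing described in the last reply (filter on Evidence Type = Vendor ID / Product ID, then pivot), as an added example that is not part of the original thread. It assumes the export has one row per evidence item and that the column headers match the field names mentioned in the post; the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of the exported table (one row per evidence item).
# Header names are assumed to match the ePO field names from the thread.
SAMPLE_CSV = """Event ID,Computer Name,Rules,Evidence Type,Evidence Value
101,PC-01,Block USB,Vendor ID,1234
101,PC-01,Block USB,Product ID,abcd
101,PC-01,Block USB,File Name,report.docx
102,PC-02,Block USB,Vendor ID,
102,PC-02,Block USB,Product ID,
103,PC-03,Monitor USB,Vendor ID,1234
103,PC-03,Monitor USB,Product ID,ABCD
104,PC-01,Block USB,Vendor ID,5678
104,PC-01,Block USB,Product ID,
105,PC-04,Block USB,File Name,notes.txt
"""

def pivot_vid_pid(csv_text):
    """Collapse evidence rows into one record per Event ID with its VID and PID."""
    events = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Register every event, so one with no Vendor ID row at all still shows up as blank.
        ev = events.setdefault(row["Event ID"].strip(), {
            "computer": row["Computer Name"].strip(),
            "rule": row["Rules"].strip(), "vid": "", "pid": ""})
        kind = row["Evidence Type"].strip().lower()
        value = (row["Evidence Value"] or "").strip().upper()  # normalise hex case
        if kind == "vendor id":
            ev["vid"] = value
        elif kind == "product id":
            ev["pid"] = value
    return events

def summarize(events):
    """Return (Counter of (VID, PID) pairs, sorted Event IDs with a blank VID or PID)."""
    counts, blank = Counter(), []
    for event_id, ev in sorted(events.items()):
        if ev["vid"] and ev["pid"]:
            counts[(ev["vid"], ev["pid"])] += 1
        else:
            blank.append(event_id)
    return counts, blank

if __name__ == "__main__":
    counts, blank = summarize(pivot_vid_pid(SAMPLE_CSV))
    for (vid, pid), n in counts.most_common():
        print(f"{vid}-{pid}: {n} event(s)")
    print("Events with blank VID/PID:", ", ".join(blank))
```

To run it on a real export, pass the contents of the saved CSV file to `pivot_vid_pid` instead of `SAMPLE_CSV`.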