I want to generate the following DLP report from ePO 5.1.1. Could you please advise.
NOTE: I suspected the some particular brand (like Transend, HP etc., ) USB device can have Same VID & PID if yes how to manage (Block/Unblock) these kind of devices.
It's possible to get some of this. Assuming you are using 9.4 and above:
1) Duplicate the query/report 'DLP: Number of Incidents per rule set' and edit. (I use this report but you can use this or other incident type reports)
2) In the Columns section add USB Vendor ID and USB Product ID.
3) In the Filter section add 'Value is not Blank' = USB Vendor ID.
5) Do the same thing again but this time:
6) In the Filter section use 'Value is Blank' = USB Vendor ID.
7) Save as a different name.
Now you have some of what you need:
If the USB stick is rebranded but retains the same PID/VID then it would take some analysis to differentiate them. Perhaps the rebrander may change volume information and always start volume label with 'xyz123..' or something but that would be highly unreliable.
hope that all helps
Thank you for your support.
I am using DLP version 9.3.425.4.
And I have selected the following options in Filter in my report.
Evidence Type "Equals to Vendor ID" and Evidence Value "Value is blank"
but it's not getting any results.
Thanks & Regards,
For 9.3 it's a little trickier
1) In queries and reports select New
2) choose Others then DLP 9.3 Events and Next
3) Choose list/Table and Next
4) Choose Evidence Type and Evidence Value from column selector under 'DLP 9.3 Events Evidence Data'
5) Also make sure Event ID, Computer Name, Rules fields are there at a minimum. then Next
6) If you have millions of events then filter on (Occurred UTC) in the filter section.
8) After some processing you'll see the results. Select Action then Export Table
9) Choose CSV then 'Open or save from link'
10) When generated save the CSV somewhere.
Now you will have the info you need but it's how you process it. Personally I imported to Excel and used filtering on Evidence Type = Vendor ID and Product ID then made an Pivotable. It takes some work but you can get some useful data from this. I also used R/Rstudio if you happen to know that - then spin the data in many ways.
Maybe I should do a Youtube about it!