I was looking to get some assistance in syslogging DLP events to our SIEM.
I did set up syslog as a Registered Server, but these messages are encrypted and my SIEM has them garbled.
We'd like to know how we can get around this, or alternatively query the SQL database to pull in user activity information with a SQL query.
We need to have incidents monitored in our SIEM as soon as possible.
Please and thanks.
Start by creating an ePO DLP Incident query based on the data you are looking to build a SQL query on.
There is an option in ePO to view the details of a saved query. Under “Actions” you can “View SQL” to get a database query of the selected ePO query.
The “View SQL” action gives you the SQL query that was used by ePO to generate the ePO query.
From there, you can look into the database structure to include additional information from other tables that are not available from a normal ePO DLP query. Unfortunately, this is necessary if you want more specific information from certain types of DLP events.
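As an added example (not from the answerer above), here is the shape of a forwarder that polls the query obtained from “View SQL” and emits plain-text CEF over syslog, so the SIEM receives parseable lines instead of the encrypted Registered Server feed. The table and column names (`DLP_Incidents`, `IncidentId`, and so on) are placeholders standing in for whatever your own “View SQL” output shows, the rows are constructed, and SQLite stands in for the ePO SQL Server database.

```python
import sqlite3
import socket
from datetime import datetime, timezone

# Constructed sample rows; the schema below is a placeholder, not the real ePO one.
SAMPLE_INCIDENTS = [
    (101, "2024-05-01T10:15:00Z", "jdoe", "HOST01", "USB Blocked", "High"),
    (102, "2024-05-01T10:20:00Z", "asmith", "HOST02", "Email Sensitive Data", "Medium"),
]

def build_sample_db():
    """In-memory stand-in for the ePO database, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DLP_Incidents(IncidentId INTEGER PRIMARY KEY, IncidentTime TEXT, "
                 "UserName TEXT, HostName TEXT, RuleName TEXT, Severity TEXT)")
    conn.executemany("INSERT INTO DLP_Incidents VALUES (?,?,?,?,?,?)", SAMPLE_INCIDENTS)
    conn.commit()
    return conn

def fetch_new_incidents(conn, last_id):
    """Poll only rows past the high-water mark so incidents are never re-sent."""
    cur = conn.execute("SELECT IncidentId, IncidentTime, UserName, HostName, RuleName, Severity "
                       "FROM DLP_Incidents WHERE IncidentId > ? ORDER BY IncidentId", (last_id,))
    return cur.fetchall()

def _esc(s):
    # CEF header fields must escape backslash and pipe.
    return s.replace("\\", "\\\\").replace("|", "\\|")

def to_cef(row):
    """Render one incident as a CEF line; severity mapping is an assumption."""
    inc_id, ts, user, host, rule, sev = row
    sev_num = {"Low": 3, "Medium": 6, "High": 9}.get(sev, 5)
    ext = f"suser={user} shost={host} rt={ts} externalId={inc_id}"
    return f"CEF:0|McAfee|DLP|unknown|{_esc(rule)}|{_esc(rule)}|{sev_num}|{ext}"

def forward(conn, last_id, siem=None):
    """Send each new incident as UDP syslog (PRI 134 = local0.info); returns (lines, new high-water mark)."""
    lines = []
    for row in fetch_new_incidents(conn, last_id):
        stamp = datetime.now(timezone.utc).isoformat()
        line = f"<134>{stamp} epo-sql-forwarder {to_cef(row)}"
        if siem:  # siem is an (ip, port) tuple; None keeps the run offline
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.sendto(line.encode(), siem)
        lines.append(line)
        last_id = row[0]
    return lines, last_id
```

Persist the returned high-water mark between runs (a file or a small state table) so a restart does not replay the whole incident table into the SIEM.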