If I do a table list query I have the ability to choose to use source file hash but in the summary table queries there is no option to add a label for it.
What I'm trying to do is create a multi group summary query that lists the threat name as the first label and the second would list source file hashes. In my filter I would be looking for one specific source file name.
The idea is that I have a simple list for all events sorted by source hash and I am going to use the hash as part of an exclusion set for known good files for specific access protection rules.
Otherwise I have to create a query that uses some other criteria and looks for my source exe name, add a column for the source hash and then export it out to excel and find the different hash values there. While it's not the end of the world, it's an extra step that sometimes takes very long if the number of events is high (In many cases, they are since the purpose is to filter out the sources of high numbers of events that are known good in AP rules).
Wanted to know if I am just missing the property when doing the summary table of if this would be a Product Idea to submit.
Thank you for your post. By Summary table, May I know if you are referring to the queries pulled via Dashboard?
The Queries that would bear the data on Threat Events and the source or target hashes involved is the "Events" Query. The other queries do not facilitate the option of adding "Source File Hash" Property in the table in the ePO.
Was my reply helpful? If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
I was creating my own queries. Here's the premise:
We have a lot of access protection rules enabled, many McAfee defined, many that we have created. It's out top generator of events by far. Most events are in report only "would block" mode.
In an effort to tune the events we have a team reviewing the source processes generating the most events. After researching we get the task to tune them out with source process exclusions.
In an effort to be more secure we are looking at every location, hash and cert which is what we are adding for exclusions after the team researches each. In some cases, due to various product versions and implementations there are sometimes high numbers of hashes associated with a specific source EXE. Once all are researched I get approval for the exclusions to the AP policies.
My query will show the rule that the source is triggering on as a single group summary table. Gives me a nice list of any rules that source triggered on and how many events for each. I use that to add my exclusions into those rules (rather than a general exclusion for all AP rules).
My problem is that I have to then dig in to each group and sort by source hash to cover all of them. If I was able to add that as a field in a multi-group summary table it would list the hashes right there without the need to drill down or export the xls with the drill down tables.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.