Jmac24
Level 12
Message 1 of 3

Source file hash in summary table query

If I do a table list query I have the ability to choose to use source file hash but in the summary table queries there is no option to add a label for it.

What I'm trying to do is create a multi-group summary query that lists the threat name as the first label and the second would list source file hashes. In my filter I would be looking for one specific source file name.

The idea is that I have a simple list for all events sorted by source hash and I am going to use the hash as part of an exclusion set for known good files for specific access protection rules. 

Otherwise I have to create a query that uses some other criteria and looks for my source exe name, add a column for the source hash and then export it out to Excel and find the different hash values there. While it's not the end of the world, it's an extra step that sometimes takes very long if the number of events is high (in many cases, they are, since the purpose is to filter out the sources of high numbers of events that are known good in AP rules).

Wanted to know if I am just missing the property when doing the summary table or if this would be a Product Idea to submit.

2 Replies
AdithyanT
McAfee Employee
Message 2 of 3

Re: Source file hash in summary table query

Hi @Jmac24,

Thank you for your post. By Summary table, may I know if you are referring to the queries pulled via Dashboard?

The Queries that would bear the data on Threat Events and the source or target hashes involved is the "Events" Query. The other queries do not facilitate the option of adding "Source File Hash" Property in the table in the ePO.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
Jmac24
Level 12
Message 3 of 3

Re: Source file hash in summary table query

I was creating my own queries. Here's the premise:

We have a lot of access protection rules enabled, many McAfee defined, many that we have created. It's our top generator of events by far. Most events are in report only "would block" mode.

In an effort to tune the events we have a team reviewing the source processes generating the most events. After researching we get the task to tune them out with source process exclusions.

In an effort to be more secure we are looking at every location, hash and cert which is what we are adding for exclusions after the team researches each. In some cases, due to various product versions and implementations there are sometimes high numbers of hashes associated with a specific source EXE. Once all are researched I get approval for the exclusions to the AP policies.

My query will show the rule that the source is triggering on as a single group summary table. Gives me a nice list of any rules that source triggered on and how many events for each. I use that to add my exclusions into those rules (rather than a general exclusion for all AP rules).

My problem is that I have to then dig in to each group and sort by source hash to cover all of them. If I was able to add that as a field in a multi-group summary table it would list the hashes right there without the need to drill down or export the xls with the drill down tables.
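The export-and-sort workaround described in this thread can be scripted to produce the rule-by-hash grouping directly. The following is an added example, not part of the original posts and not McAfee tooling; it assumes the events were exported as CSV, and the three column headers are assumptions to rename to match the export's header row.

```python
import csv
import io
from collections import Counter, defaultdict

# Assumed column headers; rename to match the header row of your own export.
COL_RULE = "Threat Name"
COL_SOURCE = "Source Process Name"
COL_HASH = "Source File Hash"

def summarize(csv_file, source_name):
    """Return {rule: Counter({hash: event_count})} for one source executable."""
    summary = defaultdict(Counter)
    for row in csv.DictReader(csv_file):
        # Compare only the file name, case-insensitively, so every install path matches.
        exe = row[COL_SOURCE].replace("\\", "/").rsplit("/", 1)[-1]
        if exe.lower() != source_name.lower():
            continue
        # Events with no hash cannot be covered by a hash exclusion; keep them visible.
        file_hash = row[COL_HASH].strip().lower() or "(no hash recorded)"
        summary[row[COL_RULE].strip()][file_hash] += 1
    return summary

def render(summary):
    """Format as a two-level list: rule first, then each hash with its event count."""
    lines = []
    for rule in sorted(summary, key=lambda r: -sum(summary[r].values())):
        hashes = summary[rule]
        lines.append(f"{rule}  ({sum(hashes.values())} events, {len(hashes)} hashes)")
        for file_hash, count in hashes.most_common():
            lines.append(f"    {file_hash}  {count}")
    return "\n".join(lines)

# Constructed sample rows (not real event data); hash values are placeholders.
SAMPLE = r"""Threat Name,Source Process Name,Source File Hash
Rule A (constructed),C:\Program Files\Vendor\updater.exe,AAAA1111
Rule A (constructed),C:\Program Files\Vendor\updater.exe,aaaa1111
Rule A (constructed),D:\Apps\Vendor\UPDATER.EXE,BBBB2222
Rule B (constructed),C:\Program Files\Vendor\updater.exe,AAAA1111
Rule A (constructed),C:\Windows\other.exe,CCCC3333
Rule B (constructed),C:\Program Files\Vendor\updater.exe,
"""

if __name__ == "__main__":
    print(render(summarize(io.StringIO(SAMPLE), "updater.exe")))
```

Grouping per rule keeps each hash tied to the specific AP rule it triggered, which matches adding exclusions rule by rule rather than as one general exclusion.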
