Former Member
Message 1 of 4

HIPS - Managing HIPS events and information - Please share your thoughts

I have spoken to a couple of customers who have mentioned that querying and running HIPS-related data/events is very cumbersome. Can you please share your experience around this? What are the challenges you face, and what would you like to see to make your job easier?

Thanks

Endpoint Product Management

3 Replies
wouterr
Reliable Contributor
Message 2 of 4

Re: HIPS - Managing HIPS events and information - Please share your thoughts

Investigating a lot of IPS events is indeed impossible using ePO; therefore we query the ePO database directly.

Why we are not using ePO:

No possibility to filter on IPS event parameters (HIP8_IPSEventParameter table) other than the file parameter, in queries or in the system tree view.

The "Host IPS 8.0" reporting module is just way too slow. Here, too, it's impossible to filter on IPS event parameters, so you can only process one event at a time instead of processing them in bulk.

Note: if you mention McAfee SIEM, the same problem exists there: impossible to filter on IPS event parameters.


So with these arguments we switched from ePO to a simple SQL query which can query >100000 events in one second, in a way that lets us investigate them properly.

With the SQL query we transpose the HIP8_IPSEventParameter table and then join it with the EPOEvents, HIP8_EventInfo, EPOLeafNode and EPOBranchNode tables.

This gives us a single view containing all IPS events, on which we can easily query and filter when investigating these events.

Former Member
Message 3 of 4

Re: HIPS - Managing HIPS events and information - Please share your thoughts

I pretty much love HIPS, but there is a lot of information you simply cannot select in the queries. And often it's exactly that data you (I) want to get. I want to be allowed to query all information that is available.

Then there is the very annoying New Data field, which is not in clear text but must be DeHex'ed.

ex: 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

=

rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}

How do I even start making queries/threats/custom rules when the data is also unreadable? It's more than frustrating.

That said, when working a lot with HIPS you get a bit used to the flaws. And I love the versatility of the product.
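The two replies above describe the same investigation workflow from two sides: message 2 transposes the key/value HIP8_IPSEventParameter table into one row per event and joins it to EPOEvents so that every parameter can be filtered on, and message 3 points out that the New Data parameter is stored hex-encoded and has to be decoded before it is readable. The Python example below is an added illustration of both steps; it is not code from the thread or from McAfee. It builds an in-memory SQLite database with a few constructed rows. The table names follow the posts, but every column name, the event-to-parameter link, and the assumption that parameter values are plain UTF-8 bytes stored as hex text are assumptions for the sample, not the real ePO schema. The pivot is written as conditional aggregation so it accepts any list of parameter names rather than only the one command line quoted in message 3.

```python
import sqlite3
from typing import Dict, List, Optional

# Constructed schema. Table names come from the posts; the column names and the
# EventAutoID -> AutoID link are assumptions for this sample, not the real ePO schema.
SCHEMA = """
CREATE TABLE EPOEvents (
    AutoID          INTEGER PRIMARY KEY,
    ThreatEventID   INTEGER,
    TargetHostName  TEXT,
    DetectedUTC     TEXT
);
CREATE TABLE HIP8_IPSEventParameter (
    EventAutoID INTEGER,   -- assumed foreign key to EPOEvents.AutoID
    ParamName   TEXT,
    ParamValue  TEXT       -- hex text, as message 3 describes for New Data
);
"""

# Command line quoted in message 3; used here only to build a constructed hex value.
RUNDLL_CMD = ("rundll32.exe streamci,StreamingDeviceSetup "
              "{97ebaacc-95bd-11d0-a3ea-00a0c9223196},"
              "{53172480-4791-11D0-A5D6-28DB04C10000},"
              "{53172480-4791-11D0-A5D6-28DB04C10000}")


def to_hex_field(text: str) -> str:
    """Encode text the way this sample stores parameter values (UTF-8 bytes as hex)."""
    return text.encode("utf-8").hex()


def decode_hex_field(value: Optional[str]) -> Optional[str]:
    """Turn a hex-encoded parameter value back into readable text.

    The thread does not state the real field encoding, so UTF-8 bytes are assumed.
    Values that are not valid hex are returned unchanged so one odd row never
    aborts a bulk query; NULL (no such parameter on the event) stays None.
    """
    if value is None:
        return None
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding two constructed IPS events."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO EPOEvents VALUES (?, ?, ?, ?)",
        [(1, 18000, "WS-0001", "2013-05-01 10:00:00"),
         (2, 18000, "WS-0002", "2013-05-01 10:05:00")],
    )
    params = [  # constructed parameter rows; event 2 has no New Data parameter
        (1, "File", to_hex_field(r"C:\Windows\System32\rundll32.exe")),
        (1, "New Data", to_hex_field(RUNDLL_CMD)),
        (1, "Process", to_hex_field(r"C:\Windows\explorer.exe")),
        (2, "File", to_hex_field(r"C:\Temp\setup.exe")),
        (2, "Process", to_hex_field(r"C:\Windows\explorer.exe")),
    ]
    conn.executemany("INSERT INTO HIP8_IPSEventParameter VALUES (?, ?, ?)", params)
    return conn


def pivot_events(conn: sqlite3.Connection,
                 param_names: List[str]) -> List[Dict[str, Optional[str]]]:
    """Transpose the key/value parameter table into one decoded row per event.

    Each requested parameter becomes a column through MAX(CASE ...) aggregation,
    which is portable SQL (no vendor PIVOT syntax) and leaves every parameter
    available to a WHERE clause. Values are hex-decoded after fetching.
    """
    cols = ", ".join(
        f"MAX(CASE WHEN p.ParamName = ? THEN p.ParamValue END) AS [{name}]"
        for name in param_names
    )
    sql = f"""
        SELECT e.AutoID, e.TargetHostName, e.DetectedUTC, {cols}
        FROM EPOEvents e
        LEFT JOIN HIP8_IPSEventParameter p ON p.EventAutoID = e.AutoID
        GROUP BY e.AutoID, e.TargetHostName, e.DetectedUTC
        ORDER BY e.AutoID
    """
    cur = conn.execute(sql, param_names)
    names = [d[0] for d in cur.description]
    rows = []
    for rec in cur.fetchall():
        row = dict(zip(names, rec))
        for name in param_names:
            row[name] = decode_hex_field(row[name])
        rows.append(row)
    return rows


def events_matching(conn, param_name, needle,
                    param_names=("File", "New Data", "Process")):
    """Return pivoted events whose decoded parameter contains `needle` (case-insensitive)."""
    return [r for r in pivot_events(conn, list(param_names))
            if r.get(param_name) and needle.lower() in r[param_name].lower()]


if __name__ == "__main__":
    db = build_sample_db()
    for row in events_matching(db, "New Data", "streamci"):
        print(row["TargetHostName"], row["DetectedUTC"], row["New Data"])
```

Against a real ePO database the same shape applies: replace the constructed schema with the actual column names, keep the conditional-aggregation pivot so the whole event population is processed in one pass, and decode the hex field once per row rather than per investigation.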

Former Member
Message 4 of 4

Re: HIPS - Managing HIPS events and information - Please share your thoughts

Thank you, team. This is useful info to have. I appreciate your time and thoughts on this.
