Can someone help with creating a query that filters and shows the "file" info that is available when looking in a HIPS event below the Host IPS 8.0 Event Information?
I can filter on "target file path" but that does not contain the same info as in "file".
You can display the IPS Parameter Name = Files and then filter for the specific IPS Parameter Value you want.
You can do that through the Reporting -> Threat Event Log.
You should be able to set up a query for it as well.
Thanks for the feedback but I can't find what you describe.
Can you give some more details, please?
I can't find "IPS parameter name". Not in queries and not in the HIPS event window.
In the Reporting for HIPS 8, you have to go under Actions and choose Choose Columns.
Are you running HIPS 8, and what version of ePO are you running?
Make sure the HIPS 8 extension is checked in as well.
I have 3 extensions for HIPS checked in:
* Host intrusion prevention 8.0.0
* Host IPS advanced
* Host IPS license
I don't find "IPS parameter name".
Am I missing an extension?
There should be a listing for Host IPS 8.0 Expert Signature Info which contains these 2 fields under Filter and under Choose Columns.
If jj4sec is non-DoD, he probably doesn't have the enhanced reporting package which is required to see these fields. That being said, I don't know how anyone tunes HIPS without this capability. It makes the task nearly impossible.
It's an ePO enhancement extension. It is not part of HIPS per se, but does make tuning easier.
Where can I find this?
I have the extension "advanced reporting" version 5.1.1 below "shared components" in the extensions.
Is it this, or am I missing something?