Can someone help with creating a query that filters and show the "file" info that is available when looking in a HIPS event below the Host IPS 8.0 Event Information.
I can filter on "target file path" but that does not contain the same info as in "file".
You can display the IPS Parameter Name = Files and then fileter for the specific IPS Parameter Value you want.
You can do that through the Reporting -> Threat Event Log
You should be able to set up a query for it as well.
Thanks for the feedback but I can't find what you describe.
Can you give some more details please.
I can't find "IPS parameter name". Not in queries and not in the HIPS event window .
In the Reporting for HIPS 8, you have to go under Actions and choose Choose Columns.
Are you running HIPS 8 and what version of epo are you running?
make sure the HIPS 8 extension is checked in as well.
I have 3 extensions for HIPS checked in :
* Host intrusion prevention 8.0.0
* Host IPS advanced
* Host IPS license
I don't find "IPS parameter name".
Do I miss an extension ?
there should be a listing for Host IPS 8.0 Expert Signature Info which contains these 2 fields under Filter and under Choose Columns.
If jj4sec is non DoD, he probably doesn't have the enhanced reporting package which is required to see these fields. that being said, i dont know how anyone tunes HIPS without this capability. it makes the task nearly impossible.
where can I find this ?
I have the extension "advanced reporting" version 5.1.1 below "shared componentes" i the extensions
is it this or do I miss something ?