How to view only events rated as a "Medium" level signature

We're in the process of tuning our HIPS policies for "Medium" level blocking, and are currently just logging for "Medium" events.

So with several weeks now of "medium" level logging on several hundred servers and workstations, I should be seeing some "medium" events in the event logs, but I seem to only be seeing the events from the "High" level signatures.

When running a query on the event logs, there only seems to be an option to search for "Threat Severity" with options of "critical", "warning", "emergency", etc but not for "High", "Medium", or "Low". (The query I run to view "High" signatures looks for "Threat Severity" 'critical'.)

So then how do you query for HIPS events that are specifically rated "Medium" and exclude "High" or "Low" events?

Thanks

PG

3 Replies
McAfee Employee

Re: How to view only events rated as a "Medium" level signature

You can view the conversion between the severities in the ePO console within the Host IPS Events menu. See attached screenshot: severity2.jpg

Re: How to view only events rated as a "Medium" level signature

Hmm, I tried querying for "Warning" level threats but 99% of what came back were AV related events but not HIPS. I'd be surprised that there would be almost no events coming back considering the number of systems that had Medium logging turned on.

Is that normal? I had assumed when we turned on Medium logging there would be a big jump in the number of events, and an even bigger jump when we moved to turning on logging for "Low" signatures.

Re: How to view only events rated as a "Medium" level signature

Also write your query to show Detecting Product Name = Host IPS. That will yield only those levels of events from Host IPS.
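The filter the last two replies describe (Threat Severity at the converted level plus Detecting Product Name = Host IPS), applied to an exported event list so you can see why a severity-only query is dominated by AV events. This is an added example, not code from the original thread or from McAfee: the event rows are constructed, the column names follow the ePO query builder labels used in the thread, and the High -> Critical and Medium -> Warning conversion is the one the poster queried and tried, not a confirmed mapping; read the real conversion from the Host IPS Events menu in the ePO console as the employee reply says.

```python
import csv
import io
from collections import Counter

# Constructed sample of an ePO threat-event export; not real data.
# Column labels mirror the ePO query builder fields named in the thread.
SAMPLE_EXPORT = """Detecting Product Name,Threat Severity,Threat Name,Target Host Name
VirusScan Enterprise,Warning,Generic PUP.x,WKS-0001
VirusScan Enterprise,Warning,Artemis!ABCD1234,WKS-0002
VirusScan Enterprise,Critical,EICAR test file,SRV-0003
VirusScan Enterprise,Emergency,Outbreak detected,SRV-0009
Host IPS,Critical,Buffer Overflow Protection,SRV-0003
Host IPS,Warning,Generic Process Hijacking,WKS-0004
"""

# Assumed conversion between HIPS signature level and ePO Threat Severity.
# High -> Critical is what the poster already queries on; Medium -> Warning is
# what they tried. Confirm the actual mapping in the ePO console before use.
HIPS_LEVEL_TO_EPO_SEVERITY = {"High": "Critical", "Medium": "Warning"}

HIPS_PRODUCT_NAME = "Host IPS"


def parse_events(export_text):
    """Parse a CSV export into a list of dicts keyed by column label."""
    return list(csv.DictReader(io.StringIO(export_text)))


def severity_breakdown_by_product(events, severity):
    """Count events at one ePO severity per detecting product.

    This is the severity-only query from the thread: it shows how many of
    the matches actually come from Host IPS versus other products.
    """
    counts = Counter()
    for event in events:
        if event["Threat Severity"] == severity:
            counts[event["Detecting Product Name"]] += 1
    return counts


def hips_events_at_level(events, hips_level, product=HIPS_PRODUCT_NAME):
    """Return only Host IPS events whose severity converts from the given
    HIPS signature level (High/Medium), excluding the other levels."""
    severity = HIPS_LEVEL_TO_EPO_SEVERITY[hips_level]
    return [
        event
        for event in events
        if event["Detecting Product Name"] == product
        and event["Threat Severity"] == severity
    ]


if __name__ == "__main__":
    events = parse_events(SAMPLE_EXPORT)

    # Severity-only query: the Warning bucket is mostly AV, as the poster saw.
    print("Warning events by product:", dict(severity_breakdown_by_product(events, "Warning")))

    # Severity plus Detecting Product Name = Host IPS: just the Medium HIPS hits.
    for event in hips_events_at_level(events, "Medium"):
        print("Medium HIPS event:", event["Threat Name"], "on", event["Target Host Name"])
```

Running the block prints the per-product breakdown of Warning events first, then only the Host IPS rows at the Medium level; in a real ePO query the same two conditions go into the filter, with the severity value taken from the console's conversion table rather than the assumed dictionary above.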