dhalliday
Level 7

Retrieving Host IPS 8.0 Event Information from the database - how??

I have a team of folks who are interested in seeing the HIPS event information that comes along with the threat data, specifically the following fields:

Target File Name

Target Fingerprint

Target Path

Does anyone know what the table references are for these fields and how we can add them to the query below?

select [EPOEvents].[DetectedUTC],
       [EPOEvents].[TargetHostName],
       [EPOEvents].[ThreatName],
       [EPOEvents].[AnalyzerIPV4],
       [EPOEvents].[SourceIPV4],
       [EPOEvents].[SourceURL],
       [HIP8_EventInfo].[Direction],
       [HIP8_EventInfo].[AppSigner],
       [HIP8_EventInfo].[AppDesc],
       [HIP8_EventInfo].[AppHash],
       [HIP8_EventInfo].[Hidden],
       [HIP8_EventInfo].[LocalIPAddress],
       [HIP8_EventInfo].[LocalPort],
       [HIP8_EventInfo].[Protocol],
       [HIP8_EventInfo].[Read],
       [HIP8_EventInfo].[RemotePort],
       [EPOEvents].[AutoID]
from [EPOEvents]
left join [HIP8_EventInfo]
       on [EPOEvents].[AutoID] = [HIP8_EventInfo].[EventID]

0 Kudos
1 Reply
pcktech
Level 9

Re: Retrieving Host IPS 8.0 Event Information from the database - how??

Given your title, I assume the Host IPS 8.0 Event Information you're seeking is the set of details at the bottom of a threat log entry you can view in ePO? That's the sort I was looking for, myself. Here's what I've found that might be related to what you're looking for:

Table: HIP8_IPSEventParameter

Fingerprint is [ParameterName] = 'Executable Fingerprint' with the [ParameterValue] giving the desired value.

File Name being the File Description? If so it'd be [ParameterName] = 'Executable Description' with the [ParameterValue] giving the desired value.

Path being the File Path? If so then [ParameterName] = 'local file' with the [ParameterValue] giving the desired value.

I'm a novice at SQL so I can't give you much advice on incorporating it, but from a quick Google search it seems you can join three tables together (for example: mysql - SQL join multiple tables - Stack Overflow).

0 Kudos
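The reply above says the three fields live as name/value rows in HIP8_IPSEventParameter, which means each one has to be joined separately and turned into a column. The following is an added example, not code from either poster: it builds the pivoted query in the same bracketed style as the original, runs it in Python against an in-memory SQLite stand-in for the three ePO tables with constructed sample rows, and shows why the ParameterName filter belongs in the ON clause rather than WHERE. The thread does not name the column that keys a HIP8_IPSEventParameter row to its event, so EVENT_KEY = "EventID" is an assumption (mirroring HIP8_EventInfo.EventID) that must be checked against the real database before the query is used there; the table/column names, aliases and sample values are likewise illustrative.

```python
import sqlite3

# The thread gives the HIP8_IPSEventParameter columns ParameterName and
# ParameterValue but not the column that keys a parameter row to its event.
# EVENT_KEY is an ASSUMPTION (it mirrors HIP8_EventInfo.EventID); confirm it
# on the real ePO SQL Server before relying on the query, e.g. with
#   SELECT name FROM sys.columns
#   WHERE object_id = OBJECT_ID('HIP8_IPSEventParameter');
EVENT_KEY = "EventID"

# One LEFT JOIN per parameter turns the name/value rows into columns. Keeping
# the ParameterName test in the ON clause (not WHERE) preserves events that
# lack a given parameter; they come back with NULL in that column instead of
# vanishing. The statement uses only syntax SQL Server also accepts.
PIVOT_QUERY = f"""
SELECT [EPOEvents].[AutoID]          AS [AutoID],
       [EPOEvents].[DetectedUTC]     AS [DetectedUTC],
       [EPOEvents].[TargetHostName]  AS [TargetHostName],
       [EPOEvents].[ThreatName]      AS [ThreatName],
       [HIP8_EventInfo].[AppHash]    AS [AppHash],
       [fp].[ParameterValue]         AS [TargetFingerprint],
       [fdesc].[ParameterValue]      AS [TargetFileName],
       [fpath].[ParameterValue]      AS [TargetPath]
FROM [EPOEvents]
LEFT JOIN [HIP8_EventInfo]
       ON [EPOEvents].[AutoID] = [HIP8_EventInfo].[EventID]
LEFT JOIN [HIP8_IPSEventParameter] AS [fp]
       ON [fp].[{EVENT_KEY}] = [EPOEvents].[AutoID]
      AND [fp].[ParameterName] = 'Executable Fingerprint'
LEFT JOIN [HIP8_IPSEventParameter] AS [fdesc]
       ON [fdesc].[{EVENT_KEY}] = [EPOEvents].[AutoID]
      AND [fdesc].[ParameterName] = 'Executable Description'
LEFT JOIN [HIP8_IPSEventParameter] AS [fpath]
       ON [fpath].[{EVENT_KEY}] = [EPOEvents].[AutoID]
      AND [fpath].[ParameterName] = 'local file'
ORDER BY [EPOEvents].[AutoID]
"""

# The tempting shortcut: filter in WHERE. The LEFT JOIN is silently turned
# into an inner join, so every event without a 'local file' row disappears,
# including all non-HIPS events in EPOEvents.
NAIVE_QUERY = f"""
SELECT [EPOEvents].[AutoID] AS [AutoID], [p].[ParameterValue] AS [TargetPath]
FROM [EPOEvents]
LEFT JOIN [HIP8_IPSEventParameter] AS [p]
       ON [p].[{EVENT_KEY}] = [EPOEvents].[AutoID]
WHERE [p].[ParameterName] = 'local file'
"""

# Minimal stand-in for the three ePO tables; only the columns used above.
SCHEMA = """
CREATE TABLE EPOEvents (AutoID INTEGER PRIMARY KEY, DetectedUTC TEXT,
                        TargetHostName TEXT, ThreatName TEXT);
CREATE TABLE HIP8_EventInfo (EventID INTEGER, AppHash TEXT);
CREATE TABLE HIP8_IPSEventParameter (EventID INTEGER, ParameterName TEXT,
                                     ParameterValue TEXT);
"""

# Constructed sample data, not real ePO records: event 1 carries all three
# parameters, event 2 has no description row, event 3 is not a HIPS event.
SAMPLE_ROWS = [
    ("INSERT INTO EPOEvents VALUES (?,?,?,?)",
     [(1, "2013-01-01T10:00:00", "WS01", "Buffer Overflow"),
      (2, "2013-01-01T10:05:00", "WS02", "Illegal API Use"),
      (3, "2013-01-01T10:10:00", "WS03", "EICAR test file")]),
    ("INSERT INTO HIP8_EventInfo VALUES (?,?)",
     [(1, "0a1b2c"), (2, "3d4e5f")]),
    ("INSERT INTO HIP8_IPSEventParameter VALUES (?,?,?)",
     [(1, "Executable Fingerprint", "0a1b2c"),
      (1, "Executable Description", "Sample App"),
      (1, "local file", r"C:\Temp\sample.dll"),
      (2, "Executable Fingerprint", "3d4e5f"),
      (2, "local file", r"C:\Users\Public\drop.exe")]),
]


def build_sample_db():
    """Create an in-memory SQLite database populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for stmt, rows in SAMPLE_ROWS:
        conn.executemany(stmt, rows)
    return conn


def fetch_hips_details(conn):
    """Run the pivot query; return one dict per EPOEvents row."""
    return [dict(r) for r in conn.execute(PIVOT_QUERY)]


def fetch_naive(conn):
    """Run the WHERE-filtered variant for comparison."""
    return [dict(r) for r in conn.execute(NAIVE_QUERY)]


if __name__ == "__main__":
    db = build_sample_db()
    for row in fetch_hips_details(db):
        print(row)
    print("naive query returned", len(fetch_naive(db)), "rows")
```

Against the sample data the pivot returns all three events, with NULLs where a parameter or HIP8_EventInfo row is missing, while the WHERE-filtered variant returns only the two that have a 'local file' row. One caveat before trusting the output on a real ePO database: if HIP8_IPSEventParameter can hold more than one row with the same event key and ParameterName, each extra row multiplies the event in the result, so check for duplicates with a GROUP BY ... HAVING COUNT(*) > 1 first.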