Fields In Queries From Threat Tables Not Populated With Data
When I use a Dashboard monitor to display threats, then click the displayed event or manually run a query to examine the details of a threat such as Host IPS: Desktop High Triggered Signatures - "Msgina registry key modified" (as an example), there will be some, if not all, results in the table for which certain fields are blank: System Name, MAC address, User Name, for instance.
So I can have, say, 5 machines that have reported a vulnerability, and all 5 can be the same machine, and when I click that vulnerability to display the Threat Log tables, one entry is blank for the fields I've listed (there are other blank fields too, but this is just representative);
OR, I can have multiple machines with the same vulnerability and all of them contain certain blank fields;
OR, I can have multiple machines with the same vulnerability - some entries have populated data fields, some entries contain fields that are blank.
When I click on any of the displayed line items, whether there are blank fields or not, the Threat Log Details table displays ALL the data.
Another symptom of this is that in the System Details view, there will be no Related Items bar at the bottom of the Host IPS 8.0 Event Information box and no "Go to related system" link - but ONLY for entries in the table with blank fields.
This started happening when I updated ePO from 22.214.171.124.
While I'm at it, I have a persistent blank entry in the table (monitor) "Threat Event Descriptions in the last 24hrs" on my Dashboard. It went incognito after the update; this blank trickles down to the System Tree view dashboard for individual machines too. I use the "Threat Event Descriptions in the last 24 hours" as one of my monitors.
Re: Fields In Queries From Threat Tables Not Populated With Data
Here's a similar symptom that I haven't been able to resolve, but have at least been able to identify the cause of:
In my dashboard, I am posting Threat Events in the Past 24 Hours. Since updating ePO from 126.96.36.199 to 188.8.131.52 there is always one line of threat descriptions that is blank. I can click on it and display the table of events, but I had no idea what the "Threat" was.
I finally figured it out. It is Event ID: 18000. If I go to Menu > Server Settings > Event Filter to look up the code, it's not there. That is why the line item in my monitor is blank. Event ID: 18000 is supposed to be "HIPS Intrusion Detected and Handled". It USED to show up before I updated my ePO. I see this on two separate ePO servers running on two separate domains.