We pull logs from the ePO database via the EPOEventsMT table. One thing I noticed is that any Exploit Protection entry lists the same ThreatID every time (ID 18054), with nothing distinguishing which specific one it refers to. In the agent GUI I can clearly see the specifics via the Analyzer rule ID and name.
I did find the table that houses the simple list of HIP8 signatures via KB82313 (and then removing the CVE WHERE criteria). This has the details I need.
What I am struggling with, however, is what I can use to join these two, so that I can query the EPOEventsMT table and join in the specific signature details for the individual entries. Is anyone aware of how I can accomplish this? Or is there another table that has the info I'm looking for?
Hello @User76548052
Thanks for your post.
You can create a query including those events in ePO, then go to that query, Actions, View SQL, and you will get all the information about the tables the data is coming from.
You can also try referring to the database schema:
KB91051
Thanks. I don't see the ability to create a query, I think I'm lacking in rights on the server.
I tried to follow the documentation to get the schema document, but the KB it cites (KB86265) says the document is retired and no longer available.
Hello @User76548052
Thanks for your response.
The KB is retired because ePO 5.3.x is no longer supported and is end of life.
That's the reason you are seeing the retired notification when opening KB86265.
Thanks. I was able to get the schema now. Guess I'll need to reach out to support for the HIP8 schema next.