
ePO 4 Query For Specific Threat Detection

OK -- I have worked my way up through ePO since v2, and I always managed to figure out how to use the build-in reports/queries and customize them as needed.

Well, I just upgraded to 4.0 and I already revised some built-in queries to my own needs (like stats for the last week) for pie charts in the dashboard -- no big deal.

But I need to scan the events (10 days of ePO 4.0 events and 1-year of ePO 3.6.1 events migrated over) for some specific threat names.

I started from scratch -- Reporting, New Query, Events, Table -- added User Name to table, Filter -- Threat Name Equals "Name" and Event Generated Time is within the last 1 months.

Click Run and it never finishes -- my console session gets logged off while it is still running (and as far as I know there may now be like five of these queries all stuck running -- anyone know how to check and kill them?).

What did I do wrong? Doing the equivalent in the built-in reporting of v3.6.1 would have taken only a few minutes to run.

As far as I can tell otherwise, ePO is working, agents are reporting (2200 managed systems), tasks are working, the dashboard reports work.

Thanks for any suggestions!

Dana Brigham
DIS ISS Network Services
Sr. Security Analyst / CISSP
National Science Foundation

RE: ePO 4 Query For Specific Threat Detection

Well, I think that I figured part of it out -- I was using the criteria that the Threat Detected "contains" the name (or part of a name) and then the query takes forever.

If I use "Equals" then the query runs as expected.

But since I specify the timeframe for the check, that should still make even a "contains" query not scan the whole *30GB* of data in the database! Or do I have to put the time limit as the *first* criteria and then the threat name second?
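The behaviour described in the reply, as an added example that is not part of the original thread: a constructed SQLite table stands in for the ePO event store (table, column, user and threat names are assumptions, not ePO's real schema) and shows that an "Equals" filter can seek into an index on the threat name, that a "Contains" filter (a leading-wildcard LIKE) forces a full table scan no matter how narrow the time window is, and that the order in which the criteria are written does not change the plan.

```python
import sqlite3

# Hypothetical filters standing in for the three ePO query variants.
EQUALS_SQL = ("SELECT user_name FROM events "
              "WHERE threat_name = ? AND event_generated_time BETWEEN ? AND ?")
CONTAINS_SQL = ("SELECT user_name FROM events "
                "WHERE threat_name LIKE ? AND event_generated_time BETWEEN ? AND ?")
# Same filter as EQUALS_SQL with the time criterion written first.
TIME_FIRST_SQL = ("SELECT user_name FROM events "
                  "WHERE event_generated_time BETWEEN ? AND ? AND threat_name = ?")


def build_db():
    """Constructed in-memory event store (assumed schema, sample rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events (user_name TEXT, threat_name TEXT, "
                "event_generated_time TEXT)")
    con.executemany("INSERT INTO events VALUES (?, ?, ?)", [
        ("alice", "Generic.dx", "2008-03-01 10:00:00"),
        ("bob", "W32/Virut", "2008-03-05 11:00:00"),
        ("carol", "Generic.dx!abc", "2008-02-01 09:00:00"),  # outside window
        ("dave", "Exploit-PDF", "2008-03-10 12:00:00"),
    ])
    # An index led by threat_name is what an "Equals" filter can seek into.
    con.execute("CREATE INDEX ix_threat_time "
                "ON events(threat_name, event_generated_time)")
    return con


def query_plan(con, sql, params):
    """Planner steps for the filter (detail column of EXPLAIN QUERY PLAN)."""
    return [row[3] for row in con.execute("EXPLAIN QUERY PLAN " + sql, params)]


def seeks_index(con, sql, params):
    """True when the plan seeks the threat-name index rather than scanning."""
    return any("USING INDEX ix_threat_time" in s for s in query_plan(con, sql, params))


def same_plan(con, sql_a, params_a, sql_b, params_b):
    """True when two filters compile to the identical access plan."""
    return query_plan(con, sql_a, params_a) == query_plan(con, sql_b, params_b)


def run(con, sql, params):
    return [row[0] for row in con.execute(sql, params)]


if __name__ == "__main__":
    con = build_db()
    window = ("2008-03-01 00:00:00", "2008-03-31 23:59:59")
    print("equals seeks index:  ", seeks_index(con, EQUALS_SQL, ("Generic.dx",) + window))
    print("contains seeks index:", seeks_index(con, CONTAINS_SQL, ("%Generic%",) + window))
    print("criteria order irrelevant:", same_plan(con, EQUALS_SQL, ("Generic.dx",) + window,
                                                  TIME_FIRST_SQL, window + ("Generic.dx",)))
```

Both filters return the same rows for the window; only the access path differs, which is why the "Contains" variant has to read the whole table even with the time criterion present.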
