sol
Level 9
Message 1 of 7

Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

I am wanting to get alerts on devices that are producing consistent potential risk activity. I don't see a built in report or where this information is being pulled into ePO via the agent. Is there a way to do this?

6 Replies

Re: Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

Hi sol, access protection logs are already pushed to ePO by default and they appear under the threat events log.

What you need is to customize a query so you can decide which access protection events you want to appear in it.

sol
Level 9
Message 3 of 7

Re: Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

These are the types of logs I am looking for and I don't see them in ePO. I see them on the devices in the desktop log files. I see actual threat detections but not even activity that I can set rules on.

I want to know what devices are trying to spoof or run files from the temp folders. I want to be able to set an alert that says if XXXXX device is trying to send from the TEMP folder more than 5 times in 1 minute... alert me. Can I do this?

4/15/2015  9:37:17 AM  Would be blocked by Access Protection rule (rule is currently not enforced)  ST_CLOUD\username  C:\Windows\explorer.exe  \Device\Mup\hostname\c$\Users\username2\AppData\Local\Temp\AcDeltree.exe  Common Standard Protection:Prevent common programs from running files from the Temp folder  Action blocked : Execute

4/15/2015  10:32:33 AM  Would be blocked by Access Protection rule (rule is currently not enforced)  ST_CLOUD\username  C:\Windows\explorer.exe  \Device\Mup\hostname\c$\Windows\explorer.exe  Anti-virus Standard Protection:Prevent Windows Process spoofing  Action blocked : Read

4/16/2015  9:19:41 AM  Would be blocked by Access Protection rule (rule is currently not enforced)  ST_CLOUD\username3  C:\Windows\explorer.exe  \Device\Mup\hostname 2\c$\Windows\explorer.exe  Anti-virus Standard Protection:Prevent Windows Process spoofing  Action blocked : Read

4/16/2015  9:54:30 AM  Would be blocked by Access Protection rule (rule is currently not enforced)  ST_CLOUD\username3  C:\Windows\explorer.exe  \Device\Mup\hostname\c$\Users\cpt111\AppData\Local\Temp\supoptsetup.exe  Common Standard Protection:Prevent common programs from running files from the Temp folder  Action blocked : Execute
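The "more than 5 times in 1 minute" rule sol describes, as an added example that is not from this thread or from McAfee: a Python script that parses AccessProtection log rows in the column layout pasted above (assumed tab-separated, one log per device), filters on a rule name and flags devices that exceed a count inside a sliding window. Hostnames, users and paths in the sample rows are constructed placeholders.

```python
from datetime import datetime, timedelta

# Column order assumed from the pasted log (tab-separated):
# date, time, action text, user, process, target, rule name, action blocked.
TEMP_RULE = "Prevent common programs from running files from the Temp folder"
SPOOF_RULE = "Prevent Windows Process spoofing"

def parse_events(log_text):
    """Yield (timestamp, rule_name) for each well-formed log row."""
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 8:
            continue  # blank or truncated row
        when = datetime.strptime(f"{cols[0]} {cols[1]}", "%m/%d/%Y %I:%M:%S %p")
        # Rule column reads "Common Standard Protection:Prevent ..."; keep the rule name only.
        yield when, cols[6].split(":", 1)[-1].strip()

def burst_devices(logs_by_device, rule=TEMP_RULE, threshold=5, window=timedelta(minutes=1)):
    """Return {device: count} for devices with more than `threshold` events for `rule` in any `window`."""
    flagged = {}
    for device, text in logs_by_device.items():
        times = sorted(t for t, r in parse_events(text) if r == rule)
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window past old events
                start += 1
            if end - start + 1 > threshold:
                flagged[device] = end - start + 1
                break
    return flagged

def _row(date, time, target, rule):
    """Constructed sample row in the pasted layout (user and host are placeholders)."""
    return "\t".join([date, time, "Would be blocked by Access Protection rule (rule is currently not enforced)",
                      r"ST_CLOUD\user1", r"C:\Windows\explorer.exe", target,
                      "Common Standard Protection:" + rule, "Action blocked : Execute"])

TEMP_EXE = r"C:\Users\user1\AppData\Local\Temp\setup.exe"
SAMPLE_LOGS = {
    # host-a: six Temp-folder executions within 40 seconds -> exceeds 5 per minute
    "host-a": "\n".join(_row("4/15/2015", f"9:37:{s:02d} AM", TEMP_EXE, TEMP_RULE)
                        for s in (10, 15, 20, 25, 30, 50)),
    # host-b: five events spread over three minutes -> stays below the threshold
    "host-b": "\n".join(_row("4/15/2015", f"9:{m:02d}:00 AM", TEMP_EXE, TEMP_RULE)
                        for m in (37, 37, 38, 39, 40)),
    # host-c: a burst of process-spoofing events, which a different rule catches
    "host-c": "\n".join(_row("4/16/2015", f"9:19:{s:02d} AM", r"C:\Windows\explorer.exe", SPOOF_RULE)
                        for s in range(41, 53, 2)),
}

if __name__ == "__main__":
    print(burst_devices(SAMPLE_LOGS), burst_devices(SAMPLE_LOGS, rule=SPOOF_RULE))  # {'host-a': 6} {'host-c': 6}
```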

Re: Re: Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

Have a look at the attached query, it should reflect access protection events stored in ePO.



sol
Level 9
Message 5 of 7

Re: Re: Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

Lazlo, thank you so much for your assistance. This document was an empty page.

sol
Level 9
Message 6 of 7

Re: Re: Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

After running the report I realized it shows me the known detected threats and activity taken. I was looking more for a report/query where devices that are logging activity (OnAccess Protection log) such as blocks, writes, attempts to disable and there are no threats detected. To me this activity could be a sign that something on the device is active but not being detected.

I would like to check these devices out. The Threat event log only displays KNOWN threats on the device and what action was taken on them.

dcobes
Level 9
Message 7 of 7

Re: Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

You need to first verify if you have the Access Protection rule logging via Policy Catalog > Access Protection Policies.

Example (screenshots attached: Forums-AccessProtection001.png through Forums-AccessProtection004.png)

-d