I'd need to create a query of systems that had at least (equal number or more) a certain number of threat events within an interval. For example, hosts that reported at least 100 infection attempts in a week (day, etc.). Hosts with a lower number of events are not of interest (i.e. must not be displayed in the query).
I could not find a way to tailor a query to do this; maybe someone else could?
Thanks in advance for any clue.
Hi Attila Polinger,
Instead of creating a query you can configure an Automatic Response.
In Response Builder:
1) Select Event Group as ePO Notification and Event Type as Threat.
2) Select the appropriate filter criteria as per your requirement, such as "Threat Handled equals True".
3) In grouping: Source Host Name or Source IP Address, as per your requirement.
Enter the mail address to whom the mail needs to be sent and the information about the systems, which you can include using the Insert Values drop-down box.
Thank you for your reply. Automatic Response would be good; however, among the clients we manage an SMTP server is not available everywhere for the respective ePO server.
Anyway, thank you for the idea.
I did think maybe your answer would lie down the web.API route, but the SQL support in that is not powerful enough for that type of query.
However, if you're familiar with XML/XSL scripting, I'm sure it would be technically possible to do the hard slog processing outside of ePO with a chained web.API and an XSL translation process.
Basically, build a web.API query to extract all of the events in ePO and return the result as XML, and then filter/count them with XSL.
Although this solution would be outside of ePO, it would potentially just be a single action of just opening the initial query file in a browser.
Message was edited by: Tristan on 23/07/13 16:44:51 IST
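As an added illustration of the "extract as XML, then filter/count outside ePO" approach in the reply above (not code from the original thread or from ePO), here the counting step is done in Python instead of XSL. The XML element names (row, ReceivedUTC, SourceHostName) and the sample export are constructed assumptions, not the real web.API output format.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export. Element names (row, ReceivedUTC, SourceHostName)
# are assumptions for illustration, not the real ePO web.API schema.
def _row(host, ts):
    return f"<row><ReceivedUTC>{ts}</ReceivedUTC><SourceHostName>{host}</SourceHostName></row>"

SAMPLE_EVENTS = (
    [("HOST-A", f"2013-07-2{d}T08:00:00") for d in range(1, 6)]              # 5 inside the week
    + [("HOST-B", "2013-07-22T09:00:00"), ("HOST-B", "2013-07-23T09:00:00")]  # 2 inside
    + [("HOST-C", "2013-07-19T23:00:00")]                                     # 1 before the window
    + [("HOST-C", f"2013-07-2{d}T12:00:00") for d in range(2, 5)]             # 3 inside
)
SAMPLE_XML = "<result>" + "".join(_row(h, t) for h, t in SAMPLE_EVENTS) + "</result>"


def threat_counts_in_window(xml_text, window_start, days):
    """Count events per source host whose timestamp falls in [start, start + days)."""
    start = datetime.fromisoformat(window_start)
    end = start + timedelta(days=days)
    counts = Counter()
    for row in ET.fromstring(xml_text).iter("row"):
        host = row.findtext("SourceHostName")
        stamp = row.findtext("ReceivedUTC")
        if host is None or stamp is None:
            continue  # skip malformed rows rather than failing the whole report
        if start <= datetime.fromisoformat(stamp) < end:
            counts[host] += 1
    return counts


def hosts_at_or_above(xml_text, threshold, window_start="2013-07-20", days=7):
    """Hosts with at least `threshold` events in the window, busiest first; others are dropped."""
    counts = threat_counts_in_window(xml_text, window_start, days)
    hits = [(host, n) for host, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for host, n in hosts_at_or_above(SAMPLE_XML, threshold=3):
        print(f"{host}: {n} events")
```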
Perhaps you could still use Automatic Response, but instead of triggering an e-mail, you assign a special tag to the affected systems, which you can then use to build your query.
Message was edited by: mapc on 8/13/13 9:21:27 AM CDT