Jmac24
Level 10
Message 1 of 20

Using tags for escalation

I'm trying to automate escalation of systems that have out-of-date or missing endpoint products, using tagging, queries against the systems with those tags, and then a daily server task that runs the queries to clear the tag if the product is now up to date, or to replace it with a new tag.

Giving a small example of what is a pretty complex set of tags and queries:

I have a tag for workstations with missing or out-of-date ATP: NC_WS_ATP. Simple enough. If the version is less than 10.6.1 or equals 0.0 and it is a workstation, it gets auto-tagged. In the afternoon each day a task runs to check any system with that tag and, if the system was online that day, check the version. If it is 10.6.1 or higher, the tag is cleared. If not, an escalation tag, NC_WS_ATP2, is applied and the previous tag is cleared. A client task is set to run against any system with that new tag. If it is up to date, that one is cleared; if not, a new tag, NC_WS_ATP3, is applied and the previous one cleared, and then a final query against that one runs, which sends a report to the appropriate group to run remediation steps.

The biggest problem I am running into is there seems to be no way to fully automate this, because there is no ability to exclude a system from being tagged if it has a particular tag.

So, in this case, I wouldn't want the NC_WS_ATP tag to apply to the systems with the NC_WS_ATP2 or NC_WS_ATP3 tags since it's already moving through the process. That said, I don't want the NC_WS_ATP tagging to have to be a manual process, because that defeats the purpose of trying to automate this. 

The whole point of this is to make sure that all baseline products are on all of our systems and that we run remediation steps automatically before sending something to different groups to run through manual steps. 

If anyone is doing something similar, or has a solution I am missing, let me know.


19 Replies
cdinet
McAfee Employee
Message 2 of 20

Re: Using tags for escalation

You would have to use your queries to also say, does not have tag xxxx or something similar. It can be done, it just takes a lot of working out the different scenarios and running different queries.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
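As an added illustration of the escalation process from the original post and the "does not have tag" exclusion suggested in the reply above (this is not ePO query syntax or any McAfee code, just a stand-alone model of the logic): the tag names NC_WS_ATP, NC_WS_ATP2, NC_WS_ATP3 and the 10.6.1 threshold come from the thread; the inventory records, the `System` class and the helper functions are constructed here for illustration.

```python
# Added example, not from the thread or from McAfee. Models the daily
# tag-based escalation with an explicit "not already in the pipeline" check
# so that a system at stage 2 or 3 is never re-tagged with stage 1.
from dataclasses import dataclass, field

REQUIRED = (10, 6, 1)                                   # threshold from the post
PIPELINE = ["NC_WS_ATP", "NC_WS_ATP2", "NC_WS_ATP3"]    # escalation stages, in order


def parse_version(text):
    """Turn '10.6.1' into (10, 6, 1); '0.0' (product absent) becomes (0, 0)."""
    return tuple(int(p) for p in text.split("."))


def is_compliant(version):
    # Pad so '10.6' compares sanely against (10, 6, 1); a missing product is (0, 0).
    v = parse_version(version) + (0, 0, 0)
    return v[:3] >= REQUIRED


@dataclass
class System:
    name: str
    is_workstation: bool
    atp_version: str          # "0.0" = product missing, as in the post
    online_today: bool
    tags: set = field(default_factory=set)


def in_pipeline(system):
    """True if the system already carries any escalation-stage tag."""
    return any(t in system.tags for t in PIPELINE)


def initial_tagging(systems):
    """Check-in rule: workstation with non-compliant ATP gets NC_WS_ATP.
    The in_pipeline() exclusion is the 'does not have tag xxxx' criterion
    from the reply; without it, a stage-2 or stage-3 system would be re-tagged."""
    for s in systems:
        if s.is_workstation and not is_compliant(s.atp_version) and not in_pipeline(s):
            s.tags.add("NC_WS_ATP")


def daily_escalation(systems):
    """Afternoon server task: for each stage, re-check tagged systems that were
    online today; clear the tag on compliance, otherwise move to the next stage.
    Returns the names that sit at the final stage (the report to remediation)."""
    report = []
    # Walk stages last-to-first so a system is promoted at most once per run.
    for i in range(len(PIPELINE) - 1, -1, -1):
        stage = PIPELINE[i]
        for s in systems:
            if stage not in s.tags or not s.online_today:
                continue
            if is_compliant(s.atp_version):
                s.tags.discard(stage)
            elif i + 1 < len(PIPELINE):
                s.tags.discard(stage)
                s.tags.add(PIPELINE[i + 1])
            else:
                report.append(s.name)
    return sorted(report)


def simulate(days):
    """Run the check-in rule and the daily task for a constructed fleet.
    Returns one (tags-per-system, report) pair per day."""
    fleet = [
        System("ws-01", True, "10.6.1", True),   # compliant, never tagged
        System("ws-02", True, "0.0", True),      # ATP missing, online daily: escalates
        System("ws-03", True, "10.5.0", False),  # out of date but offline: stays at stage 1
        System("srv-01", False, "0.0", True),    # server: workstation rule does not apply
    ]
    history = []
    for _ in range(days):
        initial_tagging(fleet)
        report = daily_escalation(fleet)
        history.append(({s.name: sorted(s.tags) for s in fleet}, report))
    return history


if __name__ == "__main__":
    for day, (tags, report) in enumerate(simulate(3), start=1):
        print(f"day {day}: {tags}  report={report}")
```

The `initial_tagging` exclusion is the piece the thread says ePO's criteria-based tagging cannot express on its own; in the model it is a single membership test, which is why the OP's workaround is a scheduled server task whose query carries the "does not have tag" clause.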

Jmac24
Level 10
Message 3 of 20

Re: Using tags for escalation

I'm in the middle of working through it. I have 36 queries just for our corporate workstations, and will have to do more for our different types of servers and retail endpoints. It's a lot of work up front but once it's in place it will be nice.

Where being able to exclude a tag if another tag exists would be very helpful is with auto-tagging based on criteria at each check-in. Right now I can't do that, because it would keep re-tagging the system with the initial non-compliant tag even if it has the NC2, NC3, or NC4 tag applied. So for now I have to make it a manual initial step with the scheduled server task. Being able to do that would make it truly hands-off, other than modifying the criteria once we push new versions out.

cdinet
McAfee Employee
Message 4 of 20

Re: Using tags for escalation

Yes, it would be nice to have an additional criterion available for tagging that includes the option of whether another tag exists or not. You can submit that as an Idea per KB60021, but in the meantime, your server tasks seem to be your best automated option.


cdinet
McAfee Employee
Message 5 of 20

Re: Using tags for escalation

I don't know what version of ePO you are on, but ePO 5.10 has additional tagging properties based on installed product versions. You might want to look into that.


Jmac24
Level 10
Message 6 of 20

Re: Using tags for escalation

We are on 5.10. That's what I was hoping to use. Here's the problem though:

A system checks in with out-of-date ENS, let's say platform less than 10.6.1. I tag it as NC_ENS. I can now take action on it. At that point, I'm using that tag in a client task to install that version on systems with that tag, then a query either at the end of the day or the next day to re-check systems with that tag. If it's been updated, clear the tag, no further action. If it's not up to date, I want to clear the tag, then tag NC_ENS2, then take action on only systems with that tag. The problem with that is that if I'm tagging based on criteria at every check-in, then it's going to re-tag it with the original tag, because I can't exclude it.

It's awesome for initial tagging based on the installed versions; it just limits our ability to run a sort of triage/escalation process in an automated way. Like I said, if I could exclude based on a different tag already existing, it would be perfect. I can work around it; it's just that one thing that would make it the perfect best-case process for what I'm trying to do. This, and the ability to build queries with "or" instead of "and" between sets of criteria.

cdinet
McAfee Employee
Message 7 of 20

Re: Using tags for escalation

Yes, that would be good to submit as an idea.


Jmac24
Level 10
Message 8 of 20

Re: Using tags for escalation

That one is already in there; I actually put one in years ago in the old system for that.

https://community.mcafee.com/t5/Enterprise-Customer-Product/rePO-support-quot-or-quot-in-queries/idc...

Jmac24
Level 10
Message 9 of 20

Re: Using tags for escalation

I'm building this out a little further and am now running into a different issue, but it's related to this topic.
I have the server task running the queries and taking action on the systems that come back from those results.

Same idea as before: the query checks systems tagged NC_WS_DLP, and if DLP is not up to date, it applies the tag NC_WS_DLP2. That part works fine. I added a second sub-action to clear the NC_WS_DLP tag. The second one does not do anything. I have several of them that do the same: the tagging part works, but not the clearing. Screenshots attached below.

[Screenshot attached: ST_DLP.PNG]

[Screenshot attached: ST_DLP2.jpg]

I think the sub-action should apply to the systems that the Apply Tag action was successful on, but as you can see, it does not. I could get around it, but that would require a lot more logic and more queries; I'm already 60-some queries deep and counting for this, and this would make me add a few more for each component, which would make the number of queries needed grow exponentially. Does this seem like a bug? I know I've used both server tasks and automatic responses to run multiple actions and sub-actions without issue before, just not these particular actions.

cdinet
McAfee Employee
Message 10 of 20

Re: Using tags for escalation

Are you positive that the systems the query pulls up have the tag you are trying to clear? What happens if you put the Clear Tag action first, before the Apply Tag? Just before you run the server task, run that query and validate that the systems do have the tag applied that you want cleared.
