sallen
Level 7
Message 1 of 5

Which RSD Sensor Detected System?

Is there a way to find out which rogue system sensor detected a particular system? It would help in finding a suspect machine.


Thanks

Scott

1 Solution

Accepted Solutions
jking
Level 10
Message 4 of 5

Re: Which RSD Sensor Detected System?

If you don't include the EPOLeafNode table as one of the selects, no join will be performed and you'll just get a list of your sensors.  If you do include the EPOLeafNode table, but without a filter, then I would expect you to see every system that has a matching managed system.

Oh, that's another point I should make though ... if you're looking to find an unmanaged device, you might want to look at using RSDDetectedSystems.DnsName.  If the system isn't managed, there won't be an entry in the link table between the detected system and the EPOLeafNode table.

Jon

PS: An example:

https://server:8443/remote/core.executeQuery?target=RSDDetectedSystems&select=(select%20RSDSensors.S...

Change the contains filter to something that you'd expect to have a match.

4 Replies
jking
Level 10
Message 2 of 5

Re: Which RSD Sensor Detected System?

Try querying against the RSDSensors table.  The following query lists sensor name and system name:

https://<server>:8443/remote/core.executeQuery?target=RSDSensors&select=(select%20RSDSensors.SensorName%20EPOLeafNode.NodeName)&where=(contains%20EPOLeafNode.NodeName%20%22kl%22)&:output=terse

OK:
Sensor Name                        System Name
---------------------------------- -----------
Rogue System Sensor - 10.84.132.87 KL51--51-ST

Note that if the same system was detected multiple times, I'd expect multiple lines in the output, since we're starting from the sensors and joining through to the leaf node table.

Regards,

Jon
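
Added example (not part of Jon's post, and not McAfee code): a small Python helper that builds the query URL from the reply above and parses the terse output into a system-to-sensors map, so a system detected more than once shows every sensor that reported it. The host `epo.example`, the function names, and the second sample row are assumptions made for illustration; the parser assumes the terse layout shown in the post (an `OK:` line, a header row, a dashed rule, then fixed-width rows), and fetching the URL with ePO credentials is left out.

```python
import re
from collections import defaultdict
from urllib.parse import quote

def build_query_url(server, target, select, where=None, port=8443):
    """Build a core.executeQuery URL, percent-encoding as in the posted URL."""
    enc = lambda s: quote(s, safe="()")  # keep the S-expression parentheses
    params = [f"target={enc(target)}", f"select={enc(select)}"]
    if where:
        params.append(f"where={enc(where)}")
    params.append(":output=terse")
    return f"https://{server}:{port}/remote/core.executeQuery?" + "&".join(params)

def parse_terse(text):
    """Turn terse output into one dict per row, keyed by column header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("OK:"):
        raise ValueError("query failed: " + (lines[0] if lines else "empty response"))
    if len(lines) < 3:
        return []
    # Column boundaries come from the dashed rule, not from whitespace:
    # sensor names contain spaces and system names may contain dashes.
    spans = [m.span() for m in re.finditer(r"-+", lines[2])]
    if not spans:
        raise ValueError("unexpected terse layout: no dashed rule")
    def cut(line):
        cells = [line[a:b] for a, b in spans[:-1]] + [line[spans[-1][0]:]]
        return [c.strip() for c in cells]
    names = cut(lines[1])
    return [dict(zip(names, cut(row))) for row in lines[3:]]

def sensors_by_system(rows):
    """Group rows so each system lists every sensor that reported it."""
    seen = defaultdict(set)
    for row in rows:
        seen[row["System Name"]].add(row["Sensor Name"])
    return {system: sorted(sensors) for system, sensors in seen.items()}

# Sample output: first data row is from the post, second row is constructed.
SAMPLE = "\n".join([
    "OK:",
    f"{'Sensor Name':<34} System Name",
    "-" * 34 + " " + "-" * 11,
    f"{'Rogue System Sensor - 10.84.132.87':<34} KL51--51-ST",
    f"{'Rogue System Sensor - 192.0.2.10':<34} KL51--51-ST",
])

if __name__ == "__main__":
    print(sensors_by_system(parse_terse(SAMPLE)))
```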

sallen
Level 7
Message 3 of 5

Re: Which RSD Sensor Detected System?

If I take off the Where clause all I get is a list of my sensors.

Thanks

Scott

sallen
Level 7
Message 5 of 5

Re: Which RSD Sensor Detected System?

I think this just might work. I replaced the "kl" in your query with a "." to list everything.


Thanks!

Scott