
ePO 4.0 EPOEvents Table

Hi Team,

We recently upgraded ePO 3.5 to 4.0. On ePO 3.5 we had some reports scheduled based on the Events table, and in ePO 4.0 this table is now EPOEvents.

While running SQL queries on EPOEvents we found that the column "AnalyzerIPV4" is not showing the IP address "10.10.23.57" but the value "-1971294919".

In ePO 3.5 we had the HostIPAddress column, which used to give us the correct IP address.

Should the "AnalyzerIPV4" column show the IP address? Or is this behavior correct?

SQL Query is:

SELECT AutoID, ReceivedUTC, Analyzer, AnalyzerVersion, AnalyzerHostName, AnalyzerIPV4, TargetUserName, ThreatName, ThreatEventID, TargetFileName, AnalyzerEngineVersion, AnalyzerDATVersion, DetectedUTC, ThreatActionTaken, ThreatSeverity, ThreatType, ThreatName, Analyzer, cast(AgentGUID as varchar(50)), ServerID, ReceivedUTC FROM EPOEvents

Thanks and Regards
Satya
1 Reply
tb_ng

Re: ePO 4.0 EPOEvents Table

See KB66342. However, that's only a partial answer -- it doesn't work on all IP addresses due to the way the data is stored (bits are truncated from either end to save space -- VarDecimal maybe?). Has to be a formula somewhere to convert it to a decimal. From there you can use Excel to convert it. Something like this (where the integer for the IP is in C2):

=IF(C2<>"", CONCATENATE(INT(C2/256^3), ".", INT(MOD(C2, (256^3))/(256^2)), ".", INT(MOD(MOD(C2, 256^3), 256^2)/256), ".", MOD(MOD(MOD(C2, 256^3), 256^2), 256)), "")

Thanks.
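
An added example, not part of the thread and not taken from KB66342: a T-SQL query that does the same octet arithmetic as the Excel formula above, after first shifting the signed value back into the 0 to 4294967295 range. It assumes the column holds the 32-bit address minus 2147483648 (so that it fits a signed int), which the thread does not state; `@Sample`, `Addr` and `AnalyzerIP` are names made up for the example, and the sample rows are constructed around the value quoted in the question.

```sql
-- Constructed sample rows standing in for EPOEvents (not real event data).
DECLARE @Sample TABLE (AutoID int, AnalyzerIPV4 int NULL);

INSERT INTO @Sample (AutoID, AnalyzerIPV4)
SELECT 1, -1971294919              -- value quoted in the question
UNION ALL SELECT 2, -2147483648    -- lowest value an int column can hold
UNION ALL SELECT 3,  2147483647    -- highest value an int column can hold
UNION ALL SELECT 4,  NULL;         -- event with no analyzer address

SELECT s.AutoID,
       s.AnalyzerIPV4,
       -- Split the unsigned address into four octets, most significant first.
       -- Addr is bigint, so / is integer division and % is the remainder.
       CAST( s.Addr / 16777216      AS varchar(3)) + '.' +
       CAST((s.Addr / 65536) % 256  AS varchar(3)) + '.' +
       CAST((s.Addr / 256)   % 256  AS varchar(3)) + '.' +
       CAST( s.Addr          % 256  AS varchar(3)) AS AnalyzerIP
FROM (
    SELECT AutoID,
           AnalyzerIPV4,
           -- ASSUMPTION: stored value = unsigned address - 2^31.
           -- Both operands are cast to bigint: a bare 2147483648 literal is
           -- typed as numeric, which would turn the divisions above into
           -- fractional ones. A NULL input stays NULL through to AnalyzerIP.
           CAST(AnalyzerIPV4 AS bigint) + CAST(2147483648 AS bigint) AS Addr
    FROM @Sample
) AS s
ORDER BY s.AutoID;
```

To use it in a report, replace `@Sample` with `EPOEvents`, and compare the output for a host whose address you already know before relying on it.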