1 Reply Latest reply on Oct 2, 2017 5:53 AM by chrisnlc

    XML: McAfee ePO Dashboard Issue

    spharris55

      Hello,

      I am working with a DLP tool (McAfee ePO DLP 9.4). I'm configuring the Dashboard, but it keeps giving me the wrong data. It should be giving me a daily update of the incidents that have been generated for that day, but it seems to be pulling all the incidents that were generated throughout history.

      Example: It should show incidents created on Monday 08/28/2017. Instead, I think it's giving me every incident that happened on a Monday.

      Here's the XML:

      <name>DLP: Number of Incidents per day (data in-use/in-motion)</name>

      <description>This report summarizes number of incidents (data in-use/in-motion) per day</description>

      <target>UDLP_Incidents</target>

      <table-uri>query:table?orion.table.columns=UDLP_Incidents.IncidentId%3AUDLP_Incidents.IncidentType%3AUDLP_Incidents.ViolationLocalTime%3AUDLP_Incidents.ViolationUTCTime%3AUDLP_Incidents.Severity%3AUDLP_Incidents.Reviewer%3AUDLP_Incidents.EvidenceCount%3AUDLP_Incidents.TotalMatchCount%3AUDLP_Incidents.TotalContentSize%3AUDLP_Incidents.ConnectivityState%3AUDLP_Incidents.ActualAction&orion.table.order=az&orion.table.order.by=UDLP_Incidents.IncidentId%3AUDLP_Incidents.IncidentType%3AUDLP_Incidents.ViolationLocalTime%3AUDLP_Incidents.ViolationUTCTime%3AUDLP_Incidents.Severity%3AUDLP_Incidents.Reviewer%3AUDLP_Incidents.EvidenceCount%3AUDLP_Incidents.TotalMatchCount%3AUDLP_Incidents.TotalContentSize%3AUDLP_Incidents.ConnectivityState%3AUDLP_Incidents.ActualAction</table-uri>

      <condition-uri>query:condition?orion.requied.sexp=%28+where+%28+newerThan+UDLP_Incidents.LastUpdateTimestamp+2592000000++%29+%29&orion.condition.sexp=</condition-uri>

      <summary-uri>query:summary?orion.sum.query=true&orion.query.type=line.line&orion.sum.group.by=UDLP_Incidents.LastUpdateTimestamp&orion.sum.time.cols=true&orion.sum.time.unit=day&orion.sum.order=oldest&orion.sum.aggregation=count&orion.sum.aggregation.showTotal=false</summary-uri>

      I'm hoping someone can look at the XML and give me some insight as to what is going on?


      Thanks!

        • 1. Re: XML: McAfee ePO Dashboard Issue
          chrisnlc

          If I remember correctly, the condition "UDLP_Incidents.LastUpdateTimestamp+2592000000" is 30 days in milliseconds. So you'll get 30 days of events.

          So if you're doing a custom dashboard based on a query then you can modify the query for 'last day' or 24-hours to get the right data.


          _Chris.
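To make the 30-day window concrete, here is an added Python example (not from the original post or from McAfee) that decodes the posted condition-uri, reports how many days its newerThan value covers, and re-encodes it for a 24-hour window as Chris suggests. The parameter name and S-expression are taken exactly as posted; the regular expression for the newerThan clause is an assumption about its layout.

```python
import re
from urllib.parse import quote_plus, unquote_plus

MS_PER_DAY = 24 * 60 * 60 * 1000  # 86400000 ms in one day

# The <condition-uri> from the post, re-joined into one line (copied, not generated).
CONDITION_URI = (
    "query:condition?orion.requied.sexp=%28+where+%28+newerThan"
    "+UDLP_Incidents.LastUpdateTimestamp+2592000000++%29+%29"
    "&orion.condition.sexp="
)

# Assumed layout of the clause: "( newerThan <column> <milliseconds> )"
NEWER_THAN = re.compile(r"\(\s*newerThan\s+(\S+)\s+(\d+)\s*\)")


def sexp_param(uri: str) -> tuple[str, str]:
    """Return (parameter name, decoded S-expression) of the first non-empty *.sexp parameter."""
    query = uri.partition("?")[2]
    for param in query.split("&"):
        key, _, value = param.partition("=")
        if key.endswith(".sexp") and value:
            return key, unquote_plus(value)
    raise ValueError("condition URI carries no S-expression")


def window_days(uri: str) -> float:
    """Days covered by the newerThan clause (2592000000 ms -> 30.0)."""
    match = NEWER_THAN.search(sexp_param(uri)[1])
    if match is None:
        raise ValueError("no newerThan clause in condition")
    return int(match.group(2)) / MS_PER_DAY


def rewrite_window(uri: str, days: int) -> str:
    """Re-encode the URI with the newerThan window set to `days`, keeping the column and other parameters."""
    key, sexp = sexp_param(uri)
    new_sexp, count = NEWER_THAN.subn(
        lambda m: f"( newerThan {m.group(1)} {days * MS_PER_DAY} )", sexp)
    if count != 1:
        raise ValueError("expected exactly one newerThan clause")
    base, _, query = uri.partition("?")
    parts = []
    for param in query.split("&"):
        name, _, value = param.partition("=")
        parts.append(f"{name}={quote_plus(new_sexp) if name == key else value}")
    return f"{base}?{'&'.join(parts)}"


if __name__ == "__main__":
    print(window_days(CONDITION_URI))        # 30.0
    print(rewrite_window(CONDITION_URI, 1))  # 86400000 ms = last 24 hours
```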