4 Replies Latest reply on May 12, 2015 8:16 AM by kmcin11

    DLP reporting query?

      we are using DLP version 2.2.6.0...

       

      I want to run a query/report that will return all entries etc. for a USB memory stick with a specific vendor id/product id or any other way that makes it unique.  can anyone please advise how this can be done?

       

      thanks

        • 1. Re: DLP reporting query?

          Did you ever get an answer to this?


          Thanks

          • 2. Re: DLP reporting query?
            xenon1

            If you have an ePO-Server connected you can build a Query over all these USB Memory Stick that are connected.

            If you are interested in the Syntax, i will retrieve it....

             

            FelderDetail
            Ergebnistyp:DLP-Ereignisse.
            Kriterien:

            (Ereigniskategorie Ist gleich Nicht-Verwaltungsereignis und Ziel Enthält "usb")

             

            Nachricht geändert durch xenon1 on 21.11.11 04:58:50 CST
            • 3. Re: DLP reporting query?

              If you have it I would very much appreciate it. We have been hitting our heads against the wall trying to figure out a way. Thank you.

              • 4. Re: DLP reporting query?
                kmcin11

                This is how I solved the issue. You can add to it by joining the table over and over again, to itself.

                 

                SELECT [ComputerName]

                , UserName

                ,[LocalTime]

                      ,[FocusDisplay]

                   ,EventTypeDisplayName

                   ,ETV1.[EventRowID]

                      ,ETV1.[EvidenceValue] AS VID

                ,ETV2.[EvidenceValue] As PID

                ,ETV3.[EvidenceValue] AS Volume_Label

                  FROM [ePO_HQS-IS-EPOL].[dbo].[DLP_EvidenceTypeAndValue] ETV1, [ePO_HQS-IS-EPOL].[dbo].[DLP_EvidenceTypeAndValue] ETV2, [ePO_HQS-IS-EPOL].[dbo].[DLP_EvidenceTypeAndValue] ETV3

                  INNER JOIN [ePO_HQS-IS-EPOL].[dbo].[DLP_EventView] EV ON  EV.EventRowID = ETV3.[EventRowID]

                  WHERE ETV1.[EventRowID] = ETV2.[EventRowID] AND ETV1.[EventRowID] = ETV3.[EventRowID]

                  AND ETV1.EvidenceType = 'Vendor_ID' AND ETV2.EvidenceType = 'Product_ID'  AND ETV3.EvidenceType =  'Volume_Label'

                  AND EventType = '10000'

                  ORDER BY EventRowID