2 Replies Latest reply on May 31, 2011 4:29 PM by joeleisenlipz

    Need help with RSD query

      I need help with queries for rogue devices.



      I want to create report for newly discovered rogue systems.

      Which time should I query against: 1st detection time or last detection time?



      I need to create a query to report all newly discovered devices with a breakdown by actions for, let's say, a week.

      Total number of detections:
      Total number of devices whitelisted by auto actions
      Total number of devices manually whitelisted
      Total number of devices that remain in the console.



      TIA, Leon

        • 1. Re: Need help with RSD query



          For the 1st report you can build the following query, which will show you all newly detected systems within the last day. You'll leverage the "Is New Detection" filter. This can be modified to suit your needs. While this was built with ePO 4.6, you should be able to create the same query in ePO 4.5.


          [Four query-builder screenshots attached: 5-23-2011 9-13-51 AM.png, 5-23-2011 9-15-14 AM.png, 5-23-2011 9-15-51 AM.png, 5-23-2011 9-16-56 AM.png]

          • 2. Re: Need help with RSD query

            For the second part of your request, here are a few thoughts:


            "Total number of devices whitelisted by auto actions"...

            I believe these Automatic Responses are logged within the Server Tasks; however, you will need to be careful querying these log entries, because a single response doesn't always equal a single detection. If your rules are triggered once for every event (with no throttling/aggregation) then I think you can get what you are after.


            "Total number of devices manually whitelisted"...

            This I believe you can get by querying the User Audit logs, but you'll have a similar problem. Unless the users individually select and add systems to the Exceptions list(s), you won't have a 1-to-1 correlation.


            "Total number of devices that remain in the console"...

            This should be equal to all detected devices that are not managed and not in an exception list. This value should be displayed in the 'Detected Systems' interface, within the 'Overall System Status' block, next to the heading "Rogue".


            --Joel E.
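As an added illustration of the two answers above (not code from the thread or from ePO, and not the ePO database schema), the following constructed example filters on first detection time for "new" devices, counts distinct devices rather than log entries so that one aggregated Automatic Response or repeated response does not inflate the whitelisted counts, and derives the "remaining rogue" count as detected, not managed, and not in an exception list. All rows, log entries and timestamps are made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample rows (not the ePO database schema): one row per detected device.
NOW = datetime(2011, 5, 23, 9, 0)
DETECTED = [
    # name,     first detection,          last detection,           managed, in exception list
    ("host-a", datetime(2011, 5, 20, 8), datetime(2011, 5, 23, 8), False, False),
    ("host-b", datetime(2011, 5, 21, 9), datetime(2011, 5, 22, 9), False, True),
    ("host-c", datetime(2011, 5, 21, 9), datetime(2011, 5, 22, 9), False, True),
    ("host-d", datetime(2011, 5, 22, 9), datetime(2011, 5, 23, 7), False, True),
    ("host-e", datetime(2011, 5, 1, 9),  datetime(2011, 5, 22, 9), False, False),  # old, still seen
    ("host-f", datetime(2011, 5, 19, 9), datetime(2011, 5, 19, 9), True,  False),  # now managed
]
# Constructed Automatic Response log: one entry may cover several devices (aggregation),
# and the same device may be responded to more than once.
AUTO_RESPONSES = [
    (datetime(2011, 5, 21, 10), ["host-b", "host-c"]),
    (datetime(2011, 5, 22, 10), ["host-b"]),
]
# Constructed User Audit entries for manual additions to the Exceptions list.
MANUAL_EXCEPTIONS = [
    (datetime(2011, 5, 22, 11), ["host-d"]),
    (datetime(2011, 5, 22, 12), ["host-e"]),  # not a new detection this week
]

def new_detections(rows, now=NOW, days=7):
    """'Is New Detection' semantics: first detection falls inside the reporting window."""
    cutoff = now - timedelta(days=days)
    return [r for r in rows if r[1] >= cutoff]

def seen_by_last_detection(rows, now=NOW, days=7):
    """Contrast: filtering on last detection also returns old devices still on the wire."""
    cutoff = now - timedelta(days=days)
    return [r for r in rows if r[2] >= cutoff]

def devices_in_log(log, names, now=NOW, days=7):
    """Distinct devices named in log entries, so several entries for one device count once."""
    cutoff = now - timedelta(days=days)
    return {d for when, devs in log if when >= cutoff for d in devs if d in names}

def weekly_breakdown(rows=DETECTED, auto=AUTO_RESPONSES, audit=MANUAL_EXCEPTIONS, now=NOW):
    new = new_detections(rows, now)
    names = {r[0] for r in new}
    auto_wl = devices_in_log(auto, names, now)
    manual_wl = devices_in_log(audit, names, now) - auto_wl
    # Rogue = detected, not managed, not in an exception list (the 'Rogue' figure in Detected Systems)
    remaining = {r[0] for r in new if not r[3] and not r[4]}
    return {"detections": len(new), "auto_whitelisted": len(auto_wl),
            "manually_whitelisted": len(manual_wl), "remaining": len(remaining)}
```

Counting the devices listed across the response log entries directly would give 3 here, while the distinct-device count is 2, which is the 1-to-1 problem Joel describes.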