6 Replies Latest reply on Oct 20, 2011 10:52 AM by JoeBidgood

    Function to obtain the list of threat events?

      Hi,

       

      I am able to run https://epo/remote/core.executeQuery?queryId=307 to get a count of threat events in the last two weeks. But is there a function to get the detail of every event? I am looking to have a script to monitor ePO and obtain threat event related information in an automated way.

       

      Thank you.

       

      Jin.

       

      Message was edited by: jin on 10/19/11 2:22:27 PM CDT
        • 1. Re: Function to obtain the list of threat events?

          Does anyone know which database tables are used to store the threat events? I found a couple of tables with system-related events only. Thank you.

          • 2. Re: Function to obtain the list of threat events?
            rackroyd

            You can request the DB schema with a support case, but it must have a valid business case behind it and not be achievable inside of ePO or the request will be refused.

            The relationship of events to detail to machines is not simple.

             

            You don't say which ePO version is in play, but the query engine in ePO 4.5 and 4.6 is quite flexible. You should be able to build up something close to what you need with experimentation.

             

            Rgds,

             

            Rob.

            • 3. Re: Function to obtain the list of threat events?

              At the moment, I am trying to understand the result of https://epo/remote/core.listTables?table=EPOEvents in ePO 4.6, shown below. I can get this information from the ePO web console. However, I want to have a script watch ePO for me by checking the content of the table and sending out alerts when a new event is added with several items in the event. Is this doable via the ePO 4.6 API?

               

              One thing I noticed is that dbo.EPOEvents does not have the most recent events which worries me if I am looking at the right table.

               

              Thank you.

               

              Name: Threat Events
              Target: EPOEvents
              Type: target
              Database Type:
              Description: Retrieves information on Threat Events sent from managed systems.
              Columns:
                  Name                    Type           Select? Condition? GroupBy? Order? Number?
                  ----------------------- -------------- ------- ---------- -------- ------ -------
                  AutoID                  int            false   false      false    true   true
                  AutoGUID                string         false   false      false    true   false
                  ServerID                string         true    false      false    true   false
                  ReceivedUTC             timestamp      true    true       true     true   false
                  DetectedUTC             timestamp      true    true       true     true   false
                  AgentGUID               string         true    false      false    true   false
                  Analyzer                string_lookup  true    true       true     true   false
                  AnalyzerName            string_lookup  true    true       true     true   false
                  AnalyzerVersion         string_lookup  true    true       true     true   false
                  AnalyzerHostName        string         true    true       true     true   false
                  AnalyzerIPV4            ipv4           true    true       true     true   false
                  AnalyzerIPV6            ipv6           true    true       true     true   false
                  AnalyzerMAC             string         true    true       true     true   false
                  AnalyzerDATVersion      string         true    true       true     true   false
                  AnalyzerEngineVersion   string_lookup  true    true       true     true   false
                  SourceHostName          string         true    true       true     true   false
                  SourceIPV4              ipv4           true    true       true     true   false
                  SourceIPV6              ipv6           true    true       true     true   false
                  SourceMAC               string         true    true       true     true   false
                  SourceUserName          string         true    true       true     true   false
                  SourceProcessName       string         true    true       true     true   false
                  SourceURL               string         true    true       true     true   false
                  TargetHostName          string         true    true       true     true   false
                  TargetIPV4              ipv4           true    true       true     true   false
                  TargetIPV6              ipv6           true    true       true     true   false
                  TargetMAC               string         true    true       true     true   false
                  TargetUserName          string         true    true       true     true   false
                  TargetPort              int            true    true       true     true   true
                  TargetProtocol          string_lookup  true    true       true     true   false
                  TargetProcessName       string         true    true       true     true   false
                  TargetFileName          string         true    true       true     true   false
                  ThreatCategory          threatcategory true    true       true     true   false
                  ThreatEventID           eventIdInt     true    true       true     true   true
                  ThreatSeverity          enum           true    true       true     true   false
                  ThreatName              string_lookup  true    true       true     true   false
                  ThreatType              string_enum    true    true       true     true   false
                  ThreatActionTaken       string_enum    true    true       true     true   false
                  ThreatHandled           boolean        true    true       true     true   false
                  AnalyzerDetectionMethod string_lookup  true    true       true     true   false
              Related Tables:
                  Name
                  ----------------------------
                  EPOLeafNode
                  EPOEvents_RelatedTargetsView
                  EPOEvents_RelatedSourcesView
                  EPOEventFilterDesc
                  GSDadditionaldata
                  HIP8_EventInfo
              Foreign Keys:
                  Source table Source Columns Destination table            Destination columns Allows inverse? One-to-one? Many-to-one?
                  ------------ -------------- ---------------------------- ------------------- --------------- ----------- ------------
                  EPOEvents    AgentGUID      EPOLeafNode                  AgentGUID           false           false       true
                  EPOEvents    ThreatEventID  EPOEventFilterDesc           EventId             false           false       true
                  EPOEvents    AutoID         EPOEvents_RelatedTargetsView EventID             false           false       true
                  EPOEvents    AutoID         EPOEvents_RelatedSourcesView EventID             false           false       true
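The watcher described in the post above, written out as an added example; it is not code from the thread, from McAfee, or from ePO. Two details are taken from the core.listTables output: AutoID and AutoGUID are Select? false and Condition? false, so the script cannot page on them and instead uses ReceivedUTC (Condition? true) as its cursor and a hash of each row for de-duplication; and it cursors on ReceivedUTC rather than DetectedUTC because an agent can upload an older detection on a later connection, which a DetectedUTC cursor would miss. Everything else is an assumption the thread does not confirm: the S-expression select/where/order syntax and the ge operator for core.executeQuery, the :output=json switch and the "OK:" prefix on responses, the ISO-8601 timestamp literal, JSON rows keyed as Table.Column, and the host name epo. The sample rows, credentials and certificate path are constructed; the only network call (fetch_rows) is not exercised by the demo.

```python
"""Poll the ePO remote API (core.executeQuery) for new EPOEvents rows and flag the ones
worth alerting on. Added example for this thread, not ePO product code; the query
syntax, ':output=json', the 'OK:' response prefix, the timestamp literal format and the
'Table.Column' JSON row keys are assumptions. The sample rows are constructed."""
import base64, datetime as dt, hashlib, json, ssl, urllib.parse, urllib.request

# Columns core.listTables?table=EPOEvents reports as Select? true. AutoID/AutoGUID are
# Select? false / Condition? false there, so they cannot be the cursor: cursor on
# ReceivedUTC (Condition? true) and de-duplicate on a hash of the row instead.
SELECT_COLS = ["EPOEvents.ReceivedUTC", "EPOEvents.DetectedUTC", "EPOEvents.AgentGUID",
               "EPOEvents.ThreatEventID", "EPOEvents.ThreatName", "EPOEvents.ThreatSeverity",
               "EPOEvents.ThreatActionTaken", "EPOEvents.ThreatHandled",
               "EPOEvents.TargetHostName", "EPOEvents.TargetFileName", "EPOEvents.SourceIPV4"]
TS_FMT = "%Y-%m-%dT%H:%M:%S"          # assumed literal format for timestamp conditions
OK_ACTIONS = {"deleted", "cleaned", "quarantined", "blocked"}

def build_query_url(server, since):
    """URL for rows received at or after `since` (UTC). Cursor on ReceivedUTC, not
    DetectedUTC: an agent may upload an old detection on its next connection, and a
    DetectedUTC cursor would miss it. Credentials never go in the URL."""
    params = {"target": "EPOEvents",
              "select": "(select " + " ".join(SELECT_COLS) + ")",
              "where": '(where (ge EPOEvents.ReceivedUTC "%s"))' % since.strftime(TS_FMT),
              "order": "(order (asc EPOEvents.ReceivedUTC))",
              ":output": "json"}
    return "https://%s/remote/core.executeQuery?%s" % (server, urllib.parse.urlencode(params))

def fetch_rows(url, user, password, ca_file):
    """HTTPS GET with Basic auth, trusting only the ePO server certificate exported from
    the console (ca_file) rather than disabling verification for the self-signed cert."""
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + base64.b64encode(
        ("%s:%s" % (user, password)).encode()).decode())
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        body = resp.read().decode("utf-8")
    return json.loads(body[3:] if body.startswith("OK:") else body)  # assumed "OK:" prefix

def event_key(row):
    """Row identity: SHA-256 over the selected columns in fixed order (no AutoID available)."""
    return hashlib.sha256("|".join(str(row.get(c, "")) for c in SELECT_COLS).encode()).hexdigest()

def needs_alert(row):
    """Alert when the threat was not handled or the action is not a clean-up;
    a missing ThreatHandled field fails closed (alerts)."""
    action = str(row.get("EPOEvents.ThreatActionTaken", "")).lower()
    return not bool(row.get("EPOEvents.ThreatHandled", False)) or action not in OK_ACTIONS

def new_state(since_str):
    """Poller state: de-dup keys with their ReceivedUTC, plus the cursor."""
    return {"seen": {}, "since": dt.datetime.strptime(since_str, TS_FMT)}

def process_poll(rows, state):
    """Consume one poll. Returns unseen rows and moves the cursor to the latest
    ReceivedUTC. The next query uses >= cursor, so rows sharing that second come back
    again and the seen-set drops them: nothing is lost or repeated at the boundary."""
    fresh, latest = [], state["since"]
    for row in rows:
        key = event_key(row)
        if key in state["seen"]:
            continue
        received = dt.datetime.strptime(row["EPOEvents.ReceivedUTC"], TS_FMT)
        state["seen"][key] = received
        fresh.append(row)
        latest = max(latest, received)
    state["since"] = latest
    state["seen"] = {k: t for k, t in state["seen"].items() if t >= latest}  # keep bounded
    return fresh

def _row(received, host, path, action, handled):
    """One constructed EPOEvents row in the assumed 'Table.Column' JSON shape."""
    return {"EPOEvents.ReceivedUTC": received, "EPOEvents.DetectedUTC": received,
            "EPOEvents.AgentGUID": "00000000-0000-0000-0000-0000000000AA",
            "EPOEvents.ThreatEventID": 1027, "EPOEvents.ThreatName": "EICAR test file",
            "EPOEvents.ThreatSeverity": 2, "EPOEvents.ThreatActionTaken": action,
            "EPOEvents.ThreatHandled": handled, "EPOEvents.TargetHostName": host,
            "EPOEvents.TargetFileName": path, "EPOEvents.SourceIPV4": "10.0.0.42"}

# Constructed polls: poll 1 has two rows received in the same second; poll 2 re-returns
# the first (cursor overlap) plus one newer row.
POLL_1 = [_row("2011-10-19T19:22:27", "WS-042", "C:\\tmp\\eicar.com", "deleted", True),
          _row("2011-10-19T19:22:27", "WS-042", "C:\\tmp\\eicar2.com", "none", False)]
POLL_2 = [POLL_1[0], _row("2011-10-19T19:25:10", "WS-077", "D:\\dl\\x.exe", "cleaned", True)]

def run_demo():
    """Dry run over the constructed polls (no network); returns alerting hosts per poll."""
    state = new_state("2011-10-19T00:00:00")
    return [[r["EPOEvents.TargetHostName"] for r in process_poll(p, state) if needs_alert(r)]
            for p in (POLL_1, POLL_2)]

if __name__ == "__main__":
    print(run_demo())
    print(build_query_url("epo", new_state("2011-10-19T19:25:10")["since"]))
```

In a live loop, replace the constructed polls with fetch_rows(build_query_url(server, state["since"]), user, password, ca_file) on a timer and persist state between runs; ePO automatic responses, mentioned later in the thread, cover the same "watch the table, react on change" need without any of this code.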

              • 4. Re: Function to obtain the list of threat events?
                JoeBidgood

                I'm not sure why you would want to do this via the API - unless I misunderstand, what you're describing can be done with the existing ePO automatic responses, which essentially do exactly what you're describing: watch the table and respond when a change occurs.

                 

                HTH -

                 

                Joe

                • 5. Re: Function to obtain the list of threat events?

                  Haha, I really didn't know about this feature at all. My ultimate goal is to collect information from other systems like IPS and URL filtering, as well as event logs on the targeted system, to simplify investigation when a threat is reported. Looks like auto response might meet the requirements. I will test and post my feedback here.

                   

                  Sorry for my ignorance and thank you for the information.

                  • 6. Re: Function to obtain the list of threat events?
                    JoeBidgood

                    No problem - just trying to save you from reinventing the wheel.

                     

                    Regards -

                     

                    Joe