7 Replies Latest reply: Feb 11, 2015 10:02 AM by tonyw RSS

    Reporting on Device Details

    dubious

      Hi,

       

      Running DLP Endpoint 9.3, with one Device Rule set to log all devices.  I would like to run reports on specific device details, like Vendor and Product ID but the DLP Events reporting columns seem limited.  I want to have a better understanding of how our users are using removable devices, specifically UFDs and personal devices (i.e. smart phones, cameras).

       

      The only way I can think of reporting on these details is to create individual Device Rules and include only specific Vendor IDs, and then have a catch all using exclusion to get the "others".

       

      Is there a better way of doing this?  I don't have need to have separate rules for all these device types.  I would rather do this via reports so I can go back historically...

       

      Thanks,

      Gabriel

        • 1. Re: Reporting on Device Details

          You can create a custom report to grab more details.  The below will create a report for all data.  You can tweak as you need.

           

          Queries & Reports

          New

          Others

          DLP Events. Next

          Table. Next

          Scroll down to "DLP Events Evidence Data" and select "Evidence Type" and "Evidence Value".  Next

           

          You can choose to filter or just run for everything now.  The Event Type for the device events will be "Device Plug" so I'd start there for filtering.

          Each line item will be a portion of the device information.  class/serial number/etc will all be on a different line but all tied to the same event id.

           

          Hope that helps!

          • 2. Re: Reporting on Device Details
            ahamm

            This is great so far and it allowed me to get the details, but now I wanted to see how a USB thumb drive travels through the organization, so I want to filter the USB Serial Number.

            Under the Evidence Type field you find nearly all types that you could filter on but just not on "USB Serial Number". I mean Vendor ID and Product ID is there. Why is that?

            • 3. Re: Reporting on Device Details

              I see the same result on my side.  I'd open a case with McAfee to have them review it.

               

              For now I exported my results as a csv to interact with.

              • 4. Re: Reporting on Device Details
                trevor.craze

                I know this is an old post but did you get any answer I am still looking for the same report, I have asked McAfee but cannot get an answer

                • 5. Re: Reporting on Device Details

                  I tested with 9.3.4 and confirmed the filter by USB Serial number option exists and confirmed it works.

                  • 6. Re: Reporting on Device Details
                    trevor.craze

                    Hi Tony,

                     

                    we are also running 9.3.4 I have been through all the queiries and reports and cannot see any referance to usb serial number, where are you seeing the filter by USB

                     

                    thanks

                     

                    Trev

                    • 7. Re: Reporting on Device Details

                      My first reply to the thread outlines how to set up the initial query. 

                       

                      Queries & Reports

                      New

                      Others

                      DLP Events. Next

                      Table. Next

                      Scroll down to "DLP Events Evidence Data" and select "Evidence Type" and "Evidence Value".  Next

                       

                      The filter is on "Evidence type" and choose "USB Serial Number" from the drop down.