1 Reply Latest reply on Apr 3, 2015 8:45 AM by pcktech

    Retrieving Host IPS 8.0 Event Information from the database - how??

    dhalliday

      I have a team of folks that is interested in seeing the HIPS event information that comes along with the threat data related to the following fields:


      Target File Name

      Target Fingerprint

      Target Path


      Does anyone know what the table references are for these fields and how we can add them to the query below?


      select [EPOEvents].[DetectedUTC], [EPOEvents].[TargetHostName], [EPOEvents].[ThreatName],
             [EPOEvents].[AnalyzerIPV4], [EPOEvents].[SourceIPV4], [EPOEvents].[SourceURL],
             [HIP8_EventInfo].[Direction], [HIP8_EventInfo].[AppSigner], [HIP8_EventInfo].[AppDesc],
             [HIP8_EventInfo].[AppHash], [HIP8_EventInfo].[Hidden], [HIP8_EventInfo].[LocalIPAddress],
             [HIP8_EventInfo].[LocalPort], [HIP8_EventInfo].[Protocol], [HIP8_EventInfo].[Read],
             [HIP8_EventInfo].[RemotePort], [EPOEvents].[AutoID]
      from [EPOEvents]
      left join [HIP8_EventInfo] on [EPOEvents].[AutoID] = [HIP8_EventInfo].[EventID]

        • 1. Re: Retrieving Host IPS 8.0 Event Information from the database - how??
          pcktech

          Given your title, I assume the Host IPS 8.0 Event Information data you're seeking are the details at the bottom of the threat log details you can view in ePO? That's the sort I was looking for, myself. Here's what I've found that might be related to what you're looking for:


          Table: HIP8_IPSEventParameter


          Fingerprint is [ParameterName] = 'Executable Fingerprint' with the [ParameterValue] giving the desired value.

          File Name being the File Description? If so it'd be [ParameterName] = 'Executable Description' with the [ParameterValue] giving the desired value.

          Path being the File Path? If so then [ParameterName] = 'local file' with the [ParameterValue] giving the desired value.


          I'm a novice at SQL so I can't give you much advice on incorporating it, but from a quick Google search it seems you can join three tables together (for example: mysql - SQL join multiple tables - Stack Overflow)
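Putting the two posts together, one way to fold the HIP8_IPSEventParameter name/value rows into the original query is to pivot them first and then join the result, as in the added example below. This is not the original poster's query and not anything shipped with ePO or Host IPS. It assumes that HIP8_IPSEventParameter links to EPOEvents through an [EventID] column matching [EPOEvents].[AutoID], the same key the thread's query already uses for HIP8_EventInfo; that column name, and the exact ParameterName strings, should be confirmed against the live database with the two checks at the top of the block before the output is trusted.

```sql
-- Added example; not the original poster's query or part of ePO / Host IPS.
-- ASSUMPTION: [HIP8_IPSEventParameter] has an [EventID] column that matches
-- [EPOEvents].[AutoID], like the thread's existing join to [HIP8_EventInfo].
-- Check the real column names and the exact parameter strings first:
--   SELECT name FROM sys.columns WHERE object_id = OBJECT_ID('HIP8_IPSEventParameter');
--   SELECT DISTINCT [ParameterName] FROM [HIP8_IPSEventParameter];

WITH ips_params AS (
    -- Collapse the name/value rows into one row per event with named columns.
    -- MAX() over CASE keeps exactly one row per EventID even if a parameter
    -- name happens to be stored more than once for the same event.
    SELECT
        [EventID],
        MAX(CASE WHEN [ParameterName] = 'Executable Fingerprint' THEN [ParameterValue] END) AS [TargetFingerprint],
        MAX(CASE WHEN [ParameterName] = 'Executable Description' THEN [ParameterValue] END) AS [TargetFileName],
        MAX(CASE WHEN [ParameterName] = 'local file'             THEN [ParameterValue] END) AS [TargetPath]
    FROM [HIP8_IPSEventParameter]
    GROUP BY [EventID]
)
SELECT
    e.[DetectedUTC], e.[TargetHostName], e.[ThreatName],
    e.[AnalyzerIPV4], e.[SourceIPV4], e.[SourceURL],
    i.[Direction], i.[AppSigner], i.[AppDesc], i.[AppHash], i.[Hidden],
    i.[LocalIPAddress], i.[LocalPort], i.[Protocol], i.[Read], i.[RemotePort],
    p.[TargetFileName], p.[TargetFingerprint], p.[TargetPath],
    e.[AutoID]
FROM [EPOEvents] e
LEFT JOIN [HIP8_EventInfo] i ON e.[AutoID] = i.[EventID]
LEFT JOIN ips_params       p ON e.[AutoID] = p.[EventID]
ORDER BY e.[DetectedUTC] DESC;
```

Both joins are LEFT JOINs so events that have no HIP8_EventInfo or parameter rows still appear, with NULLs in the added columns, rather than silently dropping out of the report. If the DISTINCT check shows the parameter names stored with different wording or casing than the three strings above, change the CASE conditions to the values actually present; under a case-sensitive collation 'local file' and 'Local File' are different strings.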