3 Replies Latest reply on Mar 10, 2016 4:09 PM by ckundapu

    HIPS - Managing HIPS events and information - Please share your thoughts

    ckundapu

I have spoken to a couple of customers who have mentioned that querying and running HIPS related data/events is very cumbersome. Can you please share your experience around this? What are the challenges you face and what would you like to see to make your job easier?


      Thanks

      Endpoint product Management

        • 1. Re: HIPS - Managing HIPS events and information - Please share your thoughts
          wouterr

          Investigating a lot of IPS events is indeed impossible using ePO; therefore we query the ePO database directly.


          Why we are not using ePO:
          no possibility to filter on IPS event parameters (HIP8_IPSEventParameter table) other than the file parameter, in queries or in the system tree view

          the "Host IPS 8.0" reporting module is just way too slow. Also here it's impossible to filter on IPS event parameters, so you can only process one event at a time instead of processing them in bulk.


          note: if you mention McAfee SIEM: the same problem exists there: impossible to filter on IPS event parameters


          So with these arguments we switched from ePO to a simple SQL query which can query >100000 events in one second, in a way that lets us investigate them properly.

          With the SQL query we transpose the HIP8_IPSEventParameter table and then join it with the EPOEvents, HIP8_EventInfo, EPOLeafNode and EPOBranchNode tables.

          This gives us a single view containing all IPS events on which we can easily query and filter for investigating these events.
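An added example of the transpose-then-join approach described in the post above; this is not wouterr's query and not McAfee's published schema. It builds the same-named tables in an in-memory sqlite3 database with constructed rows, pivots the key/value parameter table into one row per event with conditional aggregation (plain SQL, so the same shape works on the SQL Server instance behind ePO), joins it to the event and node tables, and then filters on a parameter, which is exactly the filter the post says the ePO query builder cannot express. The table names come from the post; every column name (EventID, ParamName, ParamValue, SignatureID, Reaction, AgentGUID, ParentID, NodeName, DetectedUTC) is an assumption.

```python
import sqlite3
from typing import Optional

# Table names are the ones named in the post; all column names are assumed.
# The CTE pivots (transposes) the key/value parameter rows into one row per
# event, which is what makes filtering on a parameter possible in one query.
EVENT_VIEW_SQL = """
WITH params AS (
    SELECT EventID,
           MAX(CASE WHEN ParamName = 'Process' THEN ParamValue END) AS ProcessName,
           MAX(CASE WHEN ParamName = 'Files'   THEN ParamValue END) AS TargetFile,
           MAX(CASE WHEN ParamName = 'User'    THEN ParamValue END) AS UserName
    FROM HIP8_IPSEventParameter
    GROUP BY EventID
)
SELECT e.AutoID, e.DetectedUTC, b.NodeName AS GroupName, n.NodeName AS HostName,
       i.SignatureID, i.Reaction, p.ProcessName, p.TargetFile, p.UserName
FROM EPOEvents e
JOIN HIP8_EventInfo i ON i.EventID = e.AutoID
JOIN EPOLeafNode   n ON n.AgentGUID = e.AgentGUID
JOIN EPOBranchNode b ON b.AutoID = n.ParentID
LEFT JOIN params   p ON p.EventID = e.AutoID
"""


def build_demo_db() -> sqlite3.Connection:
    """Create the five tables with constructed sample rows (not real ePO data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE EPOBranchNode (AutoID INTEGER, NodeName TEXT);
    CREATE TABLE EPOLeafNode (AgentGUID TEXT, NodeName TEXT, ParentID INTEGER);
    CREATE TABLE EPOEvents (AutoID INTEGER, AgentGUID TEXT, DetectedUTC TEXT);
    CREATE TABLE HIP8_EventInfo (EventID INTEGER, SignatureID INTEGER, Reaction TEXT);
    CREATE TABLE HIP8_IPSEventParameter (EventID INTEGER, ParamName TEXT, ParamValue TEXT);
    INSERT INTO EPOBranchNode VALUES (1, 'Workstations'), (2, 'Servers');
    INSERT INTO EPOLeafNode VALUES ('guid-a', 'WS01', 1), ('guid-b', 'SRV01', 2);
    INSERT INTO EPOEvents VALUES (100, 'guid-a', '2016-03-01T10:00:00'),
                                 (101, 'guid-b', '2016-03-01T10:05:00'),
                                 (102, 'guid-a', '2016-03-01T10:09:00');
    INSERT INTO HIP8_EventInfo VALUES (100, 6010, 'Prevent'),
                                      (101, 1020, 'Log'),
                                      (102, 6010, 'Prevent');
    INSERT INTO HIP8_IPSEventParameter VALUES
        (100, 'Process', 'C:\\Windows\\System32\\rundll32.exe'),
        (100, 'Files',   'C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll'),
        (100, 'User',    'CORP\\alice'),
        (101, 'Process', 'C:\\Program Files\\App\\svc.exe'),
        (101, 'User',    'NT AUTHORITY\\SYSTEM'),
        (102, 'Process', 'C:\\Windows\\System32\\rundll32.exe'),
        (102, 'User',    'CORP\\bob');
    """)
    return conn


def query_events(conn: sqlite3.Connection, process_like: Optional[str] = None) -> list:
    """Return the flattened event view as a list of dicts, optionally
    filtered on the pivoted Process parameter with a LIKE pattern."""
    sql = EVENT_VIEW_SQL
    args: tuple = ()
    if process_like is not None:
        sql += " WHERE p.ProcessName LIKE ?"
        args = (process_like,)
    sql += " ORDER BY e.AutoID"
    cur = conn.execute(sql, args)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def count_by_process(conn: sqlite3.Connection) -> dict:
    """Bulk view: how many IPS events each process produced."""
    counts: dict = {}
    for row in query_events(conn):
        counts[row["ProcessName"]] = counts.get(row["ProcessName"], 0) + 1
    return counts


if __name__ == "__main__":
    db = build_demo_db()
    for hit in query_events(db, "%rundll32.exe"):
        print(hit["AutoID"], hit["HostName"], hit["Reaction"], hit["TargetFile"])
    print(count_by_process(db))
```

The LEFT JOIN on the pivoted parameters keeps events that carry no parameter rows at all, so a missing parameter shows up as NULL rather than silently dropping the event from the investigation view.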

          • 2. Re: HIPS - Managing HIPS events and information - Please share your thoughts
            c14us

            I pretty much love HIPS, but there is a lot of information you simply cannot select in the queries. And often it's exactly that data you (I) want to get. I want to be allowed to query all information that is available.


            Then there is the very annoying New Data field, which is not in clear text but must be de-hexed

            ex: 720075006e0064006c006c00330032002e006500780065002000730074007200650061006d00630069002c00530074007200650061006d0069006e0067004400650076006900630065005300650074007500700020007b00390037006500620061006100630063002d0039003500620064002d00310031006400300002d0061003300650061002d0030003000610030006300390032003200330031003900360 07d002c007b00350033003100370032003400380030002d0034003700390031002d0031003100440030002d0041003500440036002d003200380044004200300034004300310030003000300030007d002c007b00350033003100370032003400380030002d0034003700390031002d003100310044003000 2d0041003500440036002d003200380044004200300034004300310030003000300030007d000000

            =

            rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}

            How do I even start making queries/threats/custom rules when the data is also unreadable? It's more than frustrating.


            That said, when working a lot with HIPS, you get a bit used to the flaws. And I love the versatility of the product.

            • 3. Re: HIPS - Managing HIPS events and information - Please share your thoughts
              ckundapu

              Thank you team. This is useful info to have. Appreciate your time and thoughts on this.