1 Reply Latest reply on Feb 5, 2009 9:05 AM by dbrigham

    ePO 4 Query For Specific Threat Detection

      OK -- I have worked my way up through ePO since v2, and I always managed to figure out how to use the built-in reports/queries and customize them as needed.

      Well, I just upgraded to 4.0 and I already revised some built-in queries to my own needs (like stats for the last week) for pie charts in the dashboard -- no big deal.

      But I need to scan the events (10 days of ePO 4.0 events and 1-year of ePO 3.6.1 events migrated over) for some specific threat names.

      I started from scratch -- Reporting, New Query, Events, Table -- added User Name to table, Filter -- Threat Name Equals "Name" and Event Generated Time is within the last 1 months.

      Click Run and it never finishes -- my console session gets logged off while it is still running (and as far as I know there may now be like five of these queries all stuck running -- anyone know how to check and kill them?).

      What did I do wrong? Doing the equivalent in the built-in reporting of v3.6.1 would have taken only a few minutes to run.

      As far as I can tell otherwise, ePO is working, agents are reporting (2200 managed systems), tasks are working, the dashboard reports work.

      Thanks for any suggestions!

      Dana Brigham
      DIS ISS Network Services
      Sr. Security Analyst / CISSP
      National Science Foundation
        • 1. RE: ePO 4 Query For Specific Threat Detection
          Well, I think that I figured part of it out -- I was using the criteria that the Threat Detected "contains" the name (or part of a name) and then the query takes forever.

          If I use "Equals" then the query runs as expected.

          But since I specify the timeframe for the check, that should still make even a "contains" query not scan the whole *30GB* of data in the database! Or do I have to put the time limit as the *first* criteria and then the threat name second?
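The "contains" versus "Equals" difference and the criteria-order question above can be reproduced outside ePO with any SQL engine that exposes its query plan. The following is an added example, not from the thread or from McAfee; it uses Python's sqlite3 against a constructed stand-in `events` table (a hypothetical schema, not ePO 4.0's real one) with an index on the threat-name column, and compares the plan the optimizer picks for a leading-wildcard `LIKE` filter, an equality filter, and the same equality filter with the time criterion listed first.

```python
import sqlite3

# Constructed stand-in for an ePO events table (hypothetical schema, not ePO's).
SCHEMA = """
CREATE TABLE events (
    id INTEGER PRIMARY KEY,
    user_name TEXT NOT NULL,
    threat_name TEXT NOT NULL,
    detected_utc TEXT NOT NULL
);
CREATE INDEX ix_events_threat ON events (threat_name);
"""
SAMPLE_ROWS = [  # constructed sample events
    ("alice", "Generic.dx", "2009-01-20T10:00:00Z"),
    ("bob", "W32/Conficker.worm", "2009-01-25T11:30:00Z"),
    ("carol", "Generic PUP.x", "2009-02-01T09:15:00Z"),
    ("dave", "W32/Conficker.worm.gen", "2009-02-03T14:45:00Z"),
]
# "contains" filter: leading wildcard defeats the index on threat_name.
CONTAINS_SQL = "SELECT user_name FROM events WHERE threat_name LIKE ? AND detected_utc >= ?"
# "Equals" filter: exact match can be served from the index.
EQUALS_SQL = "SELECT user_name FROM events WHERE threat_name = ? AND detected_utc >= ?"
# Same equality filter with the time criterion written first.
EQUALS_TIME_FIRST_SQL = "SELECT user_name FROM events WHERE detected_utc >= ? AND threat_name = ?"

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO events (user_name, threat_name, detected_utc) VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def query_plan(conn, sql, params):
    # Return the 'detail' text of each EXPLAIN QUERY PLAN step.
    return [row[-1] for row in conn.execute("EXPLAIN QUERY PLAN " + sql, params)]

def uses_index(plan):
    return any("INDEX" in step for step in plan)

def run(conn, sql, params):
    return sorted(r[0] for r in conn.execute(sql, params))

def compare(since="2009-01-06T00:00:00Z"):
    conn = open_db()
    contains_plan = query_plan(conn, CONTAINS_SQL, ("%Conficker%", since))
    equals_plan = query_plan(conn, EQUALS_SQL, ("W32/Conficker.worm", since))
    time_first_plan = query_plan(conn, EQUALS_TIME_FIRST_SQL, (since, "W32/Conficker.worm"))
    return {
        "contains_uses_index": uses_index(contains_plan),   # False: full table scan
        "equals_uses_index": uses_index(equals_plan),       # True: index seek
        "order_matters": equals_plan != time_first_plan,    # False: same plan either way
        "contains_rows": run(conn, CONTAINS_SQL, ("%Conficker%", since)),
        "equals_rows": run(conn, EQUALS_SQL, ("W32/Conficker.worm", since)),
    }
```

The optimizer decides access order from available indexes, not from the order criteria are written, so listing the time limit first does not avoid the scan; a "contains" filter does catch variant names (here both Conficker rows) that an "Equals" filter misses, which is the trade-off behind the slow query.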