3 Replies Latest reply on Mar 31, 2017 10:26 AM by chrisnlc

    Generate VID & PID report from ePO

    scsslm

      Hello All,

      I want to generate the following DLP report from ePO 5.1.1. Could you please advise.

       

      1. Get the VID and PID details
      2. When the VID and PID were added to the DLP (VID-PID) exception list.
      3. Only get the Blank VID & PID list

       

      NOTE: I suspected that some particular brands (like Transcend, HP, etc.) of USB device can have the same VID & PID. If yes, how to manage (Block/Unblock) these kinds of devices?

      Attachment: Blank VID-PID.PNG

       

      Regards,

      Sekar

        • 1. Re: Generate VID & PID report from ePO
          chrisnlc

          It's possible to get some of this. Assuming you are using 9.4 and above:

          1) Duplicate the query/report 'DLP: Number of Incidents per rule set' and edit. (I use this report but you can use this or other incident type reports)

          2) In the Columns section add USB Vendor ID and USB Product ID.

          3) In the Filter section add 'Value is not Blank' = USB Vendor ID.

          4) Save

          5) Do the same thing again but this time:

          6) In the Filter section use 'Value is Blank' = USB Vendor ID.

          7) Save as a different name.

           

          Now you have some of what you need:

          1. Get the VID and PID details - answered in lines 1 to 4
          2. When the VID and PID were added to the DLP (VID-PID) exception list. - Not possible AFAIK
          3. Only get the Blank VID & PID list - answered in lines 5 to 7

           

          If the USB stick is rebranded but retains the same PID/VID then it would take some analysis to differentiate them. Perhaps the rebrander may change volume information and always start volume label with 'xyz123..' or something but that would be highly unreliable.

           

          Hope that all helps.

          • 2. Re: Generate VID & PID report from ePO
            scsslm

            Hi Chris,

             

            Thank you for your support.

             

            I am using DLP version 9.3.425.4.

             

            And I have selected the following options in Filter in my report.

             

            Evidence Type "Equals to Vendor ID" and Evidence Value "Value is blank"

             

            but it's not getting any results.

             

            Please advise.

             

            Thanks & Regards,

            Sekar

            • 3. Re: Generate VID & PID report from ePO
              chrisnlc

              For 9.3 it's a little trickier.

               

              1) In queries and reports select New

              2) Choose Others then DLP 9.3 Events and Next

              3) Choose list/Table and Next

              4) Choose Evidence Type and Evidence Value from column selector under 'DLP 9.3 Events Evidence Data'

              5) Also make sure Event ID, Computer Name, Rules fields are there at a minimum. Then Next

              6) If you have millions of events then filter on (Occurred UTC) in the filter section.

              7) Run.

              8) After some processing you'll see the results. Select Action then Export Table

              9) Choose CSV then 'Open or save from link'

              10) When generated save the CSV somewhere.

               

              Now you will have the info you need but it's how you process it. Personally I imported to Excel and used filtering on Evidence Type = Vendor ID and Product ID, then made a PivotTable. It takes some work but you can get some useful data from this. I also used R/RStudio if you happen to know that - then spin the data in many ways.

               

              Maybe I should do a YouTube about it!
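
The CSV post-processing described in the last reply can also be scripted. The following is an added example, not part of the original thread: it folds the one-row-per-evidence export into one record per Event ID, counts events per VID/PID pair, and lists events with a blank Vendor ID. The CSV header names are assumed to match the column names chosen in the query, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of the exported table (not real ePO output). Header names
# are an assumption: they mirror the columns selected in the query steps.
SAMPLE_CSV = """Event ID,Computer Name,Rules,Evidence Type,Evidence Value
101,PC-01,Block USB,Vendor ID,0951
101,PC-01,Block USB,Product ID,1666
102,PC-02,Block USB,Vendor ID,0951
102,PC-02,Block USB,Product ID,1666
103,PC-03,Block USB,Vendor ID,
103,PC-03,Block USB,Product ID,
104,PC-04,Block USB,Vendor ID,03f0
104,PC-04,Block USB,Product ID,5a07
105,PC-05,Monitor USB,File Name,report.docx
"""

def pivot_events(fileobj):
    """Fold the one-row-per-evidence export into one record per Event ID."""
    events = defaultdict(dict)
    for row in csv.DictReader(fileobj):
        ev = events[row["Event ID"].strip()]
        ev["computer"] = row["Computer Name"].strip()
        ev["rule"] = row["Rules"].strip()
        etype = row["Evidence Type"].strip()
        if etype in ("Vendor ID", "Product ID"):
            # Normalise case so 03f0 and 03F0 count as the same vendor.
            ev[etype] = (row["Evidence Value"] or "").strip().upper()
    # Keep only events that carry USB evidence at all.
    return {eid: ev for eid, ev in events.items()
            if "Vendor ID" in ev or "Product ID" in ev}

def vid_pid_counts(events):
    """Count events per (VID, PID) pair, skipping blank vendor IDs."""
    return Counter((ev.get("Vendor ID", ""), ev.get("Product ID", ""))
                   for ev in events.values() if ev.get("Vendor ID"))

def blank_vid_events(events):
    """Event IDs whose Vendor ID evidence is missing or empty."""
    return sorted(eid for eid, ev in events.items() if not ev.get("Vendor ID"))

if __name__ == "__main__":
    evs = pivot_events(io.StringIO(SAMPLE_CSV))
    for (vid, pid), n in vid_pid_counts(evs).most_common():
        print(f"{vid}:{pid}  {n} event(s)")
    print("Blank VID events:", blank_vid_events(evs))
```

To run it against a real export, pass an open file handle for the saved CSV to `pivot_events` instead of the sample string.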