
HBSS Symposium Case Studies of Using HBSS to Increase Your Security Posture

UNCLASSIFIED

McAfee Symposium

Case Study Using McAfee: Increasing Your Security Posture via McAfee ePO
By Kyle M. Taylor, [email protected], Abu Dhabi, UAE
https://ae.linkedin.com/in/kyle-taylor-7325421a

This is a bit detailed, so please stop me if you have any questions. Slides edited by Susan Poston.

What We Have Done

DLP Initiatives:
- Block Bluetooth and USB printers
- Block wireless NICs and SD cards
- Track file names copied to external media
- Dirty word search on files copied to external media

Application Whitelisting:
- Using Subject Distinguished Name to simplify exemptions

Future Projects:
- McAfee Threat Activity Tracer
- ePO Deep Command Discovery and Reporting (free tool)
- McAfee System Information Reporter
- IA/CND Dashboards

McAfee Threat Activity Tracer - https://community.mcafee.com/docs/DOC-4231

ePO Deep Command Discovery and Reporting:
- Product Guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25071/en_US/edc_210_pg_0-00_en-us.pdf
- McAfee Community: https://community.mcafee.com/blogs/deepakkolingivadi/2014/03/20/deep-command-quick-start-guide-updated-for-21

McAfee System Information Reporter:
- KB: https://kc.mcafee.com/corporate/index?page=content&id=KB67830
- User Guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22755/en_US/SIR_User_guide.pdf


DLP - Blocking Wireless, Bluetooth, SD Cards, and USB Printers

Wireless: block by Device Definition and Plug and Play Device Rule
- Device Class: Network Adapters
- Device Name: Allow Partial Match on Wireless, WiMax, WiFi, 802.11, Wlan

Bluetooth: block by Plug and Play Rule; combine with an additional FireWire block
- Bus Type: BlueTooth

SD Cards: block by Plug and Play Rule (this also allows you to make them read-only)
- Compatible ID: RIMMPTSK\Disk_SD, SD\CLASS_STORAGE, SCSI\Disk

USB Printers: use a Plug and Play Rule
- Use Device Definition with USB Class: 07h

Prevent executables from running from removable media using the Removable Storage File Access rule; it will block .exe, .msi, .bat, .zip.

Create a Windows Portable Device Rule to look for Device Name containing MTP to catch iPods, phones, etc. mounting as an MTP device vs. Removable Storage. These mount as Devices vs. mounting as Removable Storage.

KB73171 MTP Devices - we mainly see MTP devices mounting as Windows Portable Devices
KB77769 Managing Apple Products
KB81602 Possibility to allow you to record files being burned to CD/DVD - not tested

Quick poll of the audience. This is really going to increase the security posture of your network and find gaps in your baselining processes. Unless DLP is added to your computer image, you should also deploy GPOs to block USB and SD storage right off the bat until DLP can be pushed to these computers.

DLP Blocking Wireless NICs

Set the Device Class to Network Cards, and then fill in the listed names in the Device Name field.

Track files copied to external media

In the DLP Console, turn on Hit Highlighting

Set up a Removable Media Protection Rule; call it something like Track Files Copied to Removable Media

Assign it to all your exempted users, but Monitor Only

NOTE: It does not track files burned to CD/DVD

However, you can track the amount of data burned per hour, day, month, etc.

DLP Tracking File Names

Quick poll of the audience. This tracks the file names being copied off to external media and, if you set up the Evidence Folder, you will have a local or networked repository of the files that were copied to USB and SD.

Tracking File Names

Generic Removable Protection Rule - no categories needed.

DLP Dashboard Amount Transferred

You can generate this graph, showing the amount transferred per user per day, week, or month. There is an OPORD or TASKORD out there requiring monitoring of data transfers.

DLP Dirty Word Search

Checks files being copied to removable media and searches within them for text patterns.

Only works on files being copied OFF to removable media.

Create a new Text Pattern definition for NOFORN, FVEY, SECRET//, etc. called Classification Markings, and then a Category called Category Classified Markings for matches to go into, as well as a Tag named similarly. I know, a ton of steps.

Apply this text pattern definition to the Content Tagging Rule called Possible Classified Document and tell it to put matches into the Category "Category Classified Markings".

Create a Removable Storage Protection Rule looking for the category "Category Classified Markings" and apply it to all USB and SD exempted users.

Quick poll of the audience. Note, this is a long, drawn-out process, and confusing.

Dirty Word Search Text Match

Create a new Text Pattern containing classification markings and then a new Content Category for these to go into.

Dirty Word Search Content Classification Rule

Create a new Content Classification Rule and point it to the Text Pattern you created for Classification Markings. There are others here like SSNs, IP addresses, credit card numbers, etc.

Dirty Word Search Assigned Content

Finally, create a removable storage protection rule and use the content classification rule you created.
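The dirty word search pipeline described on the last few slides (text pattern, content classification rule, removable storage protection rule), modelled as an added Python example that is not part of the slides or of McAfee DLP itself. The regex, the rule behaviour and the sample files are constructed assumptions; it also folds in the device block and the monitor-only tracking rule from the earlier slides so the three rules can be seen deciding together, and it shows why a copy to local disk produces nothing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed "Classification Markings" text pattern, modelled on the markings
# the slides list (NOFORN, FVEY, SECRET//...). The regex is an assumption, not
# DLP's own definition syntax.
TEXT_PATTERNS: Dict[str, re.Pattern] = {
    "Category Classified Markings": re.compile(
        r"\b(?:TOP\s+SECRET|SECRET)\b(?://[A-Z0-9/-]+)?"   # banner, e.g. SECRET//NOFORN
        r"|\b(?:NOFORN|FVEY|REL\s+TO)\b",                  # dissemination controls
        re.IGNORECASE,
    ),
}


@dataclass(frozen=True)
class CopyAttempt:
    """A user writing a file somewhere (constructed input for this example)."""
    user: str
    file_name: str
    destination: str          # "removable", "local" or "network"
    content: str


@dataclass(frozen=True)
class DlpEvent:
    rule: str                 # which protection rule fired
    action: str               # "Block" or "Monitor"
    user: str
    file_name: str
    evidence: Tuple[str, ...]  # the highlighted hits, as DLP hit highlighting shows them


def classify(content: str) -> Dict[str, List[str]]:
    """Content Classification Rule: run each text pattern over the content and
    return {category: [matched text, ...]} for every category that hit."""
    result: Dict[str, List[str]] = {}
    for category, pattern in TEXT_PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(content)]
        if hits:
            result[category] = hits
    return result


def evaluate(attempt: CopyAttempt, exempt_users) -> Optional[DlpEvent]:
    """Apply the slides' removable-media rules in order:
      1. Removable Storage block for every user who is not USB/SD exempted.
      2. "Possible Classified Document" block for exempted users whose file
         carries classification markings.
      3. "Track Files Copied to Removable Media" (monitor only) for the rest.
    Returns None when the write is not to removable media: the dirty word
    search only sees files being copied OFF to removable storage."""
    if attempt.destination != "removable":
        return None
    if attempt.user not in exempt_users:
        return DlpEvent("Removable Storage Block", "Block",
                        attempt.user, attempt.file_name, ())
    evidence = tuple(classify(attempt.content).get("Category Classified Markings", []))
    if evidence:
        return DlpEvent("Possible Classified Document", "Block",
                        attempt.user, attempt.file_name, evidence)
    return DlpEvent("Track Files Copied to Removable Media", "Monitor",
                    attempt.user, attempt.file_name, ())


# Constructed sample traffic: alice is USB/SD exempted, bob is not.
SAMPLE_ATTEMPTS = (
    CopyAttempt("alice", "brief.docx", "removable",
                "SECRET//NOFORN\nSubject: quarterly logistics brief"),
    CopyAttempt("alice", "notes.txt", "removable",
                "Unclassified meeting notes, nothing sensitive here"),
    CopyAttempt("bob", "holiday.jpg", "removable", "<binary image data>"),
    CopyAttempt("alice", "report.docx", "local",
                "NOFORN paragraph saved to the local disk, not removable media"),
    CopyAttempt("alice", "release.txt", "removable",
                "Releasable: REL TO USA, FVEY"),
)


def run_samples(exempt_users=("alice",)) -> List[DlpEvent]:
    """Evaluate every sample attempt and return the DLP events it produced."""
    events = []
    for attempt in SAMPLE_ATTEMPTS:
        event = evaluate(attempt, exempt_users)
        if event is not None:
            events.append(event)
    return events


if __name__ == "__main__":
    for ev in run_samples():
        print(f"{ev.action:7} {ev.rule:40} {ev.user}:{ev.file_name} {ev.evidence}")
```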


Application Whitelisting

- Enable Signatures 6010 & 6011
- Use Subject Distinguished Name to reduce overall total events. We reduced events from 45,000 to 1,000 per day using only around 50 exceptions.
- Add all the signatures into a single exception: Adobe, Microsoft (about 10 different sigs), VMware, Symantec, etc.
  Example: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS
- The layered/effective policy approach applied at each level using this hierarchy is recommended. [Assign a policy for each level with exceptions in each as required.]
- Learn to use ClientControl.exe for additional assistance and troubleshooting, e.g.:
  clientcontrol.exe /exportconfig c:\Windows\HIPSEXPORT.txt 5
  clientcontrol.exe /log 0 4 (creates files in the C:\Users\All Users\Mcafee\Host Intrusion Prevention folder)
- Making the starter policies available to everyone. The testing is time consuming, as it takes an inordinate amount of time for new policies to propagate.
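An added illustration, not from the slides or from HIPS itself, of why keying exceptions on the signer's Subject Distinguished Name collapses the event count: the DN comparison is normalised so case, whitespace and RDN order do not matter, one exception covers several signatures, and anything unsigned or carrying an incomplete DN still alerts. The Microsoft DN is the one quoted on the slide; the vendor DN, process names, signature membership and event counts are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

# Some certificates spell the state attribute "S" and others "ST"; treat them alike.
_ATTR_ALIASES = {"S": "ST"}


def parse_dn(dn: str) -> FrozenSet[Tuple[str, str]]:
    """Normalise a Subject Distinguished Name into a set of (attribute, value)
    pairs so that case, surrounding whitespace and RDN order do not matter.
    Assumption: no RDN value contains an escaped comma (this simple split
    would break on one)."""
    pairs = set()
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        attr = attr.strip().upper()
        pairs.add((_ATTR_ALIASES.get(attr, attr), " ".join(value.split()).upper()))
    return frozenset(pairs)


@dataclass(frozen=True)
class HipsEvent:
    signature_id: int
    process: str
    signer_dn: Optional[str]      # None when the executable is unsigned


@dataclass(frozen=True)
class DnException:
    """One HIPS exception keyed on the signer DN and covering several signatures."""
    name: str
    signer_dn: str
    signature_ids: FrozenSet[int]

    def covers(self, event: HipsEvent) -> bool:
        return (event.signer_dn is not None
                and event.signature_id in self.signature_ids
                and parse_dn(event.signer_dn) == parse_dn(self.signer_dn))


def apply_exceptions(events: Sequence[HipsEvent], exceptions: Sequence[DnException]):
    """Return (events that still alert, count of suppressed events per exception)."""
    kept: List[HipsEvent] = []
    suppressed: Counter = Counter()
    for ev in events:
        match = next((x for x in exceptions if x.covers(ev)), None)
        if match is None:
            kept.append(ev)
        else:
            suppressed[match.name] += 1
    return kept, suppressed


# The Microsoft DN is the slide's example; the vendor DN is a constructed placeholder.
MICROSOFT_DN = "C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS"
VENDOR_DN = "C=US, ST=CALIFORNIA, L=EXAMPLETOWN, O=EXAMPLE VENDOR INC, CN=EXAMPLE VENDOR INC"

EXCEPTIONS = (
    DnException("Microsoft signed binaries", MICROSOFT_DN, frozenset({6010, 6011})),
    DnException("Example vendor", VENDOR_DN, frozenset({6010})),
)

# Constructed day of events: mostly noise from signed, trusted binaries.
SAMPLE_EVENTS = (
    [HipsEvent(6010, "svchost.exe", MICROSOFT_DN)] * 30
    # same signer, but the DN was reported in a different order and case
    + [HipsEvent(6011, "explorer.exe",
                 "cn=Microsoft Windows, o=Microsoft Corporation, l=Redmond, s=Washington, c=US")] * 15
    + [HipsEvent(6010, "vendorupdate.exe", VENDOR_DN)] * 4
    + [HipsEvent(6011, "unknown.exe", None)]                 # unsigned: must still alert
    + [HipsEvent(6010, "lookalike.exe",                       # incomplete DN: must still alert
                 "C=US, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS")]
)


def demo() -> Tuple[int, int, Dict[str, int]]:
    """Returns (events before exceptions, events after, suppressed per exception)."""
    kept, suppressed = apply_exceptions(SAMPLE_EVENTS, EXCEPTIONS)
    return len(SAMPLE_EVENTS), len(kept), dict(suppressed)


if __name__ == "__main__":
    before, after, per_exception = demo()
    print(f"{before} events before, {after} after; suppressed: {per_exception}")
```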

NOTE: I have not been able to find an entity to throw zero-days or malware at these, so they are untested, but it's a lot faster and easier to implement than the NSA Whitelisting Tool and we are not exempting entire folders.

Quick poll of the audience. This took me about 2 months to tune, and a lot of it was spent waiting for the policies to propagate out and then troubleshooting and tuning.

This was done on a very small network of just 200 computers, but these policies should give you about a 98% decrease off of the initial configuration. The big bonus here is that these should stop zero-days in their tracks and enforce a fairly strict baseline on your servers, and it's very easy to expand out down to the desktop. These starter policies should get you about 95% of the way there.

Subject Distinguished Name


Application Whitelisting

- McAfee Threat Activity Tracer: records the remote IP that triggered any events using HIPS and VSE. In the McAfee Tool Exchange.
- McAfee System Information Reporter: free from McAfee Platinum Support. Checks for files and enforces a version; checks and enforces registry keys; enumerates software, hotfixes, services, shares. Possible CMI mitigation.
- ePO Deep Command Discovery and Reporting Tool: free McAfee plugin and extension. Hardware enumeration and serial number tracking. Nice addition for inventory or logistics personnel, also tech refreshes. Also wireless NIC status, BIOS version, system model and manufacturer, last reboot, etc. Alternatively, use the SystemInfo Tool from McAfee Tool Exchange to write the serial number to one of the Custom Properties fields.

Application Whitelisting

These are tools I am hoping to implement in my AOR when I can get some facetime. If anyone has done any of these, please let me know. I want to know if they are easy to set up and, more importantly, are they worth it? I am hoping we can expand HBSS functionality so that it becomes a lot more than just a security tool, but rather a force multiplier for Network Admins, Change Management, and Sysops.

McAfee Threat Activity Tracer

https://community.mcafee.com/docs/DOC-4231


System Information Reporter

- Checks computers for specific files or registry keys and enforces versions
- Checks for shares and USB devices
- Installed hotfixes, software, patches, services

Possible to mitigate CMIs using this?

SystemInfo Tool or ePO Deep Command

Dashboards for Command and IA/CND

Dashboards and automated emails are good ways to keep Incident Response informed.

These do require training and a lot of policy tuning to make them usable to IA/CND.

Track HIPS, VSE, DLP, maybe ABM and Rogues.

HIPS and VSE are where you are most likely to catch zero-days or APTs.

Over 70% of our Remedy tickets for IA/CND come from McAfee.

Malware Dashboard for IA/CND
Displays malware names, trends, and top violators.

Asset Awareness Dashboard
Breaks down systems on the network by OS, per site, and rogues.

HIPS Dashboard
Prompts the most questions, requires a lot of tuning, and can be noisy.

Questions

[email protected]

Dashboards and Policies
Note: I will try to make the policies and dashboards available through the hosts of this symposium.

query:table?orion.table.columns=EPOEvents.DetectedUTC%3AEPOEvents.TargetHostName%3AEPOEvents.ThreatName%3AEPOEvents.AnalyzerDATVersion%3AEPOEvents.ThreatCategory%3AEPOEvents.ThreatHandled%3AEPOEvents.ThreatActionTaken%3AEPOEvents.ThreatType%3AEPOEvents.TargetFileName%3AEPOEvents.SourceURL&orion.table.order=az&orion.table.order.by=EPOEvents.DetectedUTC%3AEPOEvents.TargetHostName%3AEPOEvents.ThreatName%3AEPOEvents.AnalyzerDATVersion%3AEPOEvents.ThreatCategory%3AEPOEvents.ThreatHandled%3AEPOEvents.ThreatActionTaken%3AEPOEvents.ThreatType%3AEPOEvents.TargetFileName%3AEPOEvents.SourceURL query:condition?orion.condition.sexp=%28+where+%28+and+%28+newerThan+EPOEvents.ReceivedUTC+604800000++%29+%28+threatcategory_not_belongs+EPOEvents.ThreatCategory+%22ops%22+%29+%28+contains+EPOEvents.Analyzer+%22Virus%22+%29+%28+and+%28+notContains+EPOEvents.ThreatName+%22Common+Standard%22+%29+%28+notContains+EPOEvents.ThreatName+%22Standard%22+%29+%28+notContains+EPOEvents.ThreatName+%22Maximum%22+%29+%28+notContains+EPOEvents.ThreatName+%22CommonOn%22+%29+%29+%29+%29 query:summary?orion.query.type=pie.pie&orion.sum.query=true&show.percentage=true&orion.sum.group.by=EPOEvents.ThreatName&orion.sum.order=desc&orion.sum.limit.count=360&orion.show.other=true&orion.sum.aggregation=distinct&orion.sum.aggregation.column=EPOEvents.AnalyzerHostName&orion.sum.aggregation.showTotal=true 3 1 1 1 1 /console/createDashboardContainer.do 60 MIN dashboardElement:config?database= false EMAIL - EXEC - User Breakdown of Viruses and Malware found in the Last Week Removed Common and Mcafee Protection detections EPOEvents 
query:table?orion.table.columns=EPOEvents.DetectedUTC%3AEPOEvents.TargetHostName%3AEPOEvents.ThreatName%3AEPOEvents.AnalyzerDATVersion%3AEPOEvents.ThreatCategory%3AEPOEvents.ThreatHandled%3AEPOEvents.ThreatActionTaken%3AEPOEvents.ThreatType&orion.table.order.by=EPOEvents.DetectedUTC%3AEPOEvents.TargetHostName%3AEPOEvents.ThreatName%3AEPOEvents.AnalyzerDATVersion%3AEPOEvents.ThreatCategory%3AEPOEvents.ThreatHandled%3AEPOEvents.ThreatActionTaken%3AEPOEvents.ThreatType&orion.table.order=az query:condition?orion.condition.sexp=%28+where+%28+and+%28+newerThan+EPOEvents.ReceivedUTC+604800000++%29+%28+threatcategory_not_belongs+EPOEvents.ThreatCategory+%22ops%22+%29+%28+contains+EPOEvents.Analyzer+%22Virus%22+%29+%28+and+%28+notContains+EPOEvents.ThreatName+%22Common+Standard%22+%29+%28+notContains+EPOEvents.ThreatName+%22Standard%22+%29+%28+notContains+EPOEvents.ThreatName+%22Maximum%22+%29+%28+notContains+EPOEvents.ThreatName+%22CommonOn%22+%29+%29+%29+%29 query:summary?orion.query.type=pie.pie&orion.sum.query=true&show.percentage=true&orion.sum.group.by=EPOEvents.TargetUserName&orion.sum.order=desc&orion.sum.limit.count=360&orion.show.other=true&orion.sum.aggregation=count&orion.sum.aggregation.showTotal=true

HBSS Dashboards/Incident_Handling_and_EXEC_Reporting_-_Network_Inventory_and_Information-Dashboard.xml Incident Handling and EXEC Reporting - Network Inventory and Information false 0 1 1 0 0 /console/createDashboardContainer.do 0 MIN dashboardElement:config?database= false Email - EXEC- Managed Systems by Platform - Last Week EPOLeafNode query:table?orion.table.columns=EPOLeafNode.LastUpdate%3AEPOLeafNode.NodeName&orion.table.order.by=EPOLeafNode.LastUpdate%3AEPOLeafNode.NodeName&orion.table.order=az query:condition?orion.condition.sexp=%28+where+%28+newerThan+EPOLeafNode.LastUpdate+604800000++%29+%29 query:summary?orion.query.type=pie.pie&orion.sum.query=true&show.percentage=false&orion.sum.group.by=EPOComputerProperties.OSType&orion.sum.order=desc&orion.sum.limit.count=360&orion.sum.aggregation=count&orion.sum.aggregation.showTotal=true 1 1 1 1 0 /console/createDashboardContainer.do 0 MIN dashboardElement:config?database= false EMAIL - EXEC - Rogues Detected in the Last Week By Domain RSDDetectedSystems query:table?orion.table.columns=RSDDetectedSystems.NetbiosName%3ARSDDetectedSystems.DnsName%3ARSDDetectedSystems.Users%3ARSDDetectedSystems.Domain&orion.table.order.by=RSDDetectedSystems.NetbiosName%3ARSDDetectedSystems.DnsName%3ARSDDetectedSystems.Users%3ARSDDetectedSystems.Domain&orion.table.order=az query:condition?orion.condition.sexp=%28+where+%28+and+%28+eq+RSDDetectedSystems.Rogue+t+%29+%28+newerThan+RSDDetectedSystems.LastDetectedTime+604800000++%29+%29+%29 query:summary?orion.query.type=pie.pie&orion.sum.query=true&show.percentage=true&orion.sum.group.by=RSDDetectedSystems.Domain&orion.sum.order=desc&orion.sum.limit.count=360&orion.show.other=true&orion.sum.aggregation=count&orion.sum.aggregation.showTotal=true 2 1 1 0 1 /console/createDashboardContainer.do 0 MIN dashboardElement:config?database= false (ER) AntiVirus Content Status Displays the current McAfee and Symantec AntiVirus DAT content distribution. 
EPOLeafNode query:table?orion.table.columns=EPOComputerProperties.ComputerName%3AEPOComputerProperties.OSType%3AEPOLeafNode.LastUpdate%3AERP_View_EPOProductProperties.ProductCode%3AERP_View_EPOProductProperties.ProductVersion%3AERP_View_EPOProductProperties.Hotfix%3AERP_View_EPOProductProperties.DATVer%3AERP_View_EPOProductProperties.DATDate&orion.table.order.by=EPOComputerProperties.ComputerName%3AEPOComputerProperties.OSType%3AEPOLeafNode.LastUpdate%3AERP_View_EPOProductProperties.ProductCode%3AERP_View_EPOProductProperties.ProductVersion%3AERP_View_EPOProductProperties.Hotfix%3AERP_View_EPOProductProperties.DATVer%3AERP_View_EPOProductProperties.DATDate&orion.table.order=az query:condition?orion.condition.sexp=%28+where+%28+and+%28+newerThan+EPOLeafNode.LastUpdate+2592000000++%29+%28+contains+EPOComputerProperties.OSType+%22Windows%22+%29+%28+or+%28+startsWith+ERP_View_EPOProductProperties.ProductCode+%22VIRUSCAN%22+%29+%28+startsWith+ERP_View_EPOProductProperties.ProductCode+%22S_SEP_%22+%29+%28+startsWith+ERP_View_EPOProductProperties.ProductCode+%22S_SAV_%22+%29+%29+%29+%29 query:summary?orion.query.type=pie.pie&orion.sum.query=true&show.percentage=true&orion.sum.group.by=ERP_View_EPOProductProperties.DATVer&orion.sum.order=desc&orion.sum.limit.count=360&orion.sum.aggregation=count&orion.sum.aggregation.showTotal=true 3 1 1 1 1 /console/createDashboardContainer.do 0 MIN dashboardElement:config?database= false Total percentage of Managed Systems Compliant with OPORD 12-1016 EPOLeafNode query:table?orion.table.columns=EPOLeafNode.LastUpdate%3AEPOLeafNode.NodeName&orion.table.order.by=EPOLeafNode.LastUpdate%3AEPOLeafNode.NodeName&orion.table.order=az query:condition?orion.condition.sexp=%28+where+%28+newerThan+EPOLeafNode.LastUpdate+259200000++%29+%29 
query:summary?bool.show.criteria=true&orion.query.type=pie.bool&orion.sum.query=true&show.percentage=true&bool.green.criteria=%28+where+%28+and+%28+version_ge+EPOProdPropsView_VIRUSCAN.productversion+%228.8.0.975%22+%29+%28+withinRepositoryDatVersion+EPOProdPropsView_VIRUSCAN.datver+3++%29+%28+eq+ERP_View_IPS8BlockingSummary.HighSevReaction+3++%29+%28+eq+ERP_View_IPS8BlockingSummary.MedSevReaction+3++%29+%28+version_ge+EPOProdPropsView_DLP.productversion+%229.2.13.2%22+%29+%28+eq+HIP8_Properties.HIPSStatus+%22True%22+%29+%28+eq+HIP8_Properties.FWStatus+%22True%22+%29+%28+version_ge+EPOProdPropsView_USAF_ACCM.productversion+%222.0.0.1129%22+%29+%28+version_ge+EPOProdPropsView_POLICYAUMETA.productversion+%226.0.1.183%22+%29+%28+version_ge+EPOProdPropsView_HOSTIPS.productversion+%228.0.0.2919%22+%29+%28+eq+ERP_View_CAGStatusSummary.LocationEnabled+%22True%22+%29+%29+%29&bool.red.text=Non-Compliant+Overall&bool.green.text=Compliant+with+OPORD+12-1016&orion.sum.aggregation=count&orion.sum.aggregation.showTotal=true