Microsoft SCCM DB SmartConnector - Incomplete event Name field and blank deviceAction - CON-21582

Idea ID 2762339

The Microsoft SCCM DB SmartConnector parser attempts to lookup the ActionID in the EP_ThreatDefaultActions table in order to get an action name. That action name is used in the Event Name and Event Device Action fields.

Unfortunately, however, the EP_ThreatDefaultActions table does not contain all of the possible ActionIDs, e.g. ActionID 9 does not exist in the table, but equates to "No Action" in the console.

Event Name field is mapped to "<Action> <Category> <ActionSuccess>", e.g. "Quarantine Virus Successfully". But when the event involves an ActionID that does not exist in the table such as ActionID 9, Event Name will be set to something like " Virus Successfully".

Event Device Action is mapped to "<Action>", e.g. "Quarantine". But when the event involves an ActionID that does not exist in the table such as ActionID 9, Event Device Action will be blank.

In the Microsoft-provided SCCM report "Endpoint Protection - Hidden/Computer malware list.rdl" the Action name is statically mapped to the ActionID using the SQL choose function, i.e. choose(CleaningAction, 'Cleaned', 'Quarantined', 'Removed', '4', '5', 'Allowed', '7', 'User Defined', 'No Action', 'Blocked'). So instead of looking up ActionIDs in EP_ThreatDefaultActions, ArcSight should convert ActionIDs to action names in the same way that Microsoft does in their reports, that is, by using the given SQL "choose" function.
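An added example, not code from the original post or from the SmartConnector, that models the ActionID-to-name step both ways described above and shows the blank-action result beside the CHOOSE-style result; the lookup-table contents are constructed, with ActionID 9 deliberately left out to reproduce the gap:

```python
# Added example, not code from the original post or from the SmartConnector.
# It models the ActionID -> action-name step both ways the post discusses:
# the EP_ThreatDefaultActions lookup (current behaviour) and the static
# CHOOSE() mapping from the Microsoft report (proposed behaviour).

# Constructed stand-in for EP_ThreatDefaultActions; the names are assumed and
# ActionID 9 is deliberately absent, mirroring the gap the post describes.
EP_THREAT_DEFAULT_ACTIONS = {
    1: "Clean",
    2: "Quarantine",
    3: "Remove",
    6: "Allow",
    8: "User Defined",
    10: "Block",
}

# 1-based value list copied from the report's CHOOSE() call:
# choose(CleaningAction, 'Cleaned', 'Quarantined', 'Removed', '4', '5',
#        'Allowed', '7', 'User Defined', 'No Action', 'Blocked')
CHOOSE_ACTIONS = ["Cleaned", "Quarantined", "Removed", "4", "5",
                  "Allowed", "7", "User Defined", "No Action", "Blocked"]


def choose(index, *values):
    """T-SQL CHOOSE semantics: 1-based index, NULL (None) when out of range."""
    if index is None or index < 1 or index > len(values):
        return None
    return values[index - 1]


def action_from_table(action_id):
    """Current behaviour as described: a table miss yields an empty action."""
    return EP_THREAT_DEFAULT_ACTIONS.get(action_id, "")


def action_from_choose(action_id):
    """Proposed behaviour: the same static mapping Microsoft's report uses."""
    return choose(action_id, *CHOOSE_ACTIONS) or ""


def build_event(action_id, category, action_success, resolver):
    """Compose (name, deviceAction) the way the post says the parser does."""
    action = resolver(action_id)
    return f"{action} {category} {action_success}", action


def unmapped_action_ids():
    """Check: ActionIDs the report knows but the lookup table would leave blank."""
    return {i for i in range(1, len(CHOOSE_ACTIONS) + 1)
            if i not in EP_THREAT_DEFAULT_ACTIONS}
```

Running `unmapped_action_ids()` against a real copy of the table is the quick way to list every ActionID that will currently produce a blank deviceAction.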

1 Comment
Micro Focus Contributor
Status changed to: Under Consideration