Idea ID 2762339
The Microsoft SCCM DB SmartConnector parser attempts to look up the ActionID in the EP_ThreatDefaultActions table in order to get an action name. That action name is used in the Event Name and Event Device Action fields.
Unfortunately, the EP_ThreatDefaultActions table does not contain all of the possible ActionIDs. For example, ActionID 9 does not exist in the table, but equates to "No Action" in the console.
The Event Name field is mapped to "<Action> <Category> <ActionSuccess>", e.g. "Quarantine Virus Successfully". But when the event involves an ActionID that does not exist in the table, such as ActionID 9, the lookup returns nothing and Event Name is set to something like " Virus Successfully" (note the leading space where the action name should be).
Event Device Action is mapped to "<Action>", e.g. "Quarantine". But when the event involves an ActionID that does not exist in the table, such as ActionID 9, Event Device Action is blank.
In the Microsoft-provided SCCM report "Endpoint Protection - Hidden/Computer malware list.rdl", the action name is statically mapped to the ActionID using the T-SQL choose function, which returns the N-th argument for a 1-based index N: choose(CleaningAction, 'Cleaned', 'Quarantined', 'Removed', '4', '5', 'Allowed', '7', 'User Defined', 'No Action', 'Blocked'). So ActionID 9 yields 'No Action' and ActionID 10 yields 'Blocked'. Instead of looking up ActionIDs in EP_ThreatDefaultActions, ArcSight should convert ActionIDs to action names in the same way Microsoft does in its reports, that is, with the same positional mapping as the given SQL choose function.
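The following is an added Python example, not the SmartConnector's parser or any code from Microsoft. It reproduces the defect described above against constructed events and shows the proposed fix: a positional mapping with the same semantics as T-SQL CHOOSE (1-based index, NULL when the index is out of range). The contents of the stand-in EP_ThreatDefaultActions table (other than the missing ActionID 9 and "Quarantine" for ActionID 2), the "Unsuccessfully" wording for a failed action, and the "Unknown Action (n)" fallback for IDs outside 1..10 are assumptions made for the example.

```python
from typing import Callable, Dict, Optional

# Constructed stand-in for the EP_ThreatDefaultActions lookup as the post
# describes it: ActionID 9 is deliberately absent. Names other than
# "Quarantine" (ActionID 2) are assumptions, not the real table contents.
EP_THREAT_DEFAULT_ACTIONS: Dict[int, str] = {
    1: "Clean", 2: "Quarantine", 3: "Remove",
    6: "Allow", 8: "User Defined", 10: "Block",
}

# Argument list copied from the report's choose(CleaningAction, ...) call.
# Position N (1-based) is the name for ActionID N.
CHOOSE_ARGS = ("Cleaned", "Quarantined", "Removed", "4", "5",
               "Allowed", "7", "User Defined", "No Action", "Blocked")


def sql_choose(index: Optional[int], *values: str) -> Optional[str]:
    """Mimic T-SQL CHOOSE(): 1-based; returns None (NULL) when the index is
    NULL or outside 1..len(values)."""
    if index is None or index < 1 or index > len(values):
        return None
    return values[index - 1]


def action_name_current(action_id: int) -> str:
    """Current parser behaviour as described in the idea: a table lookup
    that silently yields an empty string for an unknown ActionID."""
    return EP_THREAT_DEFAULT_ACTIONS.get(action_id, "")


def action_name_proposed(action_id: int) -> str:
    """Proposed behaviour: positional mapping identical to the report's choose().
    Assumption: IDs outside 1..10 (where choose() returns NULL) get an explicit
    placeholder instead of a blank, so the gap is visible in the events."""
    name = sql_choose(action_id, *CHOOSE_ARGS)
    return name if name is not None else f"Unknown Action ({action_id})"


def build_fields(event: dict, name_for: Callable[[int], str]) -> Dict[str, str]:
    """Build Event Name ("<Action> <Category> <ActionSuccess>") and
    Event Device Action ("<Action>") the way the idea describes them.
    Assumption: a failed action renders as "Unsuccessfully"."""
    action = name_for(event["ActionID"])
    success = "Successfully" if event["ActionSuccess"] else "Unsuccessfully"
    return {
        "name": " ".join([action, event["Category"], success]),
        "deviceAction": action,
    }


# Constructed sample events; ActionID 11 is outside the report's choose() range.
EVENTS = [
    {"ActionID": 2, "Category": "Virus", "ActionSuccess": True},
    {"ActionID": 9, "Category": "Virus", "ActionSuccess": True},
    {"ActionID": 11, "Category": "Virus", "ActionSuccess": False},
]


def compare_strategies(events=EVENTS):
    """Return (current, proposed) field sets for each event, for inspection."""
    return [(build_fields(e, action_name_current),
             build_fields(e, action_name_proposed)) for e in events]


if __name__ == "__main__":
    for current, proposed in compare_strategies():
        print(f"current={current!r}  proposed={proposed!r}")
```

Two things worth noting when adopting the choose-based mapping: the report's names are past tense ('Quarantined') while the current table-derived Event Device Action shows 'Quarantine', so existing content that filters on those values would need to be adjusted; and CHOOSE returns NULL for any index outside 1..10, so the parser still needs a fallback (here a visible placeholder) rather than reintroducing the blank-field problem for any ActionID Microsoft adds later.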