
Working with acknowledgements

Created: 08 Apr 2014 • Updated: 11 Apr 2014 | 2 comments
Posted by Ben Shorehill

Working with event acknowledgement in Data Center Security Server can be very helpful. It is a good way of keeping track of which events you have already looked at while you are tuning a policy. However, if you are dealing with a large number of events (say, in the initial phase of policy tuning), acknowledging them one at a time in the console becomes a chore.

Below are a few handy SQL statements to help you work with these events in bulk. They update the CSPEVENT table directly in the management server database, so take a database backup first, and run the equivalent SELECT with the same WHERE clause to see how many rows an UPDATE will touch before you execute it. Please note that the way I differentiate between prevention and detection is a kludge, as I haven't been able to identify the column in the CSPEVENT table that determines the policy type the event comes from. If someone out there knows what it is, please let me know and I will update the statements.

EDIT: Updated the statements with more accurate filtering, thanks to Chuck's post.

-- This statement will acknowledge any events related to prevention policies
update CSPEVENT
set EVENT_REMEDIATED='1'
where EVENT_TYPE like 'P%'
and EVENT_REMEDIATED='0';

-- And this one acknowledges all detection events
update CSPEVENT
set EVENT_REMEDIATED='1'
where EVENT_TYPE like 'D%'
and EVENT_REMEDIATED='0';

-- This one resets the acknowledgement flag (sets to not acknowledged) on all prevention events for the last 24 hours
update CSPEVENT
set EVENT_REMEDIATED='0'
where EVENT_TYPE like 'P%'
and EVENT_DT between DATEADD(dd,-1,getdate()) and getdate();

-- This one resets the acknowledgement flag (sets to not acknowledged) on all detection events for the last 24 hours
update CSPEVENT
set EVENT_REMEDIATED='0'
where EVENT_TYPE like 'D%'
and EVENT_DT between DATEADD(dd,-1,getdate()) and getdate();
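The statements above acknowledge or reset every matching row in one shot. The script below is an added example, not part of the original post: it previews how many unacknowledged events of each EVENT_TYPE sit in the last 24 hours, then acknowledges only the prevention events in that window inside a transaction and rolls back if the UPDATE touches more rows than a ceiling you set (a guard against a fat-fingered WHERE clause acknowledging the whole table). It assumes SQL Server (T-SQL, as the DATEADD/getdate() calls in the post imply) and the CSPEVENT columns the post uses: EVENT_TYPE, EVENT_REMEDIATED and EVENT_DT. The @max_rows value is an assumed placeholder; set it to a number that makes sense for your environment.

```sql
-- Added example (not from the original post). Assumes SQL Server and the
-- CSPEVENT columns used above: EVENT_TYPE, EVENT_REMEDIATED, EVENT_DT.
SET NOCOUNT ON;

DECLARE @from     DATETIME = DATEADD(HOUR, -24, GETDATE());
DECLARE @to       DATETIME = GETDATE();
DECLARE @max_rows INT      = 5000;   -- assumed ceiling; tune for your site
DECLARE @touched  INT;

-- 1. Preview: unacknowledged events per type in the window.
--    The first letter of EVENT_TYPE is the class: D = detection,
--    P = prevention, M = management (see the code list in the comments).
SELECT EVENT_TYPE,
       LEFT(EVENT_TYPE, 1) AS EVENT_CLASS,
       COUNT(*)            AS UNACKED
FROM   CSPEVENT
WHERE  EVENT_REMEDIATED = '0'
AND    EVENT_DT BETWEEN @from AND @to
GROUP  BY EVENT_TYPE
ORDER  BY UNACKED DESC;

-- 2. Acknowledge prevention events in the window, but only keep the change
--    if the row count is within the ceiling set above.
BEGIN TRANSACTION;

UPDATE CSPEVENT
SET    EVENT_REMEDIATED = '1'
WHERE  EVENT_TYPE LIKE 'P%'
AND    EVENT_REMEDIATED = '0'
AND    EVENT_DT BETWEEN @from AND @to;

SET @touched = @@ROWCOUNT;   -- capture before any other statement resets it

IF @touched > @max_rows
BEGIN
    ROLLBACK TRANSACTION;
    PRINT 'Rolled back: ' + CAST(@touched AS VARCHAR(20)) + ' rows exceeded the ceiling';
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Acknowledged ' + CAST(@touched AS VARCHAR(20)) + ' prevention events';
END
```

Swap 'P%' for 'D%' to do the same for detection events. Note that the IPS codes in the comment below also have A-prefixed variants (ANET, AFIL, and so on); the post does not say which class those belong to, and neither 'P%' nor 'D%' will match them, so check the preview output for them before assuming everything has been acknowledged.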


Comments (2)

Alex_CST

Thumbs up. Good SQL statements!

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

Chuck Edson

Here are the event types (from EVENT_TYPE column):

Four-letter code representing the class and type of event. The first letter
indicates general class (detection, prevention, management). The
remaining letters indicate the sub-type.

The codes are as follows:

■ DFWW (Filewatch Windows)
■ DFWU (Filewatch UNIX)
■ DRGW (Registry Watch)
■ DNTL (NT Log)
■ DSYS (Syslog)
■ DGEN (Generic Log)
■ DWTM (WTMP/BTMP)
■ DAUD (IDS Audit)
■ DUC2 (UNIX C2)
■ DIPS (IDS of IPS)
■ PNET/ANET (IPS Network)
■ PFIL/AFIL (IPS File)
■ PREG/AREG (IPS Registry)
■ PBOP/ABOP (IPS Overflow)
■ POSC/AOSC (IPS System Call)
■ PMNT/AMNT (IPS Mount)
■ PPST/APST (IPS PSET)
■ PCRE/ACRE (IPS Create)
■ PDES/ADES (IPS Destroy)
■ MERR (IDS Error)
■ MSTD (IDS Status)
■ MSTP (IPS Status)
■ MCOM (COMM Status)
■ MOVR (Agent Override)
■ MCON (Agent Config Status)
■ MSTA (Agent Status)
■ MSOF (Header)
■ MEOF (Trailer)
■ MREP (File Create)
■ MEFR (File Received)
■ MBIN (Server Error)
■ ECAT (Catalog Entry)
■ CAUD (Console Audit)

If a post helps you, please mark it as the solution to your issue.