Endpoint Protection

  • 1.  Database Locations of SEPM Logs/Report?

    Posted Sep 19, 2016 11:46 AM

    So I'm playing with the Application & Device Control Policy to LOG USB writes ([AC5-1.1] Log writing to USB drives), and while the "Application and Device Control Logs: Application Control" provide good information, I'd like to go directly to the database for this information.

    I have found the "sem5.dbo.BEHAVIOR_REPORT" but that only gets me some of the data I'm after; does anyone know where the data in that log is pulled from? Specifically I'm trying to correlate:

    USER NAME
    MACHINE NAME
    DOCUMENT NAME
    SIZE OF DOCUMENT
    DATE AND TIME OF TRANSFER

    Again, all of this is in the LOGS on the SEPM, I'd just like to get it directly from the DB...SQL or SYBASE makes no difference to me, the query is about the same.

    Thanks for your time and suggestions.

    -Mike

  • 2.  RE: Database Locations of SEPM Logs/Report?

    Trusted Advisor
    Posted Sep 19, 2016 12:28 PM

    Hello,

    You may like to check this thread with a similar query:

    https://www.symantec.com/connect/forums/view-files-written-usb

    Regards,



  • 3.  RE: Database Locations of SEPM Logs/Report?

    Posted Sep 19, 2016 01:17 PM

    In the DATABASE, Mithun - not SEPM



  • 4.  RE: Database Locations of SEPM Logs/Report?
    Best Answer

    Posted Sep 22, 2016 03:29 PM

    Thanks for pointing out that thread Mithun, it seems that the table referenced (AGENT_BEHAVIOR_LOG_2) has very little of the data I'm after.

    As it turned out, the table with all the goodies I'm after is: V_AGENT_BEHAVIOR_LOG

    Here is a quick SQL query for anyone after the same.

    -- V_AGENT_BEHAVIOR_LOG stores EVENT_TIME as milliseconds since the Unix epoch (UTC);
    -- the fixed -6 hour DATEADD shifts it to local time (adjust the offset for your own time zone/DST).
    SELECT CONVERT(varchar(22), DATEADD(hour, -6, DATEADD(SECOND, EVENT_TIME / 1000, '1970-01-01 00:00:00')), 22) AS Time
          ,HOST_NAME AS ComputerName
          ,USER_NAME AS UserName
          ,PARAMETER AS TargetDestination   -- destination path recorded for the write
          ,FILE_SIZE AS Bytes
    FROM sem12dev.dbo.V_AGENT_BEHAVIOR_LOG
    -- drop the service accounts and keep only the File Write events
    WHERE USER_NAME != 'None' AND USER_NAME != 'NETWORK SERVICE' AND USER_NAME != 'SYSTEM'
      AND VAPI_NAME = 'File Write'
    -- order by the raw epoch value: sorting the mm/dd/yy string produced by style 22 is not chronological
    ORDER BY EVENT_TIME DESC

    Thanks for the reply,

    -Mike
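    Added example, not from the thread: a Python stand-in for the same filter and EVENT_TIME conversion, run over constructed rows carrying the V_AGENT_BEHAVIOR_LOG columns the query selects, plus a per-user byte total for reviewing USB write volume. The -6 hour offset the query hard-codes is kept as a parameter here; the host names, users and paths are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows mirroring the columns the query reads from V_AGENT_BEHAVIOR_LOG.
# EVENT_TIME is milliseconds since the Unix epoch (UTC), as in the SEPM database.
SAMPLE_ROWS = [
    {"EVENT_TIME": 1474303560000, "HOST_NAME": "WS-0101", "USER_NAME": "mike",
     "PARAMETER": "E:\\Quarterly\\forecast.xlsx", "FILE_SIZE": 48213, "VAPI_NAME": "File Write"},
    {"EVENT_TIME": 1474303620000, "HOST_NAME": "WS-0101", "USER_NAME": "SYSTEM",
     "PARAMETER": "E:\\pagefile.sys", "FILE_SIZE": 0, "VAPI_NAME": "File Write"},
    {"EVENT_TIME": 1474303680000, "HOST_NAME": "WS-0202", "USER_NAME": "jdoe",
     "PARAMETER": "F:\\export.csv", "FILE_SIZE": 1048576, "VAPI_NAME": "File Write"},
    {"EVENT_TIME": 1474303740000, "HOST_NAME": "WS-0202", "USER_NAME": "jdoe",
     "PARAMETER": "F:\\export.csv", "FILE_SIZE": 1048576, "VAPI_NAME": "File Read"},
]

# Accounts the query's WHERE clause excludes.
EXCLUDED_USERS = {"None", "NETWORK SERVICE", "SYSTEM"}


def event_time_to_local(event_time_ms, utc_offset=timedelta(hours=-6)):
    """Convert an EVENT_TIME epoch-millisecond value to a fixed-offset local time.

    The query applies a hard-coded -6 hour shift; that offset is a parameter here
    (hypothetical helper) so it can follow the site's actual zone and DST.
    """
    utc = datetime.fromtimestamp(event_time_ms / 1000, tz=timezone.utc)
    return utc.astimezone(timezone(utc_offset))


def usb_writes(rows, utc_offset=timedelta(hours=-6)):
    """Same selection as the query: skip service accounts, keep File Write, newest first."""
    events = []
    for r in rows:
        if r["USER_NAME"] in EXCLUDED_USERS or r["VAPI_NAME"] != "File Write":
            continue
        events.append({
            "Time": event_time_to_local(r["EVENT_TIME"], utc_offset).strftime("%Y-%m-%d %H:%M:%S"),
            "ComputerName": r["HOST_NAME"],
            "UserName": r["USER_NAME"],
            "TargetDestination": r["PARAMETER"],
            "Bytes": r["FILE_SIZE"],
            "_epoch_ms": r["EVENT_TIME"],  # kept for a chronological sort, not for display
        })
    return sorted(events, key=lambda e: e["_epoch_ms"], reverse=True)


def bytes_per_user(events):
    """Total bytes written to removable media per user, for spotting unusual volume."""
    totals = {}
    for e in events:
        totals[e["UserName"]] = totals.get(e["UserName"], 0) + e["Bytes"]
    return totals


if __name__ == "__main__":
    for e in usb_writes(SAMPLE_ROWS):
        print(e["Time"], e["ComputerName"], e["UserName"], e["TargetDestination"], e["Bytes"])
    print(bytes_per_user(usb_writes(SAMPLE_ROWS)))
```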