Data Loss Prevention

  • 1.  Scheduling automated agent status report for DLP

    Posted Dec 13, 2018 10:28 AM

    Hi,

    Our DLP setup mainly consists of two roles that we're currently using, System Admins who set everything up and do the backend management of the Enforce server, and Investigators who review incidents and mark them appropriately.

    I've been asked if we can set up a weekly or daily report that shows all endpoint agents with a status of Critical or Warning, so our Investigators can check these machines and make sure they're still online and have a functioning DLP agent.

    Only SysAdmins currently have access to the System tab, so only we can check the status of agents. Investigators don't have access to this, and the only way I can find to give them this is to grant the role the user privileges for Agent Management, however this also gives them the ability to delete agents, change their detection servers and agent group, plus shutdown/restart the agent. This is a bit more control than we'd like to give these users.

    I've managed to create a shared report which does this, and I'd like to have this run weekly and email to a distribution list. However I can't seem to find any way to schedule this, the Schedule button is grayed out, so I can only Edit or Delete the report.

    My only options at the moment seem to be to manually run the report and export it myself, or delegate Agent Management privileges. Does anyone know a way I can resolve this?

    Cheers



  • 2.  RE: Scheduling automated agent status report for DLP

    Posted Jan 05, 2019 08:02 PM

    You probably won't be able to use the console to get exactly what you're looking for, but you can use these scripts, combined with some type of automation, to get what you're looking for. Spool the Oracle output to a file, and then use an automation tool like PowerShell to ship the file off to an email inbox using something like Send-MailMessage. Good luck!

     

     

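    --This query gets you the agents with status--

    -- Column widths must fit the longest value ('Critical' is 8 characters), or SQL*Plus wraps it.
    COLUMN AGENTNAME FORMAT A20
    COLUMN STATUS FORMAT A8
    set pagesize 20000
    set linesize 150
    set colsep ,
    spool CriticalAndWarningAgentList.txt
    select
    agentname,
    -- The STATUS alias is what the COLUMN STATUS format above applies to.
    CASE status
        when 1 then 'OK'
        when 2 then 'Warning'
        when 3 then 'Critical'
        END STATUS
    from AGENT
    where agent.status!=1
    and ISDELETED=0
    -- Sort on the numeric code so Critical (3) is listed before Warning (2).
    -- The trailing semicolon is required: without it SQL*Plus never runs the statement.
    ORDER BY agent.status DESC;
    spool off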

     


    --This query gets the counts of agent status summarized by status--

    spool CriticalAndWarningAgentListSummary.txt
    select 
    CASE status 
        when 1 then 'OK'
        when 2 then 'Warning'
        when 3 then 'Critical'
        END STATUS,
    COUNT(agentname) NUMBER_OF_AGENTS
    from AGENT
    where agent.status!=1
    and ISDELETED=0
    GROUP BY status
    ORDER BY STATUS DESC; 
    spool off 
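
The automation described in the reply above (run the query, spool to a file, mail it with Send-MailMessage), as an added example that is not part of the original thread. The directory, script file name, connect identifier, SMTP relay, mail addresses and the SELECT-only database account are all assumptions; only the `AGENT` table and the spool file name come from the thread.

```powershell
# Added example, not from the thread. Paths, host names, addresses and the DB account are placeholders.
$ErrorActionPreference = 'Stop'
$WorkDir    = 'C:\DLPReports'
$SqlScript  = Join-Path $WorkDir 'agent_status.sql'   # first query from this thread, each statement ending in ;
$ReportFile = Join-Path $WorkDir 'CriticalAndWarningAgentList.txt'   # name used by its SPOOL command
$TnsAlias   = 'DLPDB'                                 # placeholder Oracle connect identifier
$Mail = @{ SmtpServer = 'smtp.example.com'; From = 'dlp-reports@example.com'; UseSsl = $true }  # assumes the relay offers STARTTLS
$Investigators = 'dlp-investigators@example.com'
$Admins        = 'dlp-admins@example.com'

# Credential of a database account that has SELECT on the AGENT table and nothing else. Saved once with:
#   Get-Credential | Export-Clixml C:\DLPReports\dbcred.xml
# On Windows the password in that file is DPAPI-protected: only the same user on the same machine can load it.
$cred = Import-Clixml (Join-Path $WorkDir 'dbcred.xml')
$pw   = $cred.GetNetworkCredential().Password

# Delete the previous report so a failed run can never mail stale data.
Remove-Item $ReportFile -ErrorAction SilentlyContinue

Push-Location $WorkDir    # SPOOL with a relative file name writes to the current directory
try {
    # CONNECT is sent over stdin, so the password is not visible on the sqlplus command line.
    $out = @(
        'WHENEVER SQLERROR EXIT FAILURE'
        "CONNECT $($cred.UserName)/`"$pw`"@$TnsAlias"
        "@$SqlScript"
        'EXIT'
    ) | & sqlplus -S /nolog
    $exitCode = $LASTEXITCODE
} finally { Pop-Location }

# Treat a non-zero exit, any ORA-/SP2- message, or a missing spool file as failure.
$errors = @($out | Where-Object { "$_" -match '\b(ORA|SP2)-\d+' })
if ($exitCode -ne 0 -or $errors.Count -gt 0 -or -not (Test-Path $ReportFile)) {
    Send-MailMessage @Mail -To $Admins -Subject 'DLP agent status report FAILED' `
        -Body ("sqlplus exit code $exitCode`n" + ($errors -join "`n"))
    exit 1
}

$rows = @(Select-String -Path $ReportFile -Pattern 'Warning|Critical').Count
Send-MailMessage @Mail -To $Investigators -Attachments $ReportFile `
    -Subject "DLP agents in Warning/Critical state: $rows" `
    -Body 'Agent list attached (read from the AGENT table by a scheduled job).'
```

Run it from Task Scheduler under the same Windows account that created `dbcred.xml`. Investigators then receive the agent list without being granted the Agent Management privilege in the Enforce console.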

        



  • 3.  RE: Scheduling automated agent status report for DLP

    Posted Jan 11, 2019 11:21 AM

    Thanks for the response! I'll have a look into that and see what can be done.



  • 4.  RE: Scheduling automated agent status report for DLP

    Trusted Advisor
    Posted Jan 15, 2019 03:06 PM

    GMCE87,

     

    This is a common problem that people have. The easiest way, unfortunately, is to run a SQL script that you can set up as a batch job to run against the DB.

    Here are a few SQL scripts that will output a few different reports directly from the DB.

    1. Agent List with Logged in User
    2. Agent List with Logged in User and Domain
    3. Agent List with Status and Server Name

    Good Luck

    Ronak

     

    PLEASE MARK SOLVED WHEN POSSIBLE