All Apps and Add-ons

Rising column empty while setting an input Splunk DBConnect app

Builder

I am trying to setup an input in DBConnect app to ingest logs from McAfee ePO.
I have successfully created a connection to the DB. However, unable to get past the input settings.
As per the docs, that mention, If a database other than the default McAfee database is selected, the template must be updated with the actual McAfee database and schema name.
I have updated the template to change the default DB from EPOEvents --> "ePO_ABCEPO_Events"."dbo"."EPOEvents"

On the "New Inputs", I have selected the connection, catalog, schema and chose the McAfee template. But still, the rising column is not generating any column.

However, when I just choose the Table, it automatically runs the query - SELECT * FROM "ePO_ABCEPO"."dbo"."EPOEvents" and displays the table and Rising Column does display all the available columns.

Please advise how can I solve this issue. The docs arent so well documented for setting the inputs. for DBConnect 3.x.x

Labels (1)
0 Karma
1 Solution

Builder

Answering my own question here. I was able to fix the issue by doing the following,

  1. From the FROM keyword in the sql query, replaced all table names from EPOEvents --> "ePO_ABCEPO_Events"."dbo"."EPOEvents"
  2. Added this statement - AND [EPOEvents].[ReceivedUTC] > DATEADD(day, -1, GETDATE() ) at the end of the query as the query used to get timed out all the time.
  3. the default template query mentions OSServicePackVer as one of the table columns, however, it seems to have changed in new version of EPO server to OSCsdVersion, so change that part in the query. So the modified query looks like below, SELECT [EPOEvents].[ReceivedUTC] as [timestamp], [EPOEvents].[AutoID], [EPOEvents].[ThreatName] as [signature], [EPOEvents].[ThreatType] as [threattype], [EPOEvents].[ThreatEventID] as [signatureid], [EPOEvents].[ThreatCategory] as [category], [EPOEvents].[ThreatSeverity] as [severityid], [EPOEventFilterDesc].[Name] as [eventdescription], [EPOEvents].[DetectedUTC] as [detectedtimestamp], [EPOEvents].[TargetFileName] as [filename], [EPOEvents].[AnalyzerDetectionMethod] as [detectionmethod], [EPOEvents].[ThreatActionTaken] as [vendoraction], CAST([EPOEvents].[ThreatHandled] as int) as [threathandled], [EPOEvents].[TargetUserName] as [logonuser], [EPOComputerProperties].[UserName] as [user], [EPOComputerProperties].[DomainName] as [destntdomain], [EPOEvents].[TargetHostName] as [destdns], [EPOEvents].[TargetHostName] as [destnthost], [EPOComputerProperties].[IPHostName] as [fqdn], [destip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),4,1))) ), [EPOComputerProperties].[SubnetMask] as [destnetmask], [EPOComputerProperties].[NetAddress] as [destmac], [EPOComputerProperties].[OSType] as [os], [EPOComputerProperties].[OSCsdVersion] as [sp], [EPOComputerProperties].[OSVersion] as [osversion], [EPOComputerProperties].[OSBuildNum] as [osbuild], [EPOComputerProperties].[TimeZone] as [timezone], [EPOEvents].[SourceHostName] as [srcdns], [srcip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ), [EPOEvents].[SourceMAC] as [srcmac], [EPOEvents].[SourceProcessName] as [process], [EPOEvents].[SourceURL] as [url], [EPOEvents].[SourceUserName] as [sourcelogonuser], [EPOComputerProperties].[IsPortable] as [islaptop], [EPOEvents].[AnalyzerName] as [product], [EPOEvents].[AnalyzerVersion] as [productversion], [EPOEvents].[AnalyzerEngineVersion] as [engineversion], [EPOEvents].[AnalyzerDATVersion] as [datversion], [EPOProdPropsViewVIRUSCAN].[datver] as [vsedatversion], [EPOProdPropsViewVIRUSCAN].[enginever64] as [vseengine64version], [EPOProdPropsViewVIRUSCAN].[enginever] as [vseengineversion], [EPOProdPropsViewVIRUSCAN].[hotfix] as [vsehotfix], [EPOProdPropsViewVIRUSCAN].[productversion] as [vseproductversion], [EPOProdPropsViewVIRUSCAN].[servicepack] as [vsesp] FROM "ePOABCEPO"."dbo"."EPOEvents" LEFT JOIN "ePOABCEPO"."dbo"."EPOLeafNode" ON [EPOEvents].[AgentGUID] = [EPOLeafNode].[AgentGUID] LEFT JOIN "ePOABCEPO"."dbo"."EPOProdPropsViewVIRUSCAN" ON [EPOLeafNode].[AutoID] = [EPOProdPropsViewVIRUSCAN].[LeafNodeID] LEFT JOIN "ePOABCEPO"."dbo"."EPOComputerProperties" ON [EPOLeafNode].[AutoID] = [EPOComputerProperties].[ParentID] LEFT JOIN "ePOABCEPO"."dbo"."EPOEventFilterDesc" ON [EPOEvents].[ThreatEventID] = [EPOEventFilterDesc].[EventId] AND ([EPOEventFilterDesc].[Language]='0409') WHERE [EPOEvents].[AutoID] > ? AND [EPOEvents].[ReceivedUTC] > DATEADD(day, -1, GETDATE() ) ORDER BY [EPOEvents].[AutoID] ASC

If you choose the right, Connection, catalog, schema, select the mcafee add-on template and modify the generated sql query accordingly, the rising column should get populated automatically.

View solution in original post

Builder

Answering my own question here. I was able to fix the issue by doing the following,

  1. From the FROM keyword in the sql query, replaced all table names from EPOEvents --> "ePO_ABCEPO_Events"."dbo"."EPOEvents"
  2. Added this statement - AND [EPOEvents].[ReceivedUTC] > DATEADD(day, -1, GETDATE() ) at the end of the query as the query used to get timed out all the time.
  3. the default template query mentions OSServicePackVer as one of the table columns, however, it seems to have changed in new version of EPO server to OSCsdVersion, so change that part in the query. So the modified query looks like below, SELECT [EPOEvents].[ReceivedUTC] as [timestamp], [EPOEvents].[AutoID], [EPOEvents].[ThreatName] as [signature], [EPOEvents].[ThreatType] as [threattype], [EPOEvents].[ThreatEventID] as [signatureid], [EPOEvents].[ThreatCategory] as [category], [EPOEvents].[ThreatSeverity] as [severityid], [EPOEventFilterDesc].[Name] as [eventdescription], [EPOEvents].[DetectedUTC] as [detectedtimestamp], [EPOEvents].[TargetFileName] as [filename], [EPOEvents].[AnalyzerDetectionMethod] as [detectionmethod], [EPOEvents].[ThreatActionTaken] as [vendoraction], CAST([EPOEvents].[ThreatHandled] as int) as [threathandled], [EPOEvents].[TargetUserName] as [logonuser], [EPOComputerProperties].[UserName] as [user], [EPOComputerProperties].[DomainName] as [destntdomain], [EPOEvents].[TargetHostName] as [destdns], [EPOEvents].[TargetHostName] as [destnthost], [EPOComputerProperties].[IPHostName] as [fqdn], [destip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),4,1))) ), [EPOComputerProperties].[SubnetMask] as [destnetmask], [EPOComputerProperties].[NetAddress] as [destmac], [EPOComputerProperties].[OSType] as [os], [EPOComputerProperties].[OSCsdVersion] as [sp], [EPOComputerProperties].[OSVersion] as [osversion], [EPOComputerProperties].[OSBuildNum] as [osbuild], [EPOComputerProperties].[TimeZone] as [timezone], [EPOEvents].[SourceHostName] as [srcdns], [srcip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ), [EPOEvents].[SourceMAC] as [srcmac], [EPOEvents].[SourceProcessName] as [process], [EPOEvents].[SourceURL] as [url], [EPOEvents].[SourceUserName] as [sourcelogonuser], [EPOComputerProperties].[IsPortable] as [islaptop], [EPOEvents].[AnalyzerName] as [product], [EPOEvents].[AnalyzerVersion] as [productversion], [EPOEvents].[AnalyzerEngineVersion] as [engineversion], [EPOEvents].[AnalyzerDATVersion] as [datversion], [EPOProdPropsViewVIRUSCAN].[datver] as [vsedatversion], [EPOProdPropsViewVIRUSCAN].[enginever64] as [vseengine64version], [EPOProdPropsViewVIRUSCAN].[enginever] as [vseengineversion], [EPOProdPropsViewVIRUSCAN].[hotfix] as [vsehotfix], [EPOProdPropsViewVIRUSCAN].[productversion] as [vseproductversion], [EPOProdPropsViewVIRUSCAN].[servicepack] as [vsesp] FROM "ePOABCEPO"."dbo"."EPOEvents" LEFT JOIN "ePOABCEPO"."dbo"."EPOLeafNode" ON [EPOEvents].[AgentGUID] = [EPOLeafNode].[AgentGUID] LEFT JOIN "ePOABCEPO"."dbo"."EPOProdPropsViewVIRUSCAN" ON [EPOLeafNode].[AutoID] = [EPOProdPropsViewVIRUSCAN].[LeafNodeID] LEFT JOIN "ePOABCEPO"."dbo"."EPOComputerProperties" ON [EPOLeafNode].[AutoID] = [EPOComputerProperties].[ParentID] LEFT JOIN "ePOABCEPO"."dbo"."EPOEventFilterDesc" ON [EPOEvents].[ThreatEventID] = [EPOEventFilterDesc].[EventId] AND ([EPOEventFilterDesc].[Language]='0409') WHERE [EPOEvents].[AutoID] > ? AND [EPOEvents].[ReceivedUTC] > DATEADD(day, -1, GETDATE() ) ORDER BY [EPOEvents].[AutoID] ASC

If you choose the right, Connection, catalog, schema, select the mcafee add-on template and modify the generated sql query accordingly, the rising column should get populated automatically.

View solution in original post

New Member

I still having problems. Following your advice I have the following query, but it returns an error Parameter #1 has not been set.

My query is as follows:
SELECT
[EPOEventsMT].[ReceivedUTC] as [timestamp],
[EPOEventsMT].[AutoID],
[EPOEventsMT].[ThreatName] as [signature],
[EPOEventsMT].[ThreatType] as [threattype],
[EPOEventsMT].[ThreatEventID] as [signature
id],
[EPOEventsMT].[ThreatCategory] as [category],
[EPOEventsMT].[ThreatSeverity] as [severityid],
[EPOEventFilterDesc].[Name] as [event
description],
[EPOEventsMT].[DetectedUTC] as [detectedtimestamp],
[EPOEventsMT].[TargetFileName] as [file
name],
[EPOEventsMT].[AnalyzerDetectionMethod] as [detectionmethod],
[EPOEventsMT].[ThreatActionTaken] as [vendor
action],
CAST([EPOEventsMT].[ThreatHandled] as int) as [threathandled],
[EPOEventsMT].[TargetUserName] as [logon
user],
[EPOComputerPropertiesMT].[UserName] as [user],
[EPOComputerPropertiesMT].[DomainName] as [destntdomain],
[EPOEventsMT].[TargetHostName] as [destdns],
[EPOEventsMT].[TargetHostName] as [dest
nthost],
[EPOComputerPropertiesMT].[IPHostName] as [fqdn],
[dest
ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),4,1))) ),
[EPOComputerPropertiesMT].[SubnetMask] as [destnetmask],
[EPOComputerPropertiesMT].[NetAddress] as [dest
mac],
[EPOComputerPropertiesMT].[OSType] as [os],
[EPOComputerPropertiesMT].[OSCsdVersion] as [sp],
[EPOComputerPropertiesMT].[OSVersion] as [osversion],
[EPOComputerPropertiesMT].[OSBuildNum] as [os
build],
[EPOComputerPropertiesMT].[TimeZone] as [timezone],
[EPOEventsMT].[SourceHostName] as [srcdns],
[src
ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEventsMT].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEventsMT].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEventsMT].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEventsMT].[SourceIPV4] + 2147483648))),4,1))) ),
[EPOEventsMT].[SourceMAC] as [srcmac],
[EPOEventsMT].[SourceProcessName] as [process],
[EPOEventsMT].[SourceURL] as [url],
[EPOEventsMT].[SourceUserName] as [source
logonuser],
[EPOComputerPropertiesMT].[IsPortable] as [is
laptop],
[EPOEventsMT].[AnalyzerName] as [product],
[EPOEventsMT].[AnalyzerVersion] as [productversion],
[EPOEventsMT].[AnalyzerEngineVersion] as [engine
version],
[EPOEventsMT].[AnalyzerDATVersion] as [datversion],
[EPOProdPropsView
VIRUSCAN].[datver] as [vsedatversion],
[EPOProdPropsViewVIRUSCAN].[enginever64] as [vseengine64version],
[EPOProdPropsView
VIRUSCAN].[enginever] as [vseengineversion],
[EPOProdPropsViewVIRUSCAN].[hotfix] as [vsehotfix],
[EPOProdPropsViewVIRUSCAN].[productversion] as [vseproductversion],
[EPOProdPropsView
VIRUSCAN].[servicepack] as [vsesp]
FROM "ePO
XXX-EPO-BOS-P01"."dbo"."EPOEventsMT"
LEFT JOIN "ePOXXX-EPO-BOS-P01"."dbo"."EPOLeafNodeMT" ON [EPOEventsMT].[AgentGUID] = [EPOLeafNodeMT].[AgentGUID]
LEFT JOIN "ePO
XXX-EPO-BOS-P01"."dbo"."EPOProdPropsViewVIRUSCAN" ON [EPOLeafNodeMT].[AutoID] = [EPOProdPropsViewVIRUSCAN].[LeafNodeID]
LEFT JOIN "ePOXXX-EPO-BOS-P01"."dbo"."EPOComputerPropertiesMT" ON [EPOLeafNodeMT].[AutoID] = [EPOComputerPropertiesMT].[ParentID]
LEFT JOIN "ePO
XXX-EPO-BOS-P01"."dbo""EPOEventFilterDesc" ON [EPOEventsMT].[ThreatEventID] = [EPOEventFilterDesc].[EventId]
AND ([EPOEventFilterDesc].[Language]='0409')
WHERE [EPOEventsMT].[AutoID] > ? AND [EPOEventsMT].[ReceivedUTC] > DATEADD(day, -1, GETDATE() )
ORDER BY [EPOEventsMT].[AutoID] ASC

0 Karma

Builder

Hi, Sorry replying almost a year later.
As I have stated the my answer, you have to choose Connection, catalog, schema on the left side.

0 Karma