Has anyone tried to configure DB Connect v3 to pull data from McAfee ePO v5.3.2? I leveraged the Template for McAfee:epo5 and modified to use the proper tables. Along with configuring Rising Column to use "AutoID", Checkpoint Value of 10000, and the Column of timestamp.
The query continues to hang at 80%.
The DB isn't that large, but I've tested adding WHERE [EPOEvents].[ReceivedUTC] > DATEADD(day, -1, GETDATE() ).
Same result. Thoughts?
Here is the Query I'm using.
SELECT
[EPOEvents].[ReceivedUTC] as [timestamp],
[EPOEvents].[AutoID],
[EPOEvents].[ThreatName] as [signature],
[EPOEvents].[ThreatType] as [threat_type],
[EPOEvents].[ThreatEventID] as [signature_id],
[EPOEvents].[ThreatCategory] as [category],
[EPOEvents].[ThreatSeverity] as [severity_id],
[EPOEventFilterDesc].[Name] as [event_description],
[EPOEvents].[DetectedUTC] as [detected_timestamp],
[EPOEvents].[TargetFileName] as [file_name],
[EPOEvents].[AnalyzerDetectionMethod] as [detection_method],
[EPOEvents].[ThreatActionTaken] as [vendor_action],
CAST([EPOEvents].[ThreatHandled] as int) as [threat_handled],
[EPOEvents].[TargetUserName] as [logon_user],
[EPOComputerProperties].[UserName] as [user],
[EPOComputerProperties].[DomainName] as [dest_nt_domain],
[EPOEvents].[TargetHostName] as [dest_dns],
[EPOEvents].[TargetHostName] as [dest_nt_host],
[EPOComputerProperties].[IPHostName] as [fqdn],
[dest_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),4,1))) ),
[EPOComputerProperties].[SubnetMask] as [dest_netmask],
[EPOComputerProperties].[NetAddress] as [dest_mac],
[EPOComputerProperties].[OSType] as [os],
[EPOComputerProperties].[OSServicePackVer] as [sp],
[EPOComputerProperties].[OSVersion] as [os_version],
[EPOComputerProperties].[OSBuildNum] as [os_build],
[EPOComputerProperties].[TimeZone] as [timezone],
[EPOEvents].[SourceHostName] as [src_dns],
[src_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ),
[EPOEvents].[SourceMAC] as [src_mac],
[EPOEvents].[SourceProcessName] as [process],
[EPOEvents].[SourceURL] as [url],
[EPOEvents].[SourceUserName] as [source_logon_user],
[EPOComputerProperties].[IsPortable] as [is_laptop],
[EPOEvents].[AnalyzerName] as [product],
[EPOEvents].[AnalyzerVersion] as [product_version],
[EPOEvents].[AnalyzerEngineVersion] as [engine_version],
[EPOEvents].[AnalyzerDATVersion] as [dat_version],
[EPOProdPropsView_THREATPREVENTION].[verDAT32Major] as [vse_dat_version],
[EPOProdPropsView_THREATPREVENTION].[verEngine32Major] as [vse_engine64_version],
[EPOProdPropsView_THREATPREVENTION].[verEngine32Minor] as [vse_engine_version],
[EPOProdPropsView_THREATPREVENTION].[productversion] as [vse_product_version]
FROM [EPOEvents]
LEFT JOIN [EPOLeafNode] ON [EPOEvents].[AgentGUID] = [EPOLeafNode].[AgentGUID]
LEFT JOIN [EPOProdPropsView_THREATPREVENTION] ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_THREATPREVENTION].[LeafNodeID]
LEFT JOIN [EPOComputerProperties] ON [EPOLeafNode].[AutoID] = [EPOComputerProperties].[ParentID]
LEFT JOIN [EPOEventFilterDesc] ON [EPOEvents].[ThreatEventID] = [EPOEventFilterDesc].[EventId]
AND ([EPOEventFilterDesc].[Language]='0409')
WHERE [EPOEvents].[AutoID] > ?
ORDER BY [EPOEvents].[AutoID] ASC
... View more