How to create a report for the event: 1203 (on-demand scan completed)
Technical Articles ID: KB69428
Last Modified: 2023-03-23 16:49:37 Etc/GMT
Environment
Endpoint Security (ENS) Threat Prevention 10.x
ePolicy Orchestrator (ePO) 5.x (on-premises)
Summary
Event 1203 is generated when an on-demand scan finishes normally. Two other conditions also cause an on-demand scan to generate event 1203:
- When the on-demand scan is terminated unexpectedly
- When the on-demand scan is canceled
NOTE: When an on-demand scan is canceled, an accompanying 34855 event is generated.
There is no built-in report for on-demand scan compliance, and there are several ways to pull event information from ePO. The following steps show one way to build a custom report. In this report, a system is compliant if it has completed an on-demand scan (Last Scan Completed) and noncompliant if it has either not been scanned or its scan was canceled (Not Scanned/Scan Canceled).
Solution
To create a Last Scan Completed report in ePO:
- Enable reporting for on-demand scan events:
- Log on to the ePO console.
- Edit the Endpoint Security Common policy. Under Client Logging, Threat Prevention events to log, set the On-demand scan value to All.
- Click Menu, Configuration, Server Settings.
- Select Event Filtering and click Edit.
- Select event 1203: On-demand scan complete (Info).
- Select event 34855: On-demand scan canceled or stopped (Medium).
- Click Save.
- Create the Scan Completed and Scan Canceled tags:
- Click Menu, Systems, Tag Catalog.
- Click New Tag.
- Name the tag Scan Completed and click Next.
- On the Criteria page, click Next without specifying any criteria.
- Click Next on the Evaluation page.
- Click Save.
- Click New Tag.
- Name the tag Scan Canceled and click Next.
- On the Criteria page, click Next without specifying any criteria.
- Click Next on the Evaluation page.
- Click Save.
- Create a query that returns all systems:
- Click Menu, Reporting, Queries & Reports.
- Click New Query.
- Select System Management, Systems.
NOTE: For ePO 5.9.x, the option is Managed Systems.
- Click Next.
- On the Chart page, click Table, and then click Next.
- On the Columns page, click Next.
- On the Filter page, click Run.
- Click Save, name the query All Systems, and then click Save again.
- Create a query that returns all 1203 events from the past seven days:
- Click Menu, Reporting, Queries & Reports.
- Click New Query.
- Select Events, Threat Events, and then click Next.
- On the Chart page, click Table, and then click Next.
- Under the Computer Properties category, add the column System Name, move the column to the far-left side, and then click Next.
- On the Filter page, under the Threat Events category, click Event ID and set it to Equals and 1203.
- Click Event Generated Time (UTC) and set it to Is within the last and 7 days.
NOTE: Adjust this value if on-demand scans run more or less often than every 7 days.
- Click Run.
- Click Save and save the query with the name Event 1203.
- Click Save again.
- Create a query that returns all 34855 (ENS) events from the past seven days:
- Click Menu, Reporting, Queries & Reports.
- Click New Query.
- Select Events, Threat Events, and then click Next.
- On the Chart page, click Table, and then click Next.
- Under the Computer Properties category, add the column System Name, move the column to the far-left side, and click Next.
- Under the Threat Events category, click Event ID, and set it to Equals and 34855 (ENS).
- Click Event Generated Time (UTC) and set it to Is within the last and 7 days.
NOTE: Adjust this value if on-demand scans run more or less often than every seven days.
- Click Run.
- Click Save and save the query with the name Event 34855.
- Click Save again.
- Create a server task that applies the Scan Completed tag:
- Click Menu, Automation, Server Tasks.
- Click New Task.
- Name the task Apply Scan Completed Tag and click Next.
- On the Actions page for the first Action, select the following:
- Run Query
- All Systems
- Clear Tag
- Scan Completed
- Click the plus (+) option next to Clear Tag.
- Set the subaction to Clear Tag.
- Set the tag to Scan Canceled.
- Click the plus (+) option next to Run Query.
- On the newly added second Action, select the following:
- Run Query
- Event 1203
- Apply Tag
- Scan Completed
- Click the plus (+) option next to Run Query.
- On the newly added third Action, select the following:
- Run Query
- Event 34855
- Apply Tag
- Scan Canceled
- Click Next.
- Set the task to run Weekly, at any time during the week, and then click Next. The actions run in order, so both tags are cleared before they are reapplied. Schedule the task at least as often as the 7-day window used by the event queries; otherwise scans that completed between the end of the window and the previous run are never tagged and those systems show as Not Scanned.
- Click Save.
- Create a report that shows the systems that have completed the last on-demand scan:
- Click Menu, Reporting, Queries & Reports.
- Click New Query.
- Select System Management, Managed Systems, and then click Next.
- On the Chart page, click Boolean Pie Chart, and then click Configure Criteria.
- Under the Managed Systems category, add the property Tags, set Comparison to Has tag and Value to Scan Completed.
- Click the plus (+) to add an 'and' line.
- On the new line, set Comparison to Doesn't have tag and Value to Scan Canceled.
- Click OK.
- Set the Label for matching slice to Last Scan Completed.
- Set the Label for non-matching slice to Not Scanned/Scan Canceled.
- Click Next.
- On the Columns page, add the columns you want to display, and click Next.
- Click Save and save the report as Last Scan Completed.
- Click Save again.
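The procedure above encodes a small classification rule across several ePO objects (two tags, three queries, a server task and a Boolean pie chart). The following Python is an added example, not code from the KB article or from ePO, that reproduces that rule offline on constructed sample events so the edge cases can be checked before the server task is trusted: a canceled scan emits 1203 and 34855 together, a completion older than the 7-day window is ignored, and (a variation the KB does not cover) a system that canceled one scan and later completed another. The system names, event rows and the function names are all constructed for the example.

```python
"""Offline model of the Scan Completed / Scan Canceled tagging logic.

Added example, not part of the KB article or of ePO. Events, system names
and timestamps below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ODS_COMPLETED = 1203        # On-demand scan complete (Info)
ODS_CANCELED = 34855        # On-demand scan canceled or stopped (Medium)
WINDOW = timedelta(days=7)  # "Is within the last 7 days" in both event queries

TAG_COMPLETED = "Scan Completed"
TAG_CANCELED = "Scan Canceled"
MATCH = "Last Scan Completed"            # matching slice of the pie chart
NO_MATCH = "Not Scanned/Scan Canceled"   # non-matching slice


def apply_tags(systems, events, now, window=WINDOW):
    """Reproduce the three server-task actions; return {system: set of tags}.

    systems: names returned by the All Systems query.
    events:  (system, event_id, generated_utc) tuples, i.e. the rows the
             Event 1203 and Event 34855 queries see before the time filter.
    """
    # Action 1: run All Systems and clear both tags on every system.
    tags = {s: set() for s in systems}
    cutoff = now - window
    for system, event_id, when in events:
        if system not in tags or when < cutoff:
            continue  # not a managed system, or outside the query window
        if event_id == ODS_COMPLETED:      # Action 2: Event 1203 query
            tags[system].add(TAG_COMPLETED)
        elif event_id == ODS_CANCELED:     # Action 3: Event 34855 query
            tags[system].add(TAG_CANCELED)
    return tags


def classify(systems, events, now, window=WINDOW):
    """Label each system as the Boolean pie chart does:
    Has tag Scan Completed AND Doesn't have tag Scan Canceled."""
    tags = apply_tags(systems, events, now, window)
    return {s: MATCH if TAG_COMPLETED in t and TAG_CANCELED not in t else NO_MATCH
            for s, t in tags.items()}


def classify_by_latest(systems, events, now, window=WINDOW):
    """Variation not in the KB: judge each system by its most recent scan.

    The tag approach marks a system noncompliant for the whole window if any
    scan in it was canceled, even when a later scan completed. Here a system
    is compliant if its newest 1203 is strictly newer than its newest 34855.
    A canceled scan emits 1203 and 34855 with the same timestamp, so a tie
    counts as canceled.
    """
    managed = set(systems)
    cutoff = now - window
    latest = defaultdict(dict)  # system -> {event_id: newest timestamp}
    for system, event_id, when in events:
        if system in managed and when >= cutoff:
            prev = latest[system].get(event_id)
            if prev is None or when > prev:
                latest[system][event_id] = when
    out = {}
    for s in systems:
        done = latest[s].get(ODS_COMPLETED)
        stopped = latest[s].get(ODS_CANCELED)
        out[s] = MATCH if done is not None and (stopped is None or done > stopped) else NO_MATCH
    return out


def slice_counts(report):
    """Counts for the two pie-chart slices."""
    counts = {MATCH: 0, NO_MATCH: 0}
    for label in report.values():
        counts[label] += 1
    return counts


# Constructed sample data (not real ePO output).
NOW = datetime(2023, 3, 23, 16, 0, tzinfo=timezone.utc)
SAMPLE_SYSTEMS = ["WS01", "WS02", "WS03", "WS04", "WS05"]
SAMPLE_EVENTS = [
    ("WS01", ODS_COMPLETED, NOW - timedelta(days=2)),   # clean completion
    ("WS02", ODS_COMPLETED, NOW - timedelta(days=3)),   # canceled: 1203 and 34855 arrive together
    ("WS02", ODS_CANCELED, NOW - timedelta(days=3)),
    ("WS03", ODS_COMPLETED, NOW - timedelta(days=10)),  # completed, but outside the 7-day window
    # WS04: no on-demand scan events at all
    ("WS05", ODS_COMPLETED, NOW - timedelta(days=5)),   # canceled 5 days ago ...
    ("WS05", ODS_CANCELED, NOW - timedelta(days=5)),
    ("WS05", ODS_COMPLETED, NOW - timedelta(days=1)),   # ... then completed 1 day ago
]


def sample_report():
    return classify(SAMPLE_SYSTEMS, SAMPLE_EVENTS, NOW)


def sample_report_by_latest():
    return classify_by_latest(SAMPLE_SYSTEMS, SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for name, rep in (("tag-based (KB)", sample_report()),
                      ("latest-event", sample_report_by_latest())):
        print(name, slice_counts(rep))
        for s in SAMPLE_SYSTEMS:
            print("  ", s, rep[s])
```

With the KB's tag-based rule, WS05 stays in the Not Scanned/Scan Canceled slice because both tags are present for the week; the latest-event variation reports it as compliant. Which behaviour you want depends on whether a canceled scan should count against a system until the next clean weekly cycle.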