How to check Active user and Hostname of an SIEM configured device from ePO database
Last Modified: 2023-03-31 05:10:37 Etc/GMT
Technical Articles ID:
KB96398
Environment
ePolicy Orchestrator (ePO) 5.10.x
Summary
When you perform a CU update, a SIEM device is still allowed to pull events from the ePO database until the CU update completes.
If the SIEM device starts pulling events from the ePO database at the same time as the CU update is triggered, the existing active SIEM session can conflict with the update and cause the CU update to fail.
The CU update can also fail because of the load that event pulling from the ePO database to the SIEM places on the database. So, it's recommended that you stop this connection before performing the CU update. There are many SIEM vendors, and each vendor uses a different configuration for event collection. To work around this situation, you can run a SQL script on ePO to check the active sessions, IP addresses, and active user configured for the SIEM from the ePO database. Perform the steps below to run the new query:
Example Output
NOTE: From the above output, you need to compare the ePO, database server, and Follow the instructions below to temporarily disable the account from the SQL Server until the CU update completes:
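The check that the Summary describes, as an added T-SQL example that is not the KB's own script: it lists the active user sessions on the ePO database together with the login, client hostname and client IP address each one uses, so the SIEM collector's connection can be identified before the CU update. It assumes you run it against the ePO SQL Server instance with VIEW SERVER STATE permission; 'ePO_SERVERNAME' and 'siem_collector' are placeholders for your ePO database name and the login the SIEM uses.

```sql
-- Added example (not the KB's own script): show which logins, client hosts
-- and client IPs currently hold sessions on the ePO database.
-- 'ePO_SERVERNAME' is a placeholder for your ePO database name.
SELECT
    s.session_id,
    s.login_name,             -- account the collector authenticates with
    s.host_name,              -- client hostname reported by the session
    c.client_net_address,     -- client IP address of the connection
    s.program_name,           -- driver/application name, helps spot the SIEM
    s.status,
    s.login_time,
    s.last_request_end_time
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND s.database_id = DB_ID('ePO_SERVERNAME')   -- placeholder ePO database
  AND s.session_id <> @@SPID                    -- exclude this query's own session
ORDER BY s.login_time;

-- After the SIEM login has been identified from login_name above, block it
-- only for the duration of the CU update and re-enable it afterwards.
-- 'siem_collector' is a placeholder for that login.
ALTER LOGIN [siem_collector] DISABLE;
-- ... run the CU update ...
ALTER LOGIN [siem_collector] ENABLE;
```

Disabling a login only prevents new connections; a session that is already open keeps pulling events until it is ended with KILL <session_id> using the session_id from the first query.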