Skip to content

epartington/rsa_nw_log_sccm_defender

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
sccm_odbc_typespec
sccm_odbc_typespec
 
 
sccmodbc/etc/devices/sccmodbc
sccmodbc/etc/devices/sccmodbc
 
 
README.md
README.md
 
 
sccmodbc.envision
sccmodbc.envision
 
 

Repository files navigation

Log Parser - ODBC - SCCM Defender AV logs

SCCM/SCEP no longer writes the AV logs to the event log on the SCCM server. You need to query the SQL DB

  • Deploy the typespec to the log collector service
  • /etc/netwitness/ng/logcollection/content/collection/odbc/
  • Deploy the parser to the log decoder and enable

You can upload the .envision file to the log decoder using the parser tab in >config and upload.

You will have to update the SQL in the typespec file for your SCCM instance as a view is used and that name changes with each instance installed

FROM [CM_CA1].[dbo].[v_AM_NormalizedDetectionHistory]

CM_CA1 - update on your SCCM instance

THanks to IRedden for the original work on this.

About

RSA NetWitness log parser for SCCM Defender AV Logs

Resources

Readme
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published