5 Replies Latest reply on May 21, 2015 12:45 PM by pascalp

    Event 9000 CSV reports with metadata split into columns

      Two PowerShell scripts that do SQL queries and tidy up the data:

      QueryTop100Event9000withSplitMetadata.ps1 - List the top 100 most blocked exe/dll files

      QueryLast14DaysEvent9000withSplitMetadata.ps1 - Get every AM block (event 9000) from the last 14 days, including the machine and user - useful to locate the source executable if you want to import the cert for a Trusted Vendor rule.

      Example output from the first one:

      As well as splitting the metadata the scripts also translate c:\users\bob and c:\users\dave into %userprofile%.

      You'll need to run them as an account with db_datareader rights against your Management Center database - the AppSense 'config' account should suffice, if that hasn't been stripped of its default rights.

      If you're blocked from running PowerShell scripts use the following (no admin rights required):

      Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

      If Group Policy still won't let you run a script then just copy and paste the code into PowerShell.exe or the ISE. Remember to modify the SQL Server and DB name at the top of the scripts.