Environment
- App Control Server: All Supported Versions
- Microsoft SQL Server: All Supported Versions
Question
Is there a SQL script that can be run against the DAS database that will show what Custom Rules are being triggered most frequently to those that are not?
Answer
There is a SQL script that can be run against the DAS database that will show those rules that are most frequently used vice those are that less frequently used or not at all. Additionally, it will show a count of computers that triggered the rule. This is a good script to run when conducting rule audits, etc.
- Log in to the application server hosting the Console as the Carbon Black Service Account.
- Launch SQL Server Management Studio and after connecting to the SQL Server choose New Query.
- Choose Query > Results To > Results to Grid and execute the following query:
Use das;
GO
select
E.Rule_Name,
count( E.Event_Id ) as 'Number_Times_Triggered',
count( distinct E.Computer_Id ) as 'Count_Of_Computers_That_Triggered'
from
bit9_public.ExEvents E
where
E.Rule_Name is not null and
E.Updater_Name is null and
E.Indicator_Name is null
group by
E.Rule_Name
order by
'Number_Times_Triggered' DESC
;
- Right click the results and choose Save Results As... to export the results to a CSV file.
Additional Notes
- This query executes against the Public Views for the das database, which should not result in any locks against the live database.
- Please keep in mind this will ONLY work for rules that report back into the console. A list of rule types that DO NOT report back into the console are listed below:
- Trusted Path Rules (these fall under execution allow rules)
- File Creation Control Rules
- Performance Optimization Rules
- Execution Control > Allow Rules
Related Content