Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 1 subscriber
  • Views 2556 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Computer Details show Events for users not using the device

hfs

Hi all,

Just wondering how the computer details of one device can have web events showing the user field as someone who doesn't use that device.

Example we have a laptop that only on person has ever used, but in computer details it is showing Latest Web Events and Device Control events from users other than the person acutally using that laptop.

Any help would be great.

:40049


This thread was automatically locked due to age.
Parents
  • 0

    Hello hfs,

    Would you recommend a DBPurge to clear any erroneous data?

    hm,  rather no unless you really know what you are doing - no offence meant! As you apparently didn't notice the "missing" endpoints your data is - apart from the merged clients - likely not absolutely correct anyway. The number and type of detections are correct, the number of clients (and clients with detections) as well as the events-user-computer association are not - so whatever you do, whether you keep them or purge them, the historical data are incorrect.

    Do I need to perform these tasks? ... Will that make them unique?

    Yes. I have done it (the cloning was outside my control) on running computers. Basically - using a script - I've stopped the relevant services (Message Router, Patch, Web Control), removed the registry keys and files and restarted the services. This should then cause the clients to obtain a unique ID and they will soon after appear as individual endpoints in SEC.

    Deleting the "merged" computer(s) from SEC has not much effect - likely one of the clients will be matched to the old entry (delete just "hides" the endpoint, all data is kept) and this one will retain all the accumulated data.

    Christian 

    :40117
Reply
  • 0

    Hello hfs,

    Would you recommend a DBPurge to clear any erroneous data?

    hm,  rather no unless you really know what you are doing - no offence meant! As you apparently didn't notice the "missing" endpoints your data is - apart from the merged clients - likely not absolutely correct anyway. The number and type of detections are correct, the number of clients (and clients with detections) as well as the events-user-computer association are not - so whatever you do, whether you keep them or purge them, the historical data are incorrect.

    Do I need to perform these tasks? ... Will that make them unique?

    Yes. I have done it (the cloning was outside my control) on running computers. Basically - using a script - I've stopped the relevant services (Message Router, Patch, Web Control), removed the registry keys and files and restarted the services. This should then cause the clients to obtain a unique ID and they will soon after appear as individual endpoints in SEC.

    Deleting the "merged" computer(s) from SEC has not much effect - likely one of the clients will be matched to the old entry (delete just "hides" the endpoint, all data is kept) and this one will retain all the accumulated data.

    Christian 

    :40117
Children
No Data