
Shh/Updater-B: selectively acknowledging FP's and errors via script?

Hey folks, hope y'all's week has been going well! 

We've been going about cleaning up our endpoints from last week's glitch; the fix VBScript is working very well, and we're marking down the hostnames of the computers that have been fixed.

I saw the script that will acknowledge ALL the Shh/Updater-B alerts in Enterprise Console (4.5 in our case), but what if I don't want to acknowledge all of them?

Is there a way I can feed it a list of hostnames to acknowledge the SHH/Updater-B on?  I'd like to later run a new list of ones to work on.  

Or am I thinking about this all wrong? If I acknowledge them all, will the still-broken ones repopulate again? I had thought they would be ignored, since I acknowledged it.

Any advice or help would be appreciated.  

:33187


  • There are a few ways to integrate a text file into a SQL command. Importing into a temp table and joining on that is probably the best option if you have thousands of clients.

    If you have a shorter list or are happy to run multiple queries, you could put the names into a comma-separated list within the SQL, e.g.


    -- Acknowledge Shh/* alerts only on the named computers that have the fixed IDEs
    UPDATE dbo.Threats
    SET Outstanding = 0
    WHERE ThreatName LIKE N'Shh/%'
      AND ComputerID IN (
          SELECT ID FROM dbo.Computers
          WHERE Managed = 1
            AND IDEList LIKE N'%javab-jd%'
            AND IDEList LIKE N'%bank-fqg%'
            AND Name IN ( 'computer1', 'computer2' )
      )
    GO

    -- Refresh the last outstanding threat pointer for the same computers
    UPDATE dbo.ComputersAndDeletedComputers
    SET LastThreatInstanceID = dbo.ComputerLastOutstandingThreatInstanceID( ID )
    WHERE ID IN (
          SELECT ID FROM dbo.Computers
          WHERE Managed = 1
            AND IDEList LIKE N'%javab-jd%'
            AND IDEList LIKE N'%bank-fqg%'
            AND Name IN ( 'computer1', 'computer2' )
      )
    GO

    So in the above examples, the alerts will be cleared for computers in SEC that show up with the names computer1 and computer2 that have the fixed IDE and have had Shh/* alerts. You might assume if they have the fixed IDE that updating is working (but as the resolve script dropped that, it might not be a good test). Maybe also bring in an .ide name from the last 24 hours as well (a quick look suggests bank-fqg.ide could be used as above).

    So if you can convert your machine list into a comma-separated list with the entries in single quotes, you should be able to use that.

    Note, if you have multiple domains and therefore potentially multiple computers with the same name, you may need to bring the domain name into the query, but I would suggest this is unlikely.

    Regards,

    Jak

    :33343
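
The temp-table route mentioned at the start of the reply above, sketched as an added example (not code from the original reply or from the vendor). It uses only the tables and columns that appear in the reply's query; the file path and the `#FixedHosts` table name are assumptions, and the script ends in a rollback so the counts can be checked before anything is changed.

```sql
-- Added example. Assumption: C:\Temp\fixed_hosts.txt (hypothetical path, readable by
-- the SQL Server service account) holds one fixed hostname per line.
-- COLLATE DATABASE_DEFAULT avoids a collation conflict between tempdb and the SEC database.
CREATE TABLE #FixedHosts (Name NVARCHAR(255) COLLATE DATABASE_DEFAULT NOT NULL);

BULK INSERT #FixedHosts
FROM 'C:\Temp\fixed_hosts.txt'
WITH (ROWTERMINATOR = '\n');

-- Strip stray carriage returns and padding, then drop blank lines.
UPDATE #FixedHosts SET Name = LTRIM(RTRIM(REPLACE(Name, CHAR(13), '')));
DELETE FROM #FixedHosts WHERE Name = '';

-- Hostnames in the file that match no managed computer with the fixed IDEs.
-- These will NOT be acknowledged, so review them (typos, still-broken clients) first.
SELECT f.Name AS UnmatchedHost
FROM #FixedHosts AS f
WHERE NOT EXISTS (
    SELECT 1 FROM dbo.Computers AS c
    WHERE c.Name = f.Name
      AND c.Managed = 1
      AND c.IDEList LIKE N'%javab-jd%'
      AND c.IDEList LIKE N'%bank-fqg%'
);

BEGIN TRANSACTION;

-- Same two statements as in the reply, with the literal name list replaced by the temp table.
UPDATE dbo.Threats
SET Outstanding = 0
WHERE ThreatName LIKE N'Shh/%'
  AND ComputerID IN (
      SELECT c.ID FROM dbo.Computers AS c
      WHERE c.Managed = 1
        AND c.IDEList LIKE N'%javab-jd%' AND c.IDEList LIKE N'%bank-fqg%'
        AND c.Name IN (SELECT Name FROM #FixedHosts)
  );
SELECT @@ROWCOUNT AS AlertsAcknowledged;

UPDATE dbo.ComputersAndDeletedComputers
SET LastThreatInstanceID = dbo.ComputerLastOutstandingThreatInstanceID( ID )
WHERE ID IN (
      SELECT c.ID FROM dbo.Computers AS c
      WHERE c.Managed = 1
        AND c.IDEList LIKE N'%javab-jd%' AND c.IDEList LIKE N'%bank-fqg%'
        AND c.Name IN (SELECT Name FROM #FixedHosts)
  );

ROLLBACK TRANSACTION;  -- dry run; change to COMMIT TRANSACTION once the counts look right
DROP TABLE #FixedHosts;
```

Loading the list with `BULK INSERT` keeps the hostnames as data rather than pasted SQL text, so a name containing a quote cannot break or alter the statement.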