Configure Dashboard and Queries

Dashboards and queries provide various types of status information about your environment. Each product in the Complete Endpoint Protection Business suite has predefined queries that you can run individually. Often the queries cover recent events, such as detections in the last 24 hours or 7 days, or they might provide trending information over time. ePolicy Orchestrator also includes several predefined dashboards. A dashboard is made up of multiple queries or other objects. Several active dashboards are available for viewing by default, and you can also create custom dashboards and queries, building dashboards from the default queries or from ones that you create. In the sections below, we will examine some of the default dashboards and queries, create a custom query, and create a custom dashboard.


Install Requirements
Read the introduction to ePO and deploy the McAfee Agent prior to setting up dashboards or queries.

Dashboard Overview
While there may not yet be much event data to report, this is a good opportunity to examine some of the default dashboards and understand how they are created.

  1. Click the Dashboards button on the favorites bar.
  2. From the Dashboard drop-down, choose VSE: Current Detections. This dashboard breaks down various types of detections made by VirusScan Enterprise, specifically viruses, spyware, and other unwanted programs for the last 24 hours and last 7 days. You likely don’t have any detections showing yet, but now you know where to find that data. (To test and generate immediate detections, you can use the well-known anti-virus test file EICAR.COM from http://www.eicar.org.)
  3. From the Dashboard drop-down, choose Host IPS: Signatures Triggered. Elements of this dashboard will be helpful when tuning Host IPS. It provides a breakdown of triggered signatures by severity for both workstations and servers.
  4. From the Dashboard drop-down, under Public Dashboards, choose ePO Summary.

Query Overview
In this section we will run a predefined query and view the results.

  1. Click the Queries & Reports button on the favorites bar.
  2. Expand the Shared Groups on the left. Each group contains a number of predefined queries.
  3. Highlight the VirusScan Enterprise group.
  4. Scroll down the alphabetical list of queries, locate VSE: DAT Deployment, and click Run at the far right. Assuming VirusScan has been installed and has performed its initial DAT (signature) update, you will see a pie chart. If all test systems are running the same DAT, the pie chart will display only one color. However, this is an important query to watch going forward, so you will know at a glance if all your clients are current on their virus signatures.
  5. Click Close. We will revisit this query later.

Creating a Custom Query
ePolicy Orchestrator also provides a wizard allowing you to create custom queries, which can also be used in a dashboard. In this section, you will create a more advanced query that displays both the version and patch level of VirusScan installations, broken down by servers and workstations. The resulting data will be from systems that have polled the server and reported their current status.

  1. Click the Queries & Reports button on the favorites bar.
  2. At the bottom of the page, click New.
  3. Make sure System Management is highlighted on the left, select Managed Systems under Result Types, and then click Next.
  4. Select Stacked Bar Chart on the left, under Display Results As.
  5. For Stack Labels Are, scroll down and select Product Version (VirusScan Enterprise) under VirusScan Enterprise Properties.
  6. For Bar Labels Are, scroll down and select Hotfix/Patch Version (VirusScan Enterprise) under VirusScan Enterprise Properties, and then click Next.
  7. Under Available Columns on the left, click the arrow next to IP Address under Computer Properties to add it to the column list on the right, and then click Next.
  8. On the Filter page, click Run. Your results will appear homogeneous, as all your test machines are running the same version and patch level of VirusScan. As future product patches are released, it is helpful to be able to report on any unpatched systems. This report will provide that visibility at a glance, as well as display any systems where VirusScan is not installed.
  9. Click Save.
  10. On the Save Query page, provide a name for the query, such as VSE: Version w\Patch Level.
  11. Select VirusScan Enterprise from the Existing Group drop-down, then click Save.

Your new query is now listed alphabetically in the VirusScan query group. You can run this query at any time or use it in a dashboard.

Here’s the output of this sample query, showing several systems running different versions of VirusScan. The green bars show workstations and servers running VirusScan 8.8 with no patch. The blue areas indicate workstations and servers with VirusScan 8.7 with Patch 4, while the yellow section shows three workstations running VirusScan 8.7 with only Patch 3.

Drilling down on the yellow section provides details regarding those specific systems still running VSE 8.7 with Patch 3. As mentioned, new product patches and product versions can be deployed using ePolicy Orchestrator. This sample query is provided to give you an idea of the level of detail available for reporting. Note that it is not necessary to upgrade the version of ePolicy Orchestrator in order to upgrade client versions.
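The same breakdown and drill-down can be reproduced offline from exported query results. The following is an added example, not McAfee code: the CSV column names, the sample rows, and the `baseline` parameter are assumptions made for illustration, and a real ePO export may use different headers.

```python
import csv
import io
from collections import Counter

# Constructed sample standing in for exported query results.
# Column names are assumptions, not ePO's actual export headers.
SAMPLE_CSV = """\
ip_address,product_version,patch_version
192.0.2.11,8.8,
192.0.2.12,8.8,
192.0.2.13,8.8,
192.0.2.21,8.7,4
192.0.2.22,8.7,4
192.0.2.31,8.7,3
192.0.2.32,8.7,3
192.0.2.33,8.7,3
192.0.2.41,,
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def parse_level(row):
    """Return ((major, minor, ...), patch), or None if VirusScan is not reported."""
    version = (row.get("product_version") or "").strip()
    patch = (row.get("patch_version") or "").strip()
    if not version:
        return None
    return (tuple(int(p) for p in version.split(".")), int(patch) if patch else 0)

def breakdown(rows):
    """Count systems per version/patch pair, as the stacked bar chart does."""
    counts = Counter()
    for row in rows:
        level = parse_level(row)
        if level is None:
            counts["not installed"] += 1
        else:
            counts[f"{'.'.join(map(str, level[0]))} patch {level[1]}"] += 1
    return counts

def needs_attention(rows, baseline):
    """List IPs below the baseline (hypothetical policy value) or without VirusScan."""
    return [row["ip_address"] for row in rows
            if parse_level(row) is None or parse_level(row) < baseline]

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(dict(breakdown(rows)))
    print(needs_attention(rows, baseline=((8, 7), 4)))
```

The comparison treats a newer product version with no patch as above an older version with a patch; adjust the baseline if your patch policy differs.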

Creating a Custom Dashboard
In this section you will create a new dashboard utilizing the query just created along with some other useful default queries.

  1. Click the Dashboards button on the favorites bar.
  2. Click the Dashboard Actions drop-down and choose New.
  3. Provide a name for the dashboard, such as Endpoint Status, select Public for Dashboard Visibility, and then click OK.
  4. You are then presented with a blank dashboard. Click the Add Monitor button.
  5. Use the arrows to scroll through the Monitor Gallery toolbar above and locate Queries. Drag the Queries object down onto the blank dashboard.
  6. In the New Monitor box that appears, select your new query VSE: Version w\Patch Level under Shared Groups-VirusScan Enterprise, and then click OK.
  7. Repeat this process by again dragging the Queries object to a gray area either below or to the side of the first monitor. Note that the box is shaded as you drag it. It will state “Monitor will not fit here” if you attempt to place it on top of another monitor.

    Choose the query titled VSE: DAT Deployment. Note the monitors will resize themselves automatically. Repeat this process adding two additional queries: Host IPS: Desktop High Triggered Signatures and Host IPS: Desktop Medium Triggered Signatures. You can add additional monitors as desired, but note the more monitors you add, the smaller they will appear on the dashboard. Optionally, you may choose to create distinct dashboards per product showing the installation count, update status, and recent detections for VirusScan, and a similar, separate dashboard for Host IPS.

  8. Click Save in the upper right corner, and then click Close in the upper left to return to the main Dashboards page.
  9. From the Dashboard drop-down, you can now choose your VirusScan Status dashboard, listed under Private Dashboards. It is only visible under your login. By clicking the Dashboard Actions drop-down and choosing Edit, you can make your dashboard Public and, therefore, usable by other users of ePolicy Orchestrator.
