
Unexpected devices have been imported to SEC 550

Hi Everyone,

Somehow, accidentally or unintentionally, the machines and the devices were imported from Active Directory to SEC 550 by one of my colleagues. The additional numbers of 700+ are exceeded to SEC.

Looking for any script to quickly sort or manage and revert the console back to the right numbers. Unfortunately there's no backup for the DB. Please advise if there's any SQL script or any other script which can help me in this scenario.

Also, is there a way to find how and when the devices were added to SEC, and by which user?

Thanks in advance.

Regards

Faisal Raza 



This thread was automatically locked due to age.
  • Hi Faisal Raza1,

    If the import from AD put these additional machines in a different group, simply select this group to change your view in Enterprise Console, press Ctrl + A to select all computers, right click and delete them.


    An alternative option is to back up the SQL database and run this SQL query, modifying it to the date that these computers were unintentionally imported in:

    select Name, InsertedAt from dbo.computersanddeletedcomputers where InsertedAt >= '2019-05-22'

     

    Once verified these are the computers to delete, you can run the below SQL query to delete them:

    delete from dbo.computersanddeletedcomputers where InsertedAt >= '2019-05-22'

     

    Unfortunately there is no way to find out how and who added a computer into SEC.  These actions are not logged in the audit logs: https://docs.sophos.com/esg/enterprise-console/5-5/help/en-us/PDF/sec_audit.pdf

    If there are no other options, you can delete all the computers from Sophos Enterprise Console and have all the active machines automatically repopulate once endpoints send a heartbeat back to SEC. 
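
Added example, not part of the reply above and not Sophos' own tooling: the same date-based cleanup written as one T-SQL transaction for Microsoft SQL Server, with an upper bound on the date window so that computers registered after the import are left alone, and a row-count check before committing. The table and column names and the 700 figure come from the thread; the dates, the tolerance, the `datetime` column type and the holding-table name `dbo.ImportedComputers_Holding` are assumptions.

```sql
-- Added example (T-SQL). Names from the thread: dbo.computersanddeletedcomputers,
-- Name, InsertedAt. Everything marked "constructed" or "hypothetical" is an assumption.
SET XACT_ABORT ON;  -- any error (for example a constraint violation) rolls back the whole batch

DECLARE @ImportStart datetime = '2019-05-22';  -- constructed: first moment of the import day
DECLARE @ImportEnd   datetime = '2019-05-23';  -- constructed: exclusive upper bound
DECLARE @Expected    int = 700;                -- from the thread: roughly 700 extra devices
DECLARE @Tolerance   int = 50;                 -- constructed: accepted deviation
DECLARE @Deleted     int;

-- 1. Per-day insert counts: the accidental import shows up as a spike,
--    which confirms the window before anything is changed.
SELECT CAST(InsertedAt AS date) AS InsertedOn, COUNT(*) AS Computers
FROM dbo.computersanddeletedcomputers
GROUP BY CAST(InsertedAt AS date)
ORDER BY InsertedOn DESC;

BEGIN TRANSACTION;

-- 2. Copy the rows about to be removed into a holding table (hypothetical name)
--    so they can be inspected or restored later.
SELECT *
INTO dbo.ImportedComputers_Holding
FROM dbo.computersanddeletedcomputers
WHERE InsertedAt >= @ImportStart AND InsertedAt < @ImportEnd;

-- 3. Delete only the rows inside the window. An open-ended ">=" would also
--    remove every computer that registered legitimately after the import.
DELETE FROM dbo.computersanddeletedcomputers
WHERE InsertedAt >= @ImportStart AND InsertedAt < @ImportEnd;

SET @Deleted = @@ROWCOUNT;  -- must be read immediately after the DELETE

-- 4. Commit only when the number of removed rows is close to what was expected.
IF ABS(@Deleted - @Expected) <= @Tolerance
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Committed: removed ' + CAST(@Deleted AS varchar(12)) + ' rows.';
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;  -- also undoes the holding-table copy
    PRINT 'Rolled back: ' + CAST(@Deleted AS varchar(12)) + ' rows matched, expected about '
        + CAST(@Expected AS varchar(12)) + '.';
END
```

If the per-day summary shows the import spread over more than one day, adjust the window to cover exactly those days before running the transaction.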

  • Hello SJaramillo,

     

    Thanks for your quick reply and very informative feedback on my question. So if I delete all the machines from the SEC, will those automatically appear in SEC? I ask since I don't have Active Directory Synchronization enabled in our environment.

    Also, I would highly appreciate it if you can please help me with the best practice to maintain and manage the SEC and the endpoint client machines. I have several machines with different errors, such as Unknown or No status under the Update tab or in Computer Details as well.

    I will run the provided SQL query and the script once I am back to office and will update you.

     

    Thanks once again.

    Best Regards

    Faisal Raza

  • Hello SJaramillo,

     

    The incident happened almost 3 weeks ago and I was on vacation. Unfortunately we don't have a backup of the DB, so hopefully the provided SQL script will help me with the 3-weeks-older dates mentioned in the script.

    Thanks

    Regards

    Faisal  

  • Hi Faisal Raza,

    As long as the machines with Sophos Endpoint Protection installed can reach the Enterprise Console on ports 8192 and 8194, they will automatically re-appear in SEC.

    Do you have access to the machines with errors?  If you open up the Sophos Endpoint Interface, do these machines show as up to date or failed to update?

    If this shows as failed, click "View updating log" on the bottom right and let us know what errors come up.  Please also check C:\Program Files (x86)\Sophos\Sophos Anti-Virus\, sort by date modified and verify whether or not the latest IDE files are from today.  A copy of the latest C:\ProgramData\Sophos\AutoUpdate\Logs\ALUpdate*TIMESTAMP*.log file will also be helpful.

     

    As for machines showing with No status under the Update tab, can you provide a screenshot of this for us to better understand the issue?

  • Hello SJaramillo,

     

    Will the machines automatically reach the right OU, or will they appear again under the Unassigned OU so that I have to move them to the right OU? There are 2000+ machines in our SEC.

    Regarding the No Status of machines under the Update tab, do you want the screenshot from the SEC or from the client side?

     

    Best Regards

    Faisal Raza

     

     

  • Hello Faisal Raza,

    The machines will automatically repopulate themselves in the OU/group they were in previously prior to being deleted.

    A screenshot from both would be helpful.