How to pull events for a computer device from the DAS database via hostname with a SQL Query

• App Control Server: 7.x and Higher
• SQL Server: All Supported Versions

1. Open the SQL Server Management Software (SSMS) 
2. Connect to the DAS database
3. Open a new query for the DAS database
4. Use the following query to pull the events:

select ev.ReceivedTimestamp,
        ev.Timestamp,
        ev.Severity,
        ev.Type,
        ev.Subtype,
        ev.Description,
        c.Computer as 'Source',
        ev.IP_Address,
        ev.User_Name,
        ev.File_Name,
        fc.Sha256 as 'File Hash',
        ev.Process,
        ev.Rule_Name, 
        ev.Ban_Name
from bit9_public.ExEvents ev
join bit9_public.ExComputers c on ev.Computer_Id = c.Computer_Id join bit9_public.ExFileCatalog fc on ev.File_Catalog_Id = fc.File_Catalog_Id 
where c.Computer like '%hostname%'

• To pull a specific date range, change the "where" statement to the following:

where c.Computer like '%hostname%' and (ev.ReceivedTimestamp >= dateadd(day,datediff(day,1,GETDATE()),0) and ev.ReceivedTimestamp < dateadd(day,datediff(day,0,GETDATE()),0))

• By default, the date range setting above limits events to the previous 24 hours. To adjust the timeframe, change the "1" to the number of days back you want (i.e. 30 for a month) and adjust the "0" to the most recent date you want (the current setting of 0 will set it for the date the query is run).