McAfee Solidcore Change Reconciliation and Ticket-based Enforcement

Transcription

1 Change Reconciliation and Ticket-based Enforcement

2 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2

3 Contents Introducing change reconciliation and ticket-based enforcement About this guide Extension documentation Installing and configuring the integration server Installing the integration server Configuring the integration server Entering the change reconciliation license and enabling ticket-based enforcement Adding the integration server Uninstalling the integration server Using change reconciliation Prerequisites Reconciliation best practices Understanding reconciliation events Scheduling reconciliation Reviewing reconciliation logs Managing reconciliation results Reviewing authorized or reconciled events Approving unauthorized events Working with unresolved events Using queries Using ticket-based enforcement Using queries

4 Introducing change reconciliation and ticket-based enforcement McAfee Change Reconciliation creates a comprehensive list of the changes carried out on all monitored systems and correlates the events with change tickets. It maps changes in the system with respective tickets that a change management system (CMS) generates and flags ad-hoc changes. It helps in providing an evidence trail for the changes made, verifying that approved changes are deployed, and identifying unauthorized or unticketed changes. NOTE: If you are using reconciliation with Solidcore Extension (version or older) and upgrade to Solidcore Extension 5.1.2, you cannot access the older reconciliation data. Using ticket-based enforcement, you can ensure seamless system updates without any manual intervention. Once integrated with a CMS, changes to a system are permitted only when a ticket is approved in the ticketing system. This enforces the change process and prevents unapproved changes. When a ticket is approved, the required systems are put in update mode. After the changes are made, the systems are removed from update mode. Contents About this guide Extension documentation About this guide This guide describes how to implement change reconciliation and ticket-based enforcement with BMC Remedy Action Request System version 7.5 or 7.6 and epolicy Orchestrator (epo) version 4.5 or 4.6. To use this guide effectively, you must be familiar with BMC Remedy and epolicy Orchestrator. For more information, see the BMC Remedy and epolicy Orchestrator product documentation. Extension documentation To access the documentation for the Extension products, use the McAfee ServicePortal. 1 Navigate to the McAfee ServicePortal ( 2 Click Read Product Documentation under Self Service. 3 Select the Product. 4 Select a Version. 5 Select a product document. 4

5 Installing and configuring the integration server Before you can reconcile events or use ticket-based enforcement, you must install and configure the integration server. The integration server allows communication between epo and the ticketing system. To complete configuration, you must enter the required licenses, enable ticket-based enforcement (optionally), and add the integration server details to epo. Contents Installing the integration server Configuring the integration server Entering the change reconciliation license and enabling ticket-based enforcement Adding the integration server Uninstalling the integration server Installing the integration server Use this procedure to install the integration server. 1 Download the solidcoreintegrationserver.zip file from the McAfee download site. 2 Navigate to the epo server installation directory. By default, the epo server is installed in the C:\Program Files\McAfee directory on 32-bit systems and C:\Program Files (x86)\mcafee directory on 64-bit systems. 3 Unzip the zip file to install the integration server. The solidcoreintegrationserver directory is created in the installation directory. The solidcoreintegrationserver directory contains the following directories: Directory bin conf connector lib logs Description Contains the core binary files. Serves as the configuration store for the integration server. Contains the.properties file for the integration server. Contains the files for the connector. Contains the shared libraries. Stores the log files. NOTE: By default, the integration server listens for requests on port If port 1099 is being used in your setup, you can configure the integration server port. To edit the port setting, navigate to the <install directory>\solidcoreintegrationserver\conf directory and edit the value for the rmiserverport parameter in the integrationserver.properties file. 5

6 Installing and configuring the integration server Configuring the integration server 4 Open command Prompt. 5 Navigate to the <install directory>\solidcoreintegrationserver\bin directory. 6 Execute the Install-IntegrationServer.bat file. This installs the integration server. 7 Execute the Start-IntegrationServer.bat file. This starts the integration server. Configuring the integration server Preconfigured connectors are available to help you quickly configure and work with BMC Remedy versions 7.5 and 7.6. To configure the existing connector or use other change management systems, contact McAfee Support ( or +1(408) ). A McAfee representative will help you configure and fine tune the connector. Use this procedure to complete the connector configuration. 1 Open a command window. 2 Navigate to the <install dir>\solidcoreintegrationserver\bin directory. 3 Execute the testconnector.bat file to check the configuration and connection to the ticketing system. testconnector.bat <int server host> <port> <tkt host> <user ID> <password> In the syntax: int server host - Represents the host name or IP address of the integration server. port - Denotes the port on which the integration server is listening. By default, port 1099 is used. tkt host - Represents the host name or IP address of the ticketing system server. user ID - Denotes a valid user name on the ticketing system. password - Represents the password for the ticketing system user. 4 Review the IS-Server.log (in the solidcoreintegrationserver\logs directory) and reconconnector.log (in the solidcoreintegrationserver\bin directory) files and fix any errors you encounter. The IS-Server.log file contains information on the integration server and connector operations and the reconconnector.log file contains information on the testconnector.bat operations. Entering the change reconciliation license and enabling ticket-based enforcement Use this procedure to provide valid license keys for Change Control and Reconciliation and enable ticket-based enforcement. 1 Select Menu Configuration Server Settings from the 4.5 or 4.6 epo console. 2 Select Solidcore from the Settings Categories list. 3 Click Edit. The Edit Solidcore page appears. 6

7 Installing and configuring the integration server Adding the integration server 4 Enter the keys in the Change Control and Reconciliation fields. 5 Select Yes to enable ticket-based enforcement. 6 Enter the time interval (in seconds) between consecutive requests to poll the CMS. 7 Click Save. Adding the integration server Use this task to add the integration server as a registered server to the epo. 1 Select Menu Configuration Registered Servers from the 4.5 or 4.6 epo console. 2 Click New Server. 3 Select Solidcore Integration Server as the server type. 4 Enter a name for the registered server. 5 Click Next. 7

8 Installing and configuring the integration server Uninstalling the integration server The Details page appears. 6 Specify the host name and port for the integration server. 7 Enter the host name, user name, and password for the ticketing system. 8 Click Test connection. The application uses the specified details to connect to the integration server which in turn connects to the ticketing system. It also validates the user credentials and privileges for the ticketing system. 9 Click Save. Uninstalling the integration server Use this procedure to uninstall the integration server. 1 Open a command window. 2 Navigate to the <install directory>\solidcoreintegrationserver\bin directory. 3 Run the Uninstall-IntegrationServer.bat file. This uninstalls the integration server. 4 Close the command window after the file executes. 5 Delete the solidcoreintegrationserver directory. 8

9 McAfee Change Reconciliation validates changes based on the actual start time and actual end time. You can also choose to validate changes based on optional parameters, such as the identifying hostname or username. Based on the connector configuration, after reconciliation, the ticket is updated with detailed information about the change, including the hostname and name of the user who made the change. During reconciliation, a subset of the tickets in the CMS are considered. Only closed tickets with an end time value greater than the oldest unreconciled event in epo database are reconciled. You can configure the reconciliation condition and define a different reconciliation condition for each CMS. Also, during reconciliation selected Integrity Monitor, Change Control, and Application Control events are considered. Review the Understanding Reconciliation Events section for a complete list of events considered for reconciliation. Here are some features of change reconciliation: Correlates system changes with change approval and ticketing systems. Helps confirm that the approved changes have been deployed. Identifies unapproved and unticketed changes (for example, emergency and malicious changes). Groups related changes and helps in easily documenting emergency or undocumented changes. Appends reconciliation summary to the work log of the tickets in the ticketing system (if configured). The epolicy Orchestrator (epo) server works in conjunction with a CMS to provide change reconciliation. The following figure depicts the various components involved in change reconciliation. Figure 1: Components involved in change reconciliation Here is an overview of the tasks you must complete to implement and use change reconciliation: 9

10 Prerequisites 1 Install the integration server (one-time task) 2 Enter the license key in epo (one-time task) 3 Configure and test the connector (one-time task) 4 Add the integration server to epo as a registered server (one-time task) 5 Run or schedule reconciliation (as needed) 6 Manage reconciliation results and run queries in epo (as needed) Contents Prerequisites Reconciliation best practices Understanding reconciliation events Scheduling reconciliation Reviewing reconciliation logs Using queries Prerequisites Before you can configure and use change reconciliation, you must: Ensure that epo 4.5 or 4.6 is installed and running. For more information on installing epo 4.5 or 4.6, refer to the epolicy Orchestrator 4.5 Installation Guide or epolicy Orchestrator 4.6 Installation Guide, respectively. Ensure that the Solidcore Extension version is installed on the epo. Procure valid licenses for Change Control and Reconciliation. Ensure that a change management or ticketing system is installed. You can integrate the epo with BMC Remedy Action Request System version 7.5 or 7.6. To configure epo with other change management systems, contact McAfee Support ( or +1(408) ). Reconciliation best practices Consider the following to ensure optimum performance levels for the reconciliation cycle. Schedule reconciliation at regular intervals. If you do not reconcile events regularly, the backlog of reconcilable events may become unmanageable. Take into account business requirements and volume of daily events to determine the reconciliation frequency. This is important even if you do not intend to use the results in a production operation right away. Configure filtering using Integrity Monitoring policy to monitor only critical registry entries and operating system and application files. Exclude unimportant files and registry entries to reduce the number of events generated. Consider that while the quality of filtering determines the number of events captured, the content to be filtered is determined by the user. Review reconciliation results and document or dismiss the un-reconciled events at regular intervals. This helps keep the un-reconciled events to a manageable number. 10

11 Understanding reconciliation events Follow the internal workflow and processing requirements as they relate to the CMS (that is, move change management tickets to the appropriate status in a timely manner) so that the reconciliation process is able to match events to CMS tickets accurately and timely. Understanding reconciliation events During reconciliation only selected Integrity Monitor, Change Control, and Application Control events are considered. Here are the various events that are considered during reconciliation. Type Integrity Monitor Events Event List ACL_MODIFIED ACL_MODIFIED_UPDATE FILE_ATTR_CLEAR FILE_ATTR_CLEAR_UPDATE FILE_ATTR_MODIFIED FILE_ATTR_MODIFIED_UPDATE FILE_ATTR_SET FILE_ATTR_SET_UPDATE FILE_CREATED FILE_CREATED_UPDATE FILE_DELETED FILE_DELETED_UPDATE FILE_MODIFIED FILE_MODIFIED_UPDATE FILE_RENAMED FILE_RENAMED_UPDATE OWNER_MODIFIED OWNER_MODIFIED_UPDATE STREAM_CREATED STREAM_DELETED STREAM_MODIFIED STREAM_ATTR_MODIFIED STREAM_CREATED_UPDATE STREAM_DELETED_UPDATE STREAM_MODIFIED_UPDATE STREAM_ATTR_MODIFIED_UPDATE STREAM_ATTR_SET STREAM_ATTR_CLEAR STREAM_ATTR_SET_UPDATE STREAM_ATTR_CLEAR_UPDATE REG_KEY_CREATED REG_KEY_CREATED_UPDATE REG_KEY_DELETED REG_KEY_DELETED_UPDATE REG_VALUE_DELETED REG_VALUE_DELETED_UPDATE REG_VALUE_MODIFIED REG_VALUE_MODIFIED_UPDATE 11

12 Scheduling reconciliation Type Application Control Events Common Events (Integrity Monitor, Change Control, and Application Control) Event List USER_ACCOUNT_CREATED USER_ACCOUNT_DELETED USER_ACCOUNT_MODIFIED FILE_RESOLIDIFIED FILE_SOLIDIFIED FILE_UNSOLIDIFIED PKG_MODIFICATION_ALLOWED_UPDATE ACTX_ALLOW_INSTALL BEGIN_UPDATE BOOTING_DISABLED BOOTING_DISABLED_SAFEMODE COMMAND_EXECUTED DISABLED_DEFERRED ENABLED_DEFERRED UPDATE_MODE_DEFERRED END_UPDATE BOOTING_DISABLED_INTERNAL_ERROR Scheduling reconciliation Use this procedure to schedule or run reconciliation. 1 Select Menu Automation Server Tasks from the 4.5 or 4.6 epo console. 2 Click New Task. The Server Task Builder page opens. 3 Enter the task name and description, and set Schedule status to Enabled. 4 Click Next. The Actions page appears. 5 Select Solidcore: Run Reconciliation from the Actions drop-down menu and click Next. 12

13 Reviewing reconciliation logs The Schedule page appears. 6 Schedule the task as needed and click Next. The Summary page appears. 7 Review and verify the details and click Save. If you need to generate reports on reconciled data, schedule or run queries after running reconciliation. Reviewing reconciliation logs Use this procedure to review the reconciliation logs. 1 Select Menu Reporting Solidcore Reconciliation from the 4.5 or 4.6 epo console. The Reconciliation Summary page appears. 2 Select Reconciliation Cycle Logs. 13

14 Managing reconciliation results The Reconciliation Cycle Logs page appears. The page includes one entry for each executed reconciliation cycle. 3 Specify the time window for which to view reconciliation logs by selecting a value for the Filter field. You can filter and view logs for the last week, month, quarter, or year. You can also choose not to filter the results and view all available logs by selecting the All option. 4 Click an entry to review the details. 5 Click Close. Managing reconciliation results After reconciliation is complete, you can view and manage reconciliation results from epo. The results can be grouped into the following categories: Event Category Reconciled events Description Events that match corresponding tickets in the change management system. If configured during connector configuration, the work logs of the reconciled tickets are updated with the reconciliation summary, including the name of the user who made the change, configuration item and hostname that changed, and time window during which the changes were made. One event can be mapped to only one ticket, whereas; one ticket may be associated with one or more events. 14

15 Managing reconciliation results Event Category Description The following figure displays updated change summary for an existing ticket. Unauthorized events Events that cannot be matched to any tickets in the change management system. To manage unauthorized events, review the unauthorized events and dismiss the events or create tickets in the change management system to associate with the events. NOTE: If an unauthorized event is not associated with a ticket within 20 days, its status is changed to Unauthorized Permanent. Once marked Unauthorized Permanent, the event appears in the unauthorized event list but is not considered for future reconciliation cycles. You can configure the time interval (20 days) after which events are marked Unauthorized Permanent. Unresolved events Events that match multiple tickets in the change management system. To manage unresolved events, select one ticket from the list of tickets matched with unresolved events. NOTE: The reconciliation summary is not updated after you purge the existing events. Contents Reviewing authorized or reconciled events Approving unauthorized events Working with unresolved events Reviewing authorized or reconciled events Use this task to review reconciled tickets and details of events matched with the tickets. 1 Select Menu Reporting Solidcore Reconciliation from the 4.5 or 4.6 epo console. 15

16 Managing reconciliation results The Reconciliation Summary page appears. 2 Select Reconciled Tickets. 16

17 Managing reconciliation results The Reconciled Tickets summary page appears. Reconciled tickets are tickets that are associated with the appropraite events after reconciliation. The page includes one entry for each reconciled ticket. 3 Specify the time window for which to view reconciled tickets by selecting a value for the Filter field. You can filter and view reconciled tickets for the last week, month, quarter, or year. You can also choose not to filter the results and view all available tickets by selecting the All option. 4 Select View Changes for a ticket. The Reconciled Changes page displays all events matched with the ticket. 5 Click a row to review details. 6 Click Close. Approving unauthorized events Use this procedure to approve unauthorized events by creating corresponding tickets in the change management system. 17

18 Managing reconciliation results 1 Select Menu Reporting Solidcore Reconciliation from the 4.5 or 4.6 epo console. The Reconciliation Summary page appears. 2 Select Systems with Unauthorized Changes. 18

19 Managing reconciliation results All the systems with unauthorized events are listed. Also, for each system, the Unauthorized Changes field indicates the number of unauthorized changes. 3 Specify the time window for which to view the systems with unauthorized changes by selecting a value for the Filter field. You can filter and view the systems with unauthorized changes for the last week, month, quarter, or year. You can also choose not to filter the results and view all systems with unauthorized changes by selecting the All option. 4 Click the link for the number of unauthorized changes for a system. The Unauthorized Changes page lists all unauthorized events for the selected system. 5 Select one or more events and perform one of the following actions: 19

20 Managing reconciliation results Document the events To associate a ticket with the selected events: 1 Click Actions Document. The Document Changes dialog box appears. 2 Enter the ticket summary and description. 3 Click OK. A ticket is successfully created for the reconciliation records. Based on your connector configuration, a corresponding ticket may or may not be created in the ticketing system. Dismiss the events To ignore the selected events and not consider them for future reconciliation cycles: 1 Click Actions Dismiss Changes. The Dismiss Changes message appears. 2 Click Yes. 6 Click Close. Working with unresolved events Use this procedure to manage unresolved events by associating them with the appropriate tickets in the change management system. 1 Select Menu Reporting Solidcore Reconciliation from the 4.5 or 4.6 epo console. 20

21 Managing reconciliation results The Reconciliation Summary page appears. 2 Select Systems with changes matching to multiple Tickets. All the systems with unresolved events are listed. 3 Select View Changes for a system. 21

22 Using queries The Changes that match multiple Tickets page lists all unresolved events for the selected system. 4 Select one or more events. 5 Click Actions Resolve changes. The Resolve changes dialog box appears. All tickets that can be mapped to the selected events are listed. 6 Select the ticket to associate with the events. 7 Click OK. The selected events are matched with the specified ticket. Also, based on the connector configuration, the ticketing system is updated. 8 Click Close. Using queries From the epolicy Orchestrator console, you can run queries based on reconciliation data. Queries are configurable objects that retrieve and display data from the database. The results of queries are displayed in charts and tables. For more informtaion on queries, refer to Product Guide and McAfee epolicy Orchestrator Product Guide.The following reconciliation-related queries are available in epo: 22

23 Using queries Query Solidcore: Change Events grouped by Reconciliation Status in the Last 1 Month Solidcore: Change Events grouped by Reconciliation Status in the Last 7 Days Description Displays a pie chart of events that occurred in the last one month. The chart sorts events based on the reconciliation status. Reconciled changes are shown as authorized and un-reconciled events are shown as unauthorized. Displays a pie chart of events that occurred in the last seven days. The chart sorts events based on the reconciliation status. Reconciled changes are shown as authorized and un-reconciled events are shown as unauthorized. Solidcore: Reconciled Change Events grouped by Tickets in the Last 1 Month Solidcore: Reconciled Change Events grouped by Tickets in the Last 7 Days Lists change tickets against which events have been reconciled in the last one month. Lists change tickets against which events have been reconciled in the last seven days. Solidcore: Ticket Manifest Deviation (All Change Events per Object like File or Registry) Solidcore: Ticket Manifest Deviation (Only Unique Change Events per Object like File or Registry) Compares all change events for an object associated with a Production ticket with the all change events for the same object associated with a Staging ticket. For example, all file modified events for a file on the Staging server are considered and compared with all file modified events for the same file on the Production server. Compares only unique change events for an object associated with a Production ticket with all the unique change events for the same object associated with a Staging ticket. For example, multiple file modified events for a file on the Staging server are combined and considered as a single file modified event and compared to a single file modified event (multiple events are again combined) for the same file on the Production server. Use this procedure to run a query. 1 Select Menu Reporting Queries from the 4.5 or 4.6 epo console. 2 Select Solidcore in the groups list. 3 Select a query. 4 Perform on of the following tasks: Click Edit if you are running one of the Ticket Manifest Deviation queries. The Query Builder wizard appears. Click Next two times to navigate to the Filter page of the wizard. Specify the Production Server Ticket value and click Run. NOTE: If you choose to save an edited Ticket Manifest Deviation query, ensure that you save the query with a different name. Click Run to run any other report. The query results page appears. Drill down into the report and take actions on items, as needed. The reports generated for the Ticket Manifest Deviation queries organize the results into the following categories: Changes In Manifest: Lists the ticket-specific changes present on both the Production server and Staging server. Changes Not From Manifest: Lists the ticket-specific changes that are present on the Staging server but not present on the Production server. Changes Not In manifest: Lists the ticket-specific changes that are present on the Production server but not on the Staging server. 5 Click Close when finished. 23

24 Using ticket-based enforcement While McAfee Application Control prevents execution of unauthorized or new binaries on a system, Mcafee Change Control prevents modification of protected files by any unauthorized user or binary. Only when an Update window is open on a protected system can new binaries be executed and protected files modified. Ticket-based enforcement integrates McAfee Application Control and McAfee Change Control with an existing change management system. Based on tickets created in the ticketing system, Update windows are opened on the needed protected systems thus streamlining and automating the change management process. Implementing ticket-based enforcement reduces system outages and improves uptime by allowing only approved changes to be made to the systems. It helps in simplifies compliance reporting. To configure ticket-based enforcement with BMC Remedy versions 7.5 and 7.6 or other change management systems, contact McAfee Support ( or +1(408) ). After you configure ticket-based enforcement, the application periodically checks the ticketing system for: Work-in-progress tickets - For a ticket in Implementation in progress status, the one or more systems referenced in the ticket are unlocked (put into Update mode.) to allow changes to be made to the hosts. The ticket work log is updated to list all systems that are put in Update mode. Completed tickets - For a ticket in Closed status or with an elapsed scheduled end date, the one or more systems referenced in the ticket are locked (put into Enabled mode) to ensure no further changes are allowed to the systems. The ticket work log is updated to list all systems that are put in Enabled mode. NOTE: By default, the afore-mentioned tickets are considered for ticket-based enforcement. When configuring the connector, you can specify the tickets that are considered for ticket-based enforcement. 24

25 Using ticket-based enforcement Using queries The epolicy Orchestrator (epo) server works in conjunction with a CMS to provide ticket-based enforcement. The following figure depicts the various components involved in ticket-based enforcement. Figure 2: Components involved in ticket-based enforcement Here is an overview of the tasks you must complete to implement and use ticket-based enforcement: 1 Install the integration server (one-time task) 2 Enter the license key in epo (one-time task) 3 Enable ticket-based enforcement (one-time task) 4 Configure and test the connector (one-time task) 5 Add the integration server to epo as a registered server (one-time task) 6 Use ticket-based enforcement (as needed) 7 Run queries in epo (as needed) Contents Using queries Using queries From the epolicy Orchestrator console, you can run queries based on enforcement data. Queries are configurable objects that retrieve and display data from the database. The results of queries are displayed in charts and tables. The following ticket-based enforcement queries are available in epo: Query Solidcore: History of Update Windows opened by TBE Solidcore: Systems in Update Window due to TBE Description Lists all systems that were in the update window in the past due to ticket-based enforcement. Lists all systems that are currently in the update window due to ticket-based enforcement. Use this procedure to run a query. 1 Select Menu Reporting Queries from the 4.5 or 4.6 epo console. 2 Select Solidcore in the groups list. 25

26 Using ticket-based enforcement Using queries 3 Select a query. 4 Click Run. The query results page appears. Drill down into the report and take actions on items, as needed. NOTE: The data used to generate the ticket-based enforcement reports is based on the actions taken at the epo console. The reports may not reflect the current end-point status in case of any issues, such as if hosts are down or network is down or slow. 5 Click Close when finished. 26