Stolen Laptop report

system · June 12, 2008, 8:57pm

(imported topic written by rdamours91)

Just wondering what is the best way to handle an alert from BigFix for a laptop that has gone missing/stolen.

Since I have the serial number and name that report from BigFix should I generated a scheduled report with relevence that looks for a match on the serial number and a report time of anytime since it was stolen? Not exactly sure of the relevence on the date portion.

As I have a relay in the dmz the theory is that if the client ever checks in again inside/outside our network I can get an alert and track it’s ip/network and report to the proper authorities or wipe it, etc.

BenKus · June 13, 2008, 1:48am

(imported comment written by BenKus)

Hey rdamours,

You can create an email alert as a scheduled activity in web reports… The trigger would be something like:

exists bes computer whose (name of it = “” AND last report time of it > “” as time)

For instance, it might look like this:

exists bes computer whose (name of it = “INFINITEMONKEYS” AND last report time of it > “12 Jun 2008 14:52:02 -0700” as time)

Let us know if you find it after it was stolen… That would be sort of exciting

Ben

system · June 13, 2008, 12:39pm

(imported comment written by rdamours91)

Once again you da man…

I’ll start testing tomorrow and will definately keep you in the loop.

system · June 17, 2008, 8:44pm

(imported comment written by SystemAdmin)

I’m always disappointed to find the my thieves are smart enough not to place the stolen laptop on the Internet. One of these days though - I’ll get an amateur . Good luck - let us know if you get one to report back in.

Mike

system · June 28, 2010, 9:29pm

(imported comment written by SystemAdmin)

Is there a way to do the same type of search for custom properties? I’m able to find core properties ie OS, DNS name, IP Address, etc. However, I can’t do the same type of search with custom properties, ie DPB MAC Address, SerialNumber, etc.

I’ve verified that the customer properties do exist in webreports via

http://forum.bigfix.com/viewtopic.php?id=1991 using

exists results (bes property “SerialNumber”, bes computers)

This is what I tested with no luck

(names of computers of it, value of it) of results (bes property “SerialNumber”, bes computers)

BenKus · June 29, 2010, 12:15am

(imported comment written by BenKus)

That should work… It is possible that not every agent has a SerialNumber returned so it might throw an error in that case… You can make a simple change and add “s” for “value” -> “values”, which effectively will remove the error and skip the computers that don’t have a SerialNumber returned.

Ben

system · June 29, 2010, 7:21pm

(imported comment written by SystemAdmin)

Thanks Ben

“values” brings in the names of the computers, but how would I look for a specific computer name?

For example, if I where looking for a computer with the custom value SerialNumber as 1234567

exists bes property “SerialNumber”, bes computers whose (name of it = “1234567” AND last report time of it > “12 Jun 2008 14:52:02 -0700” as time)

system · June 29, 2010, 9:28pm

(imported comment written by jessewk)

Try:

names of computers of (results (bes property “SerialNumber”, bes computers)) whose (exists value whose (it = “1234567”) of it)

system · June 30, 2010, 6:54pm

(imported comment written by SystemAdmin)

Thanks Jess,

This is what I have now

exists computer of (results (bes property “SerialNumber”, bes computers)) whose (exists value whose (it = “1234567”) of it)

However, I’m having a hard time adding

AND Last Report Time of it > “12 Jun 2008 14:52:02 -0700” as time

When I check

exists computer of (results (bes property “SerialNumber”, bes computers)) whose (exists value whose (it = “1234567”) of it) AND Last Report Time of it > “12 Jun 2008 14:52:02 -0700” as time

I get the error “It” used outside of “whose” clause.

system · June 30, 2010, 9:09pm

(imported comment written by jessewk)

Try this:

exists computer whose ( last report time of it > “12 Jun 2008 14:52:02 -0700” as time) of (results (bes property “SerialNumber”, bes computers)) whose (exists value whose (it = “1234567”) of it)

system · July 1, 2010, 12:00am

(imported comment written by SystemAdmin)

Jess,

Looks like you got it. My only issue, which I can live with, is that the actual last time reported is 12 Jun 2008 14:52:02 -0700

If I use

last report time of it > “13 Jun 2008 14:52:02 -0700” as time

I get true

If I use 14 and above I get false

last report time of it > “14 Jun 2008 14:52:02 -0700” as time

Small detail because as long as it checks in anytime after the 14 it will generate a report.

Thank you so much

system · July 1, 2010, 1:20am

(imported comment written by SystemAdmin)

Never mind… Web reports shows one time while the console is showing another