
epolicy error select permission denied

Question asked by Anas Bdeir on May 22, 2017
Latest reply on May 22, 2017 by Anas Bdeir

Hi, 

 

Suddenly ePolicy Orchestrator stopped sending logs. After investigation, the connection is available, but the queries fail with "SELECT permission denied". No changes have been made on the NetWitness side or the database side.

 

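The error logs are as follows (all four entries end with the same SQL Server error: SELECT permission denied on the object 'EPOEvents' or 'OrionAuditLog' in database 'ePO4_RY1EPO01', schema 'dbo'):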

 

[1]

[epolicyvirus4_5.epolicy] [processing] [epolicy] [processing] Data query failed; dataQuery: /* BEGIN SQL QUERY FOR ANTI VIRUS EVENTS */ SELECT [EPOEvents].[AutoID], [EPOEvents].[ServerID], [EPOEvents].[ReceivedUTC], [EPOEvents].[DetectedUTC], [EPOEvents].[Analyzer], [EPOEvents].[AnalyzerName], [EPOEvents].[AnalyzerVersion], [EPOEvents].[AnalyzerHostName], [AnalyzerIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),4,1))) ), [EPOEvents].[AnalyzerDATVersion], [EPOEvents].[AnalyzerEngineVersion], [EPOEvents].[AnalyzerDetectionMethod], [EPOEvents].[SourceHostName], [SourceIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ), [EPOEvents].[TargetHostName], [TargetIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 
2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),4,1))) ), [EPOEvents].[TargetUserName], [EPOEvents].[TargetPort], [EPOEvents].[TargetProtocol], [EPOEvents].[TargetProcessName], [EPOEvents].[TargetFileName], [EPOEvents].[ThreatCategory], [EPOEvents].[ThreatEventID], [EPOEvents].[ThreatSeverity], [EPOEvents].[ThreatName], [EPOEvents].[ThreatType], [EPOEvents].[ThreatActionTaken], [EPOEvents].[ThreatHandled] FROM EPOEvents WHERE Analyzer LIKE '%VIRUS%' /* END SQL QUERY FOR ANTI VIRUS EVENTS */ /* BEGIN TRACKING CLAUSE FOR ANTI VIRUS EVENTS */ AND ReceivedUTC > '2017-05-04 05:28:54.153' ORDER BY ReceivedUTC ASC /* END TRACKING CLAUSE FOR ANTI VIRUS EVENTS */, exception Unable to execute statement: Statement: "/* BEGIN SQL QUERY FOR ANTI VIRUS EVENTS */ SELECT [EPOEvents].[AutoID], [EPOEvents].[ServerID], [EPOEvents].[ReceivedUTC], [EPOEvents].[DetectedUTC], [EPOEvents].[Analyzer], [EPOEvents].[AnalyzerName], [EPOEvents].[AnalyzerVersion], [EPOEvents].[AnalyzerHostName], [AnalyzerIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),4,1))) ), [EPOEvents].[AnalyzerDATVersion], [EPOEvents].[AnalyzerEngineVersion], [EPOEvents].[AnalyzerDetectionMethod], [EPOEvents].[SourceHostName], [SourceIPV4] = ( 
convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ), [EPOEvents].[TargetHostName], [TargetIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),4,1))) ), [EPOEvents].[TargetUserName], [EPOEvents].[TargetPort], [EPOEvents].[TargetProtocol], [EPOEvents].[TargetProcessName], [EPOEvents].[TargetFileName], [EPOEvents].[ThreatCategory], [EPOEvents].[ThreatEventID], [EPOEvents].[ThreatSeverity], [EPOEvents].[ThreatName], [EPOEvents].[ThreatType], [EPOEvents].[ThreatActionTaken], [EPOEvents].[ThreatHandled] FROM EPOEvents WHERE Analyzer LIKE '%VIRUS%' /* END SQL QUERY FOR ANTI VIRUS EVENTS */ /* BEGIN TRACKING CLAUSE FOR ANTI VIRUS EVENTS */ AND ReceivedUTC > '2017-05-04 05:28:54.153' ORDER BY ReceivedUTC ASC /* END TRACKING CLAUSE FOR ANTI VIRUS EVENTS */"; Reason: state: 51; error-code: 139732466008293; description: [RSA][ODBC 20101 driver][Microsoft SQL Server]The SELECT permission was denied on the object 'EPOEvents', database 'ePO4_RY1EPO01', schema 'dbo'.

 

 

 

[2]

 

[epolicyvirus4_5.epolicy] [processing] [epolicy] [processing] Error finding any new events.  Reason: Unable to execute statement: Statement: "/* BEGIN SQL QUERY FOR ANTI VIRUS EVENTS */ SELECT [EPOEvents].[AutoID], [EPOEvents].[ServerID], [EPOEvents].[ReceivedUTC], [EPOEvents].[DetectedUTC], [EPOEvents].[Analyzer], [EPOEvents].[AnalyzerName], [EPOEvents].[AnalyzerVersion], [EPOEvents].[AnalyzerHostName], [AnalyzerIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),4,1))) ), [EPOEvents].[AnalyzerDATVersion], [EPOEvents].[AnalyzerEngineVersion], [EPOEvents].[AnalyzerDetectionMethod], [EPOEvents].[SourceHostName], [SourceIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ), [EPOEvents].[TargetHostName], [TargetIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 
2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),4,1))) ), [EPOEvents].[TargetUserName], [EPOEvents].[TargetPort], [EPOEvents].[TargetProtocol], [EPOEvents].[TargetProcessName], [EPOEvents].[TargetFileName], [EPOEvents].[ThreatCategory], [EPOEvents].[ThreatEventID], [EPOEvents].[ThreatSeverity], [EPOEvents].[ThreatName], [EPOEvents].[ThreatType], [EPOEvents].[ThreatActionTaken], [EPOEvents].[ThreatHandled] FROM EPOEvents WHERE Analyzer LIKE '%VIRUS%' /* END SQL QUERY FOR ANTI VIRUS EVENTS */ /* BEGIN TRACKING CLAUSE FOR ANTI VIRUS EVENTS */ AND ReceivedUTC > '2017-05-04 05:28:54.153' ORDER BY ReceivedUTC ASC /* END TRACKING CLAUSE FOR ANTI VIRUS EVENTS */"; Reason: state: 51; error-code: 139732466008293; description: [RSA][ODBC 20101 driver][Microsoft SQL Server]The SELECT permission was denied on the object 'EPOEvents', database 'ePO4_RY1EPO01', schema 'dbo'.

 

 

[3]

[epolicy4_5.epolicy] [processing] [epolicy] [processing] Error finding any new events.  Reason: Unable to execute statement: Statement: "/* BEGIN SQL QUERY FOR AUDIT EVENTS */ SELECT [OrionAuditLog].[AutoId], [OrionAuditLog].[UserId], [OrionAuditLog].[UserName], [OrionAuditLog].[Priority], [OrionAuditLog].[CmdName], [OrionAuditLog].[Message], [OrionAuditLog].[Success], [OrionAuditLog].[StartTime], [OrionAuditLog].[EndTime] FROM [OrionAuditLog] /* END SQL QUERY FOR AUDIT EVENTS */ /* BEGIN TRACKING CLAUSE FOR AUDIT EVENTS */ WHERE StartTime> '2017-05-04 05:34:07.837' ORDER BY StartTime ASC /* END TRACKING CLAUSE FOR AUDIT EVENTS */"; Reason: state: 51; error-code: 139732466008293; description: [RSA][ODBC 20101 driver][Microsoft SQL Server]The SELECT permission was denied on the object 'OrionAuditLog', database 'ePO4_RY1EPO01', schema 'dbo'.

 

 

[4]

[epolicy4_5.epolicy] [processing] [epolicy] [processing] Data query failed; dataQuery: /* BEGIN SQL QUERY FOR AUDIT EVENTS */ SELECT [OrionAuditLog].[AutoId], [OrionAuditLog].[UserId], [OrionAuditLog].[UserName], [OrionAuditLog].[Priority], [OrionAuditLog].[CmdName], [OrionAuditLog].[Message], [OrionAuditLog].[Success], [OrionAuditLog].[StartTime], [OrionAuditLog].[EndTime] FROM [OrionAuditLog] /* END SQL QUERY FOR AUDIT EVENTS */ /* BEGIN TRACKING CLAUSE FOR AUDIT EVENTS */ WHERE StartTime> '2017-05-04 05:34:07.837' ORDER BY StartTime ASC /* END TRACKING CLAUSE FOR AUDIT EVENTS */, exception Unable to execute statement: Statement: "/* BEGIN SQL QUERY FOR AUDIT EVENTS */ SELECT [OrionAuditLog].[AutoId], [OrionAuditLog].[UserId], [OrionAuditLog].[UserName], [OrionAuditLog].[Priority], [OrionAuditLog].[CmdName], [OrionAuditLog].[Message], [OrionAuditLog].[Success], [OrionAuditLog].[StartTime], [OrionAuditLog].[EndTime] FROM [OrionAuditLog] /* END SQL QUERY FOR AUDIT EVENTS */ /* BEGIN TRACKING CLAUSE FOR AUDIT EVENTS */ WHERE StartTime> '2017-05-04 05:34:07.837' ORDER BY StartTime ASC /* END TRACKING CLAUSE FOR AUDIT EVENTS */"; Reason: state: 51; error-code: 139732466008293; description: [RSA][ODBC 20101 driver][Microsoft SQL Server]The SELECT permission was denied on the object 'OrionAuditLog', database 'ePO4_RY1EPO01', schema 'dbo'
