minki
Level 9
Message 1 of 3

ESM - Track unresponsive queries

Hi,

We are facing an issue where from the ESM CLI we see a couple of queries always running, but there is nothing showing under running reports in the UI.

Results are the same even when there is no user logged in, and we don't have any scheduled or automatic reports.

For example, the nquery output (below) shows that there are some queries running, but in the UI there is nothing. How can we track it?

// Ident 9339 | 0% complete   | elapsed time     0 millisec | (Sequential scan) => SELECT ChangeTime,IPSID,IPS.Name,NewStatus,NewStatus2,OrigStatus,OrigStatus2 FROM HealthStatusChanges,IPS WHERE IPS.ID = HealthStatusChanges.IPSID AND IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!144138277853593856','!144138277870371072','!144138277887148288','144139377331666944','144139381374976000','144139381425307648|144139381442084864','144139381509193728|144139381928624128','144139381962178560','144139381995732992|144139382683598848','144139382717153280|144139382733930496','144139382784262144|144139382801039360','144139382868148224|144139383589568512','144139383623122944|144139383925112832','144139383958667264|144139384076107776','144139384109662208|144139384159993856') AND HealthStatusChanges.ChangeTime > '09/14/2017 15:09:45'

// Ident 67361 | 0% complete   | elapsed time 208000 millisec | (Indexed read using StringMap.Name) => SELECT Name FROM StringMap WHERE Name REGEXP '(.*(?i)(.*?.exe.*?csvde.exe).*)|(.*(?i)(.*?dump.*?lsass).*)|(.*(?i)(.*?accepteula.*?lsass).*)|(.*(?i)(.*?wmic.*?pass:).*)|(.*(?i)(.*?net use.*?/u).*)|(.*(?i)(.*?lsass.*?dmp).*)|(.*(?i)(.*?node.*?pass).*)|(.*(?i)(.*?vssadmin.*?for=c).*)|(.*(?i)(.*?wmic.*?/node).*)|(.*(?i)(.*?net use.*?/del).*)|(.*(?i)(.*?net use.*?/add).*)' LIMIT 1000000 SQLTAG 'PTYPE[3]#QNAME[D_Server Compromised]#TERM[0]#HIDE[0]

// Ident 9252 | 0% complete   | elapsed time     0 millisec | (Indexed read using Alert.IPSIDSigIDKey) => SELECT Alert.ID,Alert.IPSID,Alert.LastTime,Alert.AlertID FROM Alert WITH(INDEX('IPSIDSigIDKey')) WHERE  IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!144138277853593856','!144138277870371072','!144138277887148288','144120685633994752|144120685667549184','144120685667549696','144120685734658048|144120685751435264','144120685801766912|144120685818544128','144120685885652992','144120685919207424|144120685935984640','144120686003093504','144120686070202368|144120686170865664','144120686271528960','144120686305083392|144120686623850496','144120686674182144','144120686707736576|144120686741291008','144120686774845440|144120687026503680','144120687529820160','144120687563374592','144120687630483456','144120687714369536|144120687781478400','144120687848587264|144120687865364480','144120687915696128|144120688486121472','144120688519675904|144120689912184832','144120689962516480|144

// Ident 9250 | 0% complete   | elapsed time     0 millisec | (Indexed read using Alert.IPSIDSigIDKey) => SELECT Alert.ID,Alert.IPSID,Alert.LastTime,Alert.AlertID FROM Alert WITH(INDEX('IPSIDSigIDKey')) WHERE  IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!144138277853593856','!144138277870371072','!144138277887148288','144131681069039616','144139377331666944','144139381374976000','144139381425307648|144139381442084864','144139381509193728|144139381928624128','144139381962178560','144139381995732992|144139382683598848','144139382717153280|144139382733930496','144139382784262144|144139382801039360','144139382868148224|144139383589568512','144139383623122944|144139383925112832','144139383958667264|144139384076107776','144139384109662208|144139384159993856')   AND LastTime >= '09/14/2017 11:18:50' AND   LastTime < '09/14/2017 15:18:50'   AND DSIDSigID IN ('47|6000133','47|6000410','47|6000414') ORDER BY Alert.LastTime DESC LIMIT 10 SQLTAG 'PTYPE[5]#QNAME[P3_QFCRA_32048]#TERM[0

// Ident 9248 | 0% complete   | elapsed time     0 millisec | (Indexed read using Alert.IPSIDSigIDKey) => SELECT Alert.ID,Alert.IPSID,Alert.LastTime,Alert.AlertID FROM Alert WITH(INDEX('IPSIDSigIDKey')) WHERE  IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!144138277853593856','!144138277870371072','!144138277887148288','144115188075855872','144120685633994752|144120685667549184','144120685667549696','144120685734658048|144120685751435264','144120685801766912|144120685818544128','144120685885652992','144120685919207424|144120685935984640','144120686003093504','144120686070202368|144120686170865664','144120686271528960','144120686305083392|144120686623850496','144120686674182144','144120686707736576|144120686741291008','144120686774845440|144120687026503680','144120687529820160','144120687563374592','144120687630483456','144120687714369536|144120687781478400','144120687848587264|144120687865364480','144120687915696128|144120688486121472','144120688519675904|144120689912184832','1

// Ident 9246 | 0% complete   | elapsed time     0 millisec | (Indexed read using .IPSIDSigIDKey) => SELECT Alert.ID,Alert.IPSID,Alert.LastTime,Alert.AlertID FROM Alert WITH(INDEX('IPSIDSigIDKey')) WHERE  IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!144138277853593856','!144138277870371072','!144138277887148288','144131681069039616','144139377331666944','144139381374976000','144139381425307648|144139381442084864','144139381509193728|144139381928624128','144139381962178560','144139381995732992|144139382683598848','144139382717153280|144139382733930496','144139382784262144|144139382801039360','144139382868148224|144139383589568512','144139383623122944|144139383925112832','144139383958667264|144139384076107776','144139384109662208|144139384159993856')   AND LastTime >= '09/14/2017 11:18:50' AND   LastTime < '09/14/2017 15:18:50'   AND DSIDSigID IN ('47|6000098') ORDER BY Alert.LastTime DESC LIMIT 10 SQLTAG 'PTYPE[5]#QNAME[P3_clientname_32042]#TERM[0]#HIDE[0].
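The nquery lines above share one shape: an Ident, a percent-complete value, elapsed milliseconds, the access plan in parentheses, then the SQL, optionally ending in a SQLTAG with KEY[value] fields such as QNAME. The following parser is an added example written for this thread; it is not McAfee code and not the poster's. It tokenises lines of that shape and flags queries that have run for a long time while staying at 0% complete (the 60-second threshold is an assumption, as is the inferred meaning of each field; the sample lines are constructed with placeholder SQL, and the meaning of PTYPE/TERM/HIDE is not documented here).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the same shape as the nquery lines posted above.
# The SQL bodies are shortened placeholders, not the poster's queries.
# The second line deliberately lacks the closing quote of its SQLTAG,
# mirroring the truncated output in the post.
SAMPLE_NQUERY_OUTPUT = """\
// Ident 9339 | 0% complete   | elapsed time     0 millisec | (Sequential scan) => SELECT ChangeTime FROM HealthStatusChanges WHERE ChangeTime > '09/14/2017 15:09:45'
// Ident 67361 | 0% complete   | elapsed time 208000 millisec | (Indexed read using StringMap.Name) => SELECT Name FROM StringMap WHERE Name REGEXP '(.*placeholder.*)' LIMIT 1000000 SQLTAG 'PTYPE[3]#QNAME[D_Server Compromised]#TERM[0]#HIDE[0]
// Ident 9250 | 0% complete   | elapsed time     0 millisec | (Indexed read using Alert.IPSIDSigIDKey) => SELECT Alert.ID FROM Alert ORDER BY Alert.LastTime DESC LIMIT 10 SQLTAG 'PTYPE[5]#QNAME[P3_QFCRA_32048]#TERM[0]#HIDE[0]'
"""

# One nquery status line: "// Ident N | P% complete | elapsed time N millisec | (plan) => SQL"
LINE_RE = re.compile(
    r"^//\s*Ident\s+(?P<ident>\d+)\s*\|"
    r"\s*(?P<pct>\d+)%\s*complete\s*\|"
    r"\s*elapsed time\s+(?P<elapsed>\d+)\s*millisec\s*\|"
    r"\s*\((?P<plan>[^)]*)\)\s*=>\s*(?P<sql>.*)$"
)
# KEY[value] pairs inside the SQLTAG string, e.g. QNAME[D_Server Compromised]
TAG_RE = re.compile(r"(?P<key>[A-Z]+)\[(?P<value>[^\]]*)\]")


@dataclass
class NQueryEntry:
    ident: int
    percent_complete: int
    elapsed_ms: int
    plan: str
    sql: str
    tags: Dict[str, str]


def parse_sqltag(sql: str) -> Dict[str, str]:
    """Extract KEY[value] fields from a trailing SQLTAG '...'; empty dict if absent.

    Tolerates a missing closing quote, since the posted output is truncated.
    """
    m = re.search(r"SQLTAG\s+'(?P<tag>[^']*)", sql)
    if not m:
        return {}
    return {t.group("key"): t.group("value") for t in TAG_RE.finditer(m.group("tag"))}


def parse_nquery(text: str) -> List[NQueryEntry]:
    """Parse every recognisable nquery status line; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sql = m.group("sql")
        entries.append(NQueryEntry(
            ident=int(m.group("ident")),
            percent_complete=int(m.group("pct")),
            elapsed_ms=int(m.group("elapsed")),
            plan=m.group("plan").strip(),
            sql=sql,
            tags=parse_sqltag(sql),
        ))
    return entries


def stuck_queries(entries: List[NQueryEntry], min_elapsed_ms: int = 60_000,
                  max_percent: int = 0) -> List[NQueryEntry]:
    """Queries that have run at least min_elapsed_ms without passing max_percent complete.

    The 60 s default is an assumed threshold; tune it to the ESM's normal query times.
    """
    return [e for e in entries
            if e.elapsed_ms >= min_elapsed_ms and e.percent_complete <= max_percent]


def stuck_summary(text: str, min_elapsed_ms: int = 60_000) -> List[str]:
    """One human-readable line per stuck query, naming the QNAME where a SQLTAG exists."""
    lines = []
    for e in stuck_queries(parse_nquery(text), min_elapsed_ms):
        name = e.tags.get("QNAME", "<no SQLTAG>")
        lines.append(f"Ident {e.ident}: {e.elapsed_ms / 1000:.0f} s at "
                     f"{e.percent_complete}% via {e.plan}; QNAME={name}")
    return lines


if __name__ == "__main__":
    for line in stuck_summary(SAMPLE_NQUERY_OUTPUT):
        print(line)
```

Feeding the real nquery output to `stuck_summary` narrows the list to the entries worth chasing; in the posted output only Ident 67361 (208 s elapsed, 0% complete, the REGEXP read over StringMap) would be flagged, and its QNAME gives the name to look for in the Task Manager view mentioned in the replies.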

2 Replies
Dimm
Level 9
Message 2 of 3

Re: ESM - Track unresponsive queries

Check ESM Properties -> ESM Management -> Maintenance tab -> Task Manager -> you may also uncheck "Hide system tasks".

brenta
Reliable Contributor
Message 3 of 3

Re: ESM - Track unresponsive queries

Do you have a dynamic watchlist using ESM Strings to populate values?

Brent