Former Member
Message 1 of 3

ESM - Track unresponsive queries

Hi,

We are facing an issue where, from the ESM CLI, we see a couple of queries always running, but nothing shows under running reports in the UI.

The results are the same even when no user is logged in, and we don't have any scheduled or automatic reports.

For example, the nquery output (below) shows that there are some queries running, but in the UI there is nothing. How can we track it?

// Ident 9339 | 0% complete   | elapsed time     0 millisec | (Sequential scan) => SELECT ChangeTime,IPSID,IPS.Name,NewStatus,NewStatus2,OrigStatus,OrigStatus2 FROM HealthStatusChanges,IPS WHERE IPS.ID = HealthStatusChanges.IPSID AND IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!144138277853593856','!144138277870371072','!144138277887148288','144139377331666944','144139381374976000','144139381425307648|144139381442084864','144139381509193728|144139381928624128','144139381962178560','144139381995732992|144139382683598848','144139382717153280|144139382733930496','144139382784262144|144139382801039360','144139382868148224|144139383589568512','144139383623122944|144139383925112832','144139383958667264|144139384076107776','144139384109662208|144139384159993856') AND HealthStatusChanges.ChangeTime > '09/14/2017 15:09:45'

// Ident 67361 | 0% complete   | elapsed time 208000 millisec | (Indexed read using StringMap.Name) => SELECT Name FROM StringMap WHERE Name REGEXP '(.*(?i)(.*?.exe.*?csvde.exe).*)|(.*(?i)(.*?dump.*?lsass).*)|(.*(?i)(.*?accepteula.*?lsass).*)|(.*(?i)(.*?wmic.*?pass:).*)|(.*(?i)(.*?net use.*?/u).*)|(.*(?i)(.*?lsass.*?dmp).*)|(.*(?i)(.*?node.*?pass).*)|(.*(?i)(.*?vssadmin.*?for=c).*)|(.*(?i)(.*?wmic.*?/node).*)|(.*(?i)(.*?net use.*?/del).*)|(.*(?i)(.*?net use.*?/add).*)' LIMIT 1000000 SQLTAG 'PTYPE[3]#QNAME[D_Server Compromised]#TERM[0]#HIDE[0]

// Ident 9252 | 0% complete   | elapsed time     0 millisec | (Indexed read using Alert.IPSIDSigIDKey) => SELECT Alert.ID,Alert.IPSID,Alert.LastTime,Alert.AlertID FROM Alert WITH(INDEX('IPSIDSigIDKey')) WHERE  IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!144138277853593856','!144138277870371072','!144138277887148288','144120685633994752|144120685667549184','144120685667549696','144120685734658048|144120685751435264','144120685801766912|144120685818544128','144120685885652992','144120685919207424|144120685935984640','144120686003093504','144120686070202368|144120686170865664','144120686271528960','144120686305083392|144120686623850496','144120686674182144','144120686707736576|144120686741291008','144120686774845440|144120687026503680','144120687529820160','144120687563374592','144120687630483456','144120687714369536|144120687781478400','144120687848587264|144120687865364480','144120687915696128|144120688486121472','144120688519675904|144120689912184832','144120689962516480|144

// Ident 9250 | 0% complete   | elapsed time     0 millisec | (Indexed read using Alert.IPSIDSigIDKey) => SELECT Alert.ID,Alert.IPSID,Alert.LastTime,Alert.AlertID FROM Alert WITH(INDEX('IPSIDSigIDKey')) WHERE  IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!144138277853593856','!144138277870371072','!144138277887148288','144131681069039616','144139377331666944','144139381374976000','144139381425307648|144139381442084864','144139381509193728|144139381928624128','144139381962178560','144139381995732992|144139382683598848','144139382717153280|144139382733930496','144139382784262144|144139382801039360','144139382868148224|144139383589568512','144139383623122944|144139383925112832','144139383958667264|144139384076107776','144139384109662208|144139384159993856')   AND LastTime >= '09/14/2017 11:18:50' AND   LastTime < '09/14/2017 15:18:50'   AND DSIDSigID IN ('47|6000133','47|6000410','47|6000414') ORDER BY Alert.LastTime DESC LIMIT 10 SQLTAG 'PTYPE[5]#QNAME[P3_QFCRA_32048]#TERM[0

// Ident 9248 | 0% complete   | elapsed time     0 millisec | (Indexed read using Alert.IPSIDSigIDKey) => SELECT Alert.ID,Alert.IPSID,Alert.LastTime,Alert.AlertID FROM Alert WITH(INDEX('IPSIDSigIDKey')) WHERE  IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!144138277853593856','!144138277870371072','!144138277887148288','144115188075855872','144120685633994752|144120685667549184','144120685667549696','144120685734658048|144120685751435264','144120685801766912|144120685818544128','144120685885652992','144120685919207424|144120685935984640','144120686003093504','144120686070202368|144120686170865664','144120686271528960','144120686305083392|144120686623850496','144120686674182144','144120686707736576|144120686741291008','144120686774845440|144120687026503680','144120687529820160','144120687563374592','144120687630483456','144120687714369536|144120687781478400','144120687848587264|144120687865364480','144120687915696128|144120688486121472','144120688519675904|144120689912184832','1

// Ident 9246 | 0% complete   | elapsed time     0 millisec | (Indexed read using .IPSIDSigIDKey) => SELECT Alert.ID,Alert.IPSID,Alert.LastTime,Alert.AlertID FROM Alert WITH(INDEX('IPSIDSigIDKey')) WHERE  IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!144138277853593856','!144138277870371072','!144138277887148288','144131681069039616','144139377331666944','144139381374976000','144139381425307648|144139381442084864','144139381509193728|144139381928624128','144139381962178560','144139381995732992|144139382683598848','144139382717153280|144139382733930496','144139382784262144|144139382801039360','144139382868148224|144139383589568512','144139383623122944|144139383925112832','144139383958667264|144139384076107776','144139384109662208|144139384159993856')   AND LastTime >= '09/14/2017 11:18:50' AND   LastTime < '09/14/2017 15:18:50'   AND DSIDSigID IN ('47|6000098') ORDER BY Alert.LastTime DESC LIMIT 10 SQLTAG 'PTYPE[5]#QNAME[P3_clientname_32042]#TERM[0]#HIDE[0].
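One way to keep track of these from the CLI side, as an added example that is not from this thread or from McAfee: a small Python parser for the nquery line format shown above. It pulls out the identifier, progress, elapsed time, access method and the QNAME/PTYPE from the trailing SQLTAG (the QNAME is the name you would look for in the UI task list), then flags queries that have been running longer than a threshold while still showing 0% complete. The threshold values and the shortened sample lines are assumptions; run over the output above it singles out Ident 67361, the StringMap REGEXP query at 208000 millisec.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One nquery line, in the shape shown in the thread:
# // Ident <id> | <n>% complete | elapsed time <ms> millisec | (<access method>) => <SQL>
LINE_RE = re.compile(
    r"^//\s*Ident\s+(?P<ident>\d+)\s*\|"
    r"\s*(?P<pct>\d+)%\s*complete\s*\|"
    r"\s*elapsed time\s+(?P<elapsed>\d+)\s*millisec\s*\|"
    r"\s*\((?P<method>[^)]*)\)\s*=>\s*(?P<sql>.*)$"
)
# The trailing SQLTAG carries the query name (QNAME) and type (PTYPE) that
# link a CLI query back to a UI object.
QNAME_RE = re.compile(r"QNAME\[(?P<qname>[^\]]*)\]")
PTYPE_RE = re.compile(r"PTYPE\[(?P<ptype>\d+)\]")


@dataclass
class NQuery:
    ident: int
    pct_complete: int
    elapsed_ms: int
    method: str
    sql: str
    qname: Optional[str]   # None when the query carries no SQLTAG
    ptype: Optional[int]


def parse_nquery_line(line: str) -> Optional[NQuery]:
    """Parse one nquery output line; return None for lines that are not query records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sql = m.group("sql")
    q = QNAME_RE.search(sql)
    p = PTYPE_RE.search(sql)
    return NQuery(
        ident=int(m.group("ident")),
        pct_complete=int(m.group("pct")),
        elapsed_ms=int(m.group("elapsed")),
        method=m.group("method"),
        sql=sql,
        qname=q.group("qname") if q else None,
        ptype=int(p.group("ptype")) if p else None,
    )


def parse_nquery_output(text: str) -> List[NQuery]:
    """Parse a whole nquery dump, skipping blank and non-record lines."""
    return [q for q in (parse_nquery_line(l) for l in text.splitlines()) if q]


def stuck_queries(queries: List[NQuery], min_elapsed_ms: int = 60_000,
                  max_pct: int = 0) -> List[NQuery]:
    """Queries that have run at least min_elapsed_ms and are still at or below max_pct complete.
    The thresholds are assumptions; tune them to the site's normal query times."""
    return [q for q in queries
            if q.elapsed_ms >= min_elapsed_ms and q.pct_complete <= max_pct]


def describe(q: NQuery) -> str:
    """One-line summary suitable for a ticket or a monitoring alert."""
    name = q.qname if q.qname else "<no SQLTAG>"
    return (f"Ident {q.ident}: {q.elapsed_ms // 1000}s elapsed, {q.pct_complete}% complete, "
            f"{q.method}, QNAME={name}, PTYPE={q.ptype}")


# Constructed sample: three lines in the thread's format with the SQL shortened.
SAMPLE = """
// Ident 9339 | 0% complete   | elapsed time     0 millisec | (Sequential scan) => SELECT ChangeTime,IPSID FROM HealthStatusChanges,IPS WHERE IPS.ID = HealthStatusChanges.IPSID
// Ident 67361 | 0% complete   | elapsed time 208000 millisec | (Indexed read using StringMap.Name) => SELECT Name FROM StringMap WHERE Name REGEXP '[pattern shortened]' LIMIT 1000000 SQLTAG 'PTYPE[3]#QNAME[D_Server Compromised]#TERM[0]#HIDE[0]'
// Ident 9250 | 0% complete   | elapsed time     0 millisec | (Indexed read using Alert.IPSIDSigIDKey) => SELECT Alert.ID FROM Alert WHERE IPSID IN ('!144131680783827200') ORDER BY Alert.LastTime DESC LIMIT 10 SQLTAG 'PTYPE[5]#QNAME[P3_QFCRA_32048]#TERM[0]#HIDE[0]'
"""

if __name__ == "__main__":
    for q in stuck_queries(parse_nquery_output(SAMPLE)):
        print(describe(q))
```

Feeding it the real nquery output on a schedule and alerting on anything `stuck_queries` returns gives you a record of the Ident, the QNAME and how long it has been at 0%, which is the information the UI task list does not show you when the task is hidden.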

2 Replies
Dimm
Level 10
Message 2 of 3

Re: ESM - Track unresponsive queries

Check ESM properties -> ESM management -> Maintenance tab -> Task manager -> you may also uncheck "Hide system tasks".

brenta
Reliable Contributor
Message 3 of 3

Re: ESM - Track unresponsive queries

Do you have a dynamic watchlist using ESM Strings to populate values?

Brent