
    ESM - Track unresponsive queries

    minki

      Hi,

       

      We are facing an issue where, from the ESM CLI, we see a couple of queries that are always running, but nothing is shown under running reports in the UI.

      The results are the same even when no user is logged in, and we don't have any scheduled or automatic reports.

       

      For example, the nquery output (below) shows that some queries are running, but there is nothing in the UI. How can we track them?

      // Ident 9339 | 0% complete   | elapsed time     0 millisec | (Sequential scan) => SELECT ChangeTime,IPSID,IPS.Name,NewStatus,NewStatus2,OrigStatus,OrigStatus2 FROM HealthStatusChanges,IPS WHERE IPS.ID = HealthStatusChanges.IPSID AND IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!1441382778 53593856','!144138277870371072','!144138277887148288','144139377331666944','1441 39381374976000','144139381425307648|144139381442084864','144139381509193728|1441 39381928624128','144139381962178560','144139381995732992|144139382683598848','14 4139382717153280|144139382733930496','144139382784262144|144139382801039360','14 4139382868148224|144139383589568512','144139383623122944|144139383925112832','14 4139383958667264|144139384076107776','144139384109662208|144139384159993856') AND HealthStatusChanges.ChangeTime > '09/14/2017 15:09:45'

       

      // Ident 67361 | 0% complete   | elapsed time 208000 millisec | (Indexed read using StringMap.Name) => SELECT Name FROM StringMap WHERE Name REGEXP '(.*(?i)(.*?.exe.*?csvde.exe).*)|(.*(?i)(.*?dump.*?lsass).*)|(.*(?i)(.*?accepte ula.*?lsass).*)|(.*(?i)(.*?wmic.*?pass:).*)|(.*(?i)(.*?net use.*?/u).*)|(.*(?i)(.*?lsass.*?dmp).*)|(.*(?i)(.*?node.*?pass).*)|(.*(?i)(.*?v ssadmin.*?for=c).*)|(.*(?i)(.*?wmic.*?/node).*)|(.*(?i)(.*?net use.*?/del).*)|(.*(?i)(.*?net use.*?/add).*)' LIMIT 1000000 SQLTAG 'PTYPE[3]#QNAME[D_Server Compromised]#TERM[0]#HIDE[0]

       

      // Ident 9252 | 0% complete   | elapsed time     0 millisec | (Indexed read using Alert.IPSIDSigIDKey) => SELECT Alert.ID,Alert.IPSID,Alert.LastTime,Alert.AlertID FROM Alert WITH(INDEX('IPSIDSigIDKey')) WHERE  IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!1441382778 53593856','!144138277870371072','!144138277887148288','144120685633994752|144120 685667549184','144120685667549696','144120685734658048|144120685751435264','1441 20685801766912|144120685818544128','144120685885652992','144120685919207424|1441 20685935984640','144120686003093504','144120686070202368|144120686170865664','14 4120686271528960','144120686305083392|144120686623850496','144120686674182144',' 144120686707736576|144120686741291008','144120686774845440|144120687026503680',' 144120687529820160','144120687563374592','144120687630483456','14412068771436953 6|144120687781478400','144120687848587264|144120687865364480','14412068791569612 8|144120688486121472','144120688519675904|144120689912184832','14412068996251648 0|144

       

      // Ident 9250 | 0% complete   | elapsed time     0 millisec | (Indexed read using Alert.IPSIDSigIDKey) => SELECT Alert.ID,Alert.IPSID,Alert.LastTime,Alert.AlertID FROM Alert WITH(INDEX('IPSIDSigIDKey')) WHERE  IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!1441382778 53593856','!144138277870371072','!144138277887148288','144131681069039616','1441 39377331666944','144139381374976000','144139381425307648|144139381442084864','14 4139381509193728|144139381928624128','144139381962178560','144139381995732992|14 4139382683598848','144139382717153280|144139382733930496','144139382784262144|14 4139382801039360','144139382868148224|144139383589568512','144139383623122944|14 4139383925112832','144139383958667264|144139384076107776','144139384109662208|14 4139384159993856')   AND LastTime >= '09/14/2017 11:18:50' AND   LastTime < '09/14/2017 15:18:50'   AND DSIDSigID IN ('47|6000133','47|6000410','47|6000414') ORDER BY Alert.LastTime DESC LIMIT 10 SQLTAG 'PTYPE[5]#QNAME[P3_QFCRA_32048]#TERM[0

       

      // Ident 9248 | 0% complete   | elapsed time     0 millisec | (Indexed read using Alert.IPSIDSigIDKey) => SELECT Alert.ID,Alert.IPSID,Alert.LastTime,Alert.AlertID FROM Alert WITH(INDEX('IPSIDSigIDKey')) WHERE  IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!1441382778 53593856','!144138277870371072','!144138277887148288','144115188075855872','1441 20685633994752|144120685667549184','144120685667549696','144120685734658048|1441 20685751435264','144120685801766912|144120685818544128','144120685885652992','14 4120685919207424|144120685935984640','144120686003093504','144120686070202368|14 4120686170865664','144120686271528960','144120686305083392|144120686623850496',' 144120686674182144','144120686707736576|144120686741291008','144120686774845440| 144120687026503680','144120687529820160','144120687563374592','14412068763048345 6','144120687714369536|144120687781478400','144120687848587264|14412068786536448 0','144120687915696128|144120688486121472','144120688519675904|14412068991218483 2','1

       

      // Ident 9246 | 0% complete   | elapsed time     0 millisec | (Indexed read using .IPSIDSigIDKey) => SELECT Alert.ID,Alert.IPSID,Alert.LastTime,Alert.AlertID FROM Alert WITH(INDEX('IPSIDSigIDKey')) WHERE  IPSID IN ('!144131680783827200','!144131680800604416','!144131680817381632','!1441382778 53593856','!144138277870371072','!144138277887148288','144131681069039616','1441 39377331666944','144139381374976000','144139381425307648|144139381442084864','14 4139381509193728|144139381928624128','144139381962178560','144139381995732992|14 4139382683598848','144139382717153280|144139382733930496','144139382784262144|14 4139382801039360','144139382868148224|144139383589568512','144139383623122944|14 4139383925112832','144139383958667264|144139384076107776','144139384109662208|14 4139384159993856')   AND LastTime >= '09/14/2017 11:18:50' AND   LastTime < '09/14/2017 15:18:50'   AND DSIDSigID IN ('47|6000098') ORDER BY Alert.LastTime DESC LIMIT 10 SQLTAG 'PTYPE[5]#QNAME[P3_clientname_32042]#TERM[0]#HIDE[0].