This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Profile prequery performance problems

DionStempfley
Contributor
Contributor

‎2017-01-23 02:18 PM

Is it normal to see a performance difference when using a prequery in a custom profile vs. making the query in directly investigation?  I created a custom profile and when I added a prequery it took significantly longer to load. 

 

I am looking for login sessions from our different VPN solutions and added the following prequery: (device.type = 'ciscoasa' && event.desc = 'anyconnect parent session started') || (device.type = 'firepass' && alert.id = 'account:logon-success')  || ( device.type = 'aventail' && alert.id = 'account:logon-success' ). 

 

Any thoughts?

 

/Dion

Dion Stempfley
Cybersecurity Analyst
Institute for Defense Analyses
0 Likes
2 REPLIES 2

JohnSnider
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2017-01-23 02:47 PM

First, what version are you running?  Reason I ask is that on one of the older versions, in the profile pre-query if you did not surround the entire query in parentheses ( ) it would cause spurious results and took longer to run.  So first try adding those around the pre-query.

Secondly, instead of doing that complex pre-query, place that query as an App rule on the Log Decoder and name the rule "VPN_Logins" or something like that, them set a alert for the rule to create that meta data in something like "risk.info", or if you have custom keys created already created for your own company informational rules like "<companyname.info>" then alert to that key (meaning that where the name of the rule will be written.)

 

Then you pre-query can be a simple (risk.info = 'VPN_Logins') which will run faster anyway.

0 Likes

DionStempfley
Contributor
Contributor
In response to JohnSnider

‎2017-01-23 03:07 PM

Thanks for your input. We are using 10.6.2. I put the whole query in parentheses and it made a huge difference. I will also consider the app rule as well.

Dion Stempfley
Cybersecurity Analyst
Institute for Defense Analyses
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.