Pinned topic: Expensive Custom Rules Found in CRE - But which one?
TobiasA (7 Posts) | 2 replies | Latest Post 2016-10-21T13:01:29Z by sorx

2015-04-09T07:48:02Z | Tags: cre custom expensive rule

I received this message today: Expensive Custom Rules Found in CRE. Apparently it already happened last week when someone was messing with our rules. I am not sure if he disabled the rule again, but since we only received one "expensive rule found" event, I assume that it was only enabled temporarily. However, I still would like to know which rule triggered this event. How can I find out which rule was responsible? The Event Payload only says:


Apr 3 17:40:57 127.0.0.1 [Timer-19] com.q1labs.semsources.cre.CRE: [WARN] [NOT:0040004101][10.10.254.244/- -] [-/- -]Expensive Custom Rules Based On Average Throughput in the last 60 seconds - Magnitude Adjustment: Destination Asset Port is Open=743.2434857512023eps
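An added example, not part of the thread and not QRadar code: the notification payload above already carries the offending rule's name after the " - " separator, followed by the average events per second it consumed over the reporting window. The Python below parses lines of that shape (for instance grepped out of the console's qradar.log, path assumed) into records, ignores unrelated lines, and ranks the flagged rules by reported throughput so that repeated notifications over days can be correlated. The first sample line is the payload from the post; the second, with two rules separated by ", ", is a constructed hypothetical, since the post shows only the single-rule form.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. Line 1 is the notification payload quoted in the
# post; line 2 is a hypothetical payload listing two rules (the ", " separator
# between rules is an assumption, not something the post shows); line 3 is an
# unrelated CRE line that the parser must ignore.
SAMPLE_LINES = [
    "Apr 3 17:40:57 127.0.0.1 [Timer-19] com.q1labs.semsources.cre.CRE: [WARN] "
    "[NOT:0040004101][10.10.254.244/- -] [-/- -]Expensive Custom Rules Based On "
    "Average Throughput in the last 60 seconds - "
    "Magnitude Adjustment: Destination Asset Port is Open=743.2434857512023eps",
    "Apr 4 09:12:03 127.0.0.1 [Timer-7] com.q1labs.semsources.cre.CRE: [WARN] "
    "[NOT:0040004101][10.10.254.244/- -] [-/- -]Expensive Custom Rules Based On "
    "Average Throughput in the last 60 seconds - "
    "Hypothetical Rule A=12.5eps, Hypothetical Rule B=1500eps",
    "Apr 4 09:13:00 127.0.0.1 [Timer-7] com.q1labs.semsources.cre.CRE: [INFO] "
    "CRE started",
]

# Fixed part of the payload, as it appears in the post. The named groups pull
# out the syslog timestamp, the CRE thread, the notification id, the console
# IP, the averaging window, and the trailing "rule=NNNeps" list.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \[(?P<thread>[^\]]+)\] "
    r"com\.q1labs\.semsources\.cre\.CRE: \[WARN\] \[NOT:(?P<notif>\d+)\]"
    r"\[(?P<host>[^/\]]+)/[^\]]*\] \[[^\]]*\]"
    r"Expensive Custom Rules Based On Average Throughput in the last "
    r"(?P<window>\d+) seconds - (?P<rules>.+)$"
)

# One "Rule Name=743.24eps" entry; the lazy ".+?" lets rule names contain
# spaces, colons and hyphens, as "Magnitude Adjustment: Destination Asset
# Port is Open" does.
RULE_RE = re.compile(r"(?P<rule>.+?)=(?P<eps>\d+(?:\.\d+)?)eps(?:,\s*|$)")


@dataclass
class ExpensiveRule:
    timestamp: str
    host: str
    notification_id: str
    window_seconds: int
    rule: str
    eps: float


def parse_line(line: str) -> List[ExpensiveRule]:
    """Return every rule named in one CRE 'Expensive Custom Rules' line.

    Lines that are not this notification (other levels, other messages)
    yield an empty list rather than raising.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return []
    return [
        ExpensiveRule(
            timestamp=m.group("ts"),
            host=m.group("host"),
            notification_id=m.group("notif"),
            window_seconds=int(m.group("window")),
            rule=r.group("rule").strip(),
            eps=float(r.group("eps")),
        )
        for r in RULE_RE.finditer(m.group("rules"))
    ]


def find_expensive(lines: List[str], min_eps: float = 0.0) -> List[ExpensiveRule]:
    """Parse many log lines and return the flagged rules, costliest first.

    min_eps drops rules whose reported throughput is below a threshold you
    choose; the per-window average the CRE reports is the only cost measure
    this notification carries.
    """
    hits = [r for line in lines for r in parse_line(line) if r.eps >= min_eps]
    return sorted(hits, key=lambda r: r.eps, reverse=True)


def worst_rule(lines: List[str]) -> Optional[ExpensiveRule]:
    """The single rule with the highest reported eps, or None if no hits."""
    hits = find_expensive(lines)
    return hits[0] if hits else None


if __name__ == "__main__":
    for hit in find_expensive(SAMPLE_LINES):
        print(f"{hit.timestamp}  {hit.rule!r}  {hit.eps:.1f} eps "
              f"(avg over {hit.window_seconds}s, host {hit.host})")
```

Run against the payload from the post, the parser reports the rule "Magnitude Adjustment: Destination Asset Port is Open" at roughly 743 eps averaged over 60 seconds. This only tells you which rule the CRE flagged and how hard it was working at that moment; why the rule is expensive (the tests it runs, whether it evaluates every event) is a question for the rule's own definition.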

  • Nikodim (11 Posts) - ACCEPTED ANSWER

    Re: Expensive Custom Rules Found in CRE - But which one?

    2015-04-09T08:17:01Z

    You can investigate with the following script:

    /opt/qradar/support/findExpensiveCustomRules.sh

  • sorx (1 Post)

    Re: Expensive Custom Rules Found in CRE - But which one?

    2016-10-21T13:01:29Z
    In reply to Nikodim, 2015-04-09T08:17:01Z:
        You can investigate with the following script:
        /opt/qradar/support/findExpensiveCustomRules.sh

    Hi,

    We are facing a performance-related issue and regularly receive this error notification. After running the script, which parameters need to be checked in the output file?