Approved

NOTE: Please review the comments section in addition to this post

Live Discover Query - RDP history

  REVIEWED by Sophos 

As RDP is always a hot topic in the world of security, it might be helpful to have a report of who is connecting to where.

The default RDP client, mstsc.exe, maintains a history of the computers connected to under the following key, which it uses to pre-populate the drop-down list:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Default\

They are stored as individual string values, MRU0, MRU1, MRU2, etc. Therefore the following query could be used:

select data,path from registry  where key like 'HKEY_USERS\%\SOFTWARE\Microsoft\Terminal Server Client\Default' and data <> '';

It can be adapted to look for a specific server address:

select data as 'Remote RDP Address', path from registry where key like 'HKEY_USERS\%\SOFTWARE\Microsoft\Terminal Server Client\Default' and data <> '' and data ='wibble.wobble.com';

This may be useful, but of course there is nothing stopping the keys being removed.

Jak
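An added example (not from the original post): the same registry lookup extended to resolve each MRU entry to the user whose hive it sits in, with entries ordered newest first (MRU0 is the most recent). It assumes the osquery registry and users tables as exposed by Live Discover, and that users.uuid holds the account SID on Windows.

```sql
-- Added example: RDP MRU entries per user, newest first.
-- Assumes osquery's registry (key, path, name, data, mtime) and users (uuid, username) tables.
SELECT
    u.username                      AS "User",
    r.name                          AS "MRU slot",
    r.data                          AS "Remote RDP Address",
    datetime(r.mtime, 'unixepoch')  AS "Key last modified (UTC)",
    r.path
FROM registry r
LEFT JOIN users u
    -- The hive name after 'HKEY_USERS\' (11 characters) is the account SID;
    -- cut it out up to the next backslash and match it against users.uuid.
    ON u.uuid = substr(r.key, 12, instr(substr(r.key, 12), '\') - 1)
WHERE r.key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Terminal Server Client\Default'
  AND r.name LIKE 'MRU%'
  AND r.data <> ''
-- MRU0 is the newest entry, so sort by the numeric suffix of the value name.
ORDER BY u.username, CAST(substr(r.name, 4) AS INTEGER);
```

The mtime column is the key's last-write time, so it only tells you when the Default key as a whole last changed, not when each individual MRU slot was written.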

  • You can optimize the join for the Sophos_process_journal. The information in the Registry Journal identifies the SophosPID for the process that made the registry change, and the SophosPID is the PID and the Windows filetime of the PID start. What we need to do is extract that Windows filetime from the SophosPID, then convert it to a UNIXEPOCH for our ON clause. First we will trim off the PID: information from the SophosPID with the use of some creative string functions. We then use some math to convert the filetime to UNIXEPOCH. With a valid unixepoch for the process start time we can now join the Sophos_process_journal with an ON time = 'the unix epoch', which will greatly reduce the volume of data being searched for in the join and should give you a nice performance bump. Tell me if this is doing what you intended. So a query like the one below should be faster.

    SELECT
        srj.time,
        srj.sophospid as "Sophos PID",
        spj.sid,
        srj.keyname "Key where deletion took place",
        srj.valuename as "Value deleted",
        spj.cmdline as "Program which deleted it",
        u.username as "User who ran it"
    FROM sophos_registry_journal SRJ
        LEFT JOIN sophos_process_journal SPJ ON spj.sophosPID = srj.sophosPID
            /* Get the unixepoch time from the sophosPID in the Registry Table and use that to quickly find the process info */
            AND spj.time = replace(srj.SophosPID, rtrim(srj.SophosPID, replace(srj.SophosPID , ':', '')), '')/10000000-11644473600
        LEFT JOIN users u ON u.uuid = spj.sid
    WHERE srj.time > STRFTIME('%s','NOW','-24 HOURS')
        AND srj.eventtype = 6
        AND srj.keyname LIKE '%\SOFTWARE\Microsoft\Terminal Server Client\Default%';