Hi all,
I am testing MISP integration with an indicator match rule. In the past our team suffered a small outage of a node due to a long execution duration filling up the Java garbage collector.
We are trying again to use this intel as it is really good.
The rule is as follows:
The last run took 15s, but the average is around 20-30s. We have a cluster ingesting 1M logs/s on v8.9.2, and we didn't have any rules with this duration.
The use of observer.ingress.interface.name refers to the public interface, to filter only for those connections to non-internal.
The ASA logs are around 120,000 per hour, and the MISP logs are 700 over a period of one week with these filters.
My question is: is this a normal duration for this type of rule, or can we improve it somehow?