Child process activity around time of alert
It is often useful to examine the child processes spawned by the process that triggered an alert. Querying the child process activity in a window around the time of the incident can reveal follow-on activity by the attacker and help scope the depth of the damage.
Required Tables
- process_events
Input Fields
Each Sophos Linux Sensor (SLS) Alert carries an incident_id marking the Alert as part of an Incident. Replace the <INCIDENT ID FROM SLS ALERT> placeholder in the query below with that incident ID.
Returned Fields
Field | Description |
---|---|
process_events.* | Every process_events row in which the child process of the incident event(s) is the acting process (process_uuid), which includes the processes it went on to spawn, from 10 minutes before the first incident event to 10 minutes after the last |
Query
SELECT process_events.*
FROM process_events
JOIN
    -- one row per process spawned by an incident event, with the
    -- earliest and latest incident timestamps for that process
    (SELECT MAX(unix_nano_timestamp) AS max_incident_time,
            MIN(unix_nano_timestamp) AS min_incident_time,
            child_process_uuid AS uuid
     FROM process_events
     WHERE incident_id='<INCIDENT ID FROM SLS ALERT>'
     GROUP BY child_process_uuid) AS incident
  ON process_events.process_uuid=incident.uuid
-- 10*60*1e9 is 10 minutes expressed in nanoseconds
WHERE unix_nano_timestamp < incident.max_incident_time + (10*60*1e9)
  AND unix_nano_timestamp > incident.min_incident_time - (10*60*1e9)
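As an added worked example (not code from the Sophos documentation), the following Python script loads a constructed process_events table into SQLite, runs the query above, and shows what it does and does not return: direct children inside the window are returned, a grandchild and a child spawned outside the window are not. It goes beyond the page with an assumed recursive variant that also walks grandchildren, which is what you want when scoping damage. The SQLite dialect and the program_name column are assumptions; the SLS query engine is not specified on this page.

```python
"""Added example (not Sophos code): exercise the child-process window query
against a constructed process_events table in SQLite."""
import sqlite3

NS_PER_MIN = 60 * 1_000_000_000

# Column names used by the page's query; program_name is assumed, for readability.
SCHEMA = """
CREATE TABLE process_events (
    unix_nano_timestamp INTEGER NOT NULL,
    process_uuid        TEXT NOT NULL,  -- the process performing the action
    child_process_uuid  TEXT,           -- the process it spawned (fork/exec rows)
    incident_id         TEXT,           -- set only on rows tied to an SLS alert
    program_name        TEXT            -- assumed column
);
"""

# Constructed sample: the alert fired on a shell (sh-1) spawned by sshd at T0.
T0 = 1_700_000_000 * 1_000_000_000
ROWS = [
    # ts,                 actor     child     incident   program
    (T0,                  "sshd-1", "sh-1",   "INC-123", "sshd"),  # alerting event
    (T0 + 1 * NS_PER_MIN, "sh-1",   "curl-1", None,      "sh"),    # child, in window
    (T0 + 2 * NS_PER_MIN, "curl-1", "tar-1",  None,      "curl"),  # grandchild: page query skips it
    (T0 + 9 * NS_PER_MIN, "sh-1",   "wget-1", None,      "sh"),    # child, in window
    (T0 + 11 * NS_PER_MIN, "sh-1",  "nc-1",   None,      "sh"),    # child, outside +10 min
    (T0 - 3 * NS_PER_MIN, "cron-1", "sleep-1", None,     "cron"),  # unrelated process
]

# The page's query, with the placeholder replaced by a bind parameter.
PAGE_QUERY = """
SELECT process_events.*
FROM process_events
JOIN (SELECT MAX(unix_nano_timestamp) AS max_incident_time,
             MIN(unix_nano_timestamp) AS min_incident_time,
             child_process_uuid AS uuid
      FROM process_events
      WHERE incident_id = ?
      GROUP BY child_process_uuid) AS incident
  ON process_events.process_uuid = incident.uuid
WHERE unix_nano_timestamp < incident.max_incident_time + (10*60*1e9)
  AND unix_nano_timestamp > incident.min_incident_time - (10*60*1e9)
ORDER BY unix_nano_timestamp
"""

# Assumed extension (not on the page): recursive CTE that follows the process
# tree downwards so grandchildren and deeper descendants are included too.
DESCENDANTS_QUERY = """
WITH RECURSIVE tree(uuid, depth) AS (
    SELECT child_process_uuid, 0 FROM process_events WHERE incident_id = ?
    UNION
    SELECT e.child_process_uuid, t.depth + 1
    FROM process_events e JOIN tree t ON e.process_uuid = t.uuid
    WHERE e.child_process_uuid IS NOT NULL
),
bounds AS (
    SELECT MIN(unix_nano_timestamp) AS lo, MAX(unix_nano_timestamp) AS hi
    FROM process_events WHERE incident_id = ?
)
SELECT e.*, t.depth            -- depth of the acting process below the alerting one
FROM process_events e
JOIN tree t ON e.process_uuid = t.uuid
CROSS JOIN bounds b
WHERE e.unix_nano_timestamp < b.hi + (10*60*1e9)
  AND e.unix_nano_timestamp > b.lo - (10*60*1e9)
ORDER BY e.unix_nano_timestamp
"""


def build_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO process_events VALUES (?,?,?,?,?)", ROWS)
    return conn


def direct_children(conn, incident_id):
    """UUIDs spawned by the alerting process within the window (page's query)."""
    return [row[2] for row in conn.execute(PAGE_QUERY, (incident_id,))]


def descendants(conn, incident_id):
    """(spawned uuid, depth of spawner) for the whole subtree within the window."""
    return [(row[2], row[5])
            for row in conn.execute(DESCENDANTS_QUERY, (incident_id, incident_id))]


if __name__ == "__main__":
    db = build_db()
    print("page query     :", direct_children(db, "INC-123"))
    print("with descendants:", descendants(db, "INC-123"))
```

The window is anchored on the incident's own first and last event timestamps, so an alert made up of several events gets a correspondingly wider window; widen the `10*60*1e9` term if the attacker's follow-on activity is slower than that. The recursive variant walks the tree without a time limit and only filters the returned rows by time, so a long-lived descendant is still found.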