Child process activity around time of alert

It is sometimes useful to analyze the child processes created by a process that triggered an incident. Querying the child process activity around the time of the incident can reveal other malicious activity or help establish the extent of the damage.

Required Tables

  • process_events

Input Fields

Each Sophos Linux Sensor Alert is assigned an incident_id indicating that the Alert is part of an Incident. This incident ID should replace the <INCIDENT ID FROM SLS ALERT> text in the provided query.

Returned Fields

Field              Description
process_events.*   Any child process events from 10 minutes before the incident to 10 minutes after

Query

-- Find every process event whose parent is the child process recorded in the incident,
-- limited to a window of 10 minutes either side of the incident's first and last event.
SELECT *
FROM process_events
LEFT JOIN
    (SELECT MAX(unix_nano_timestamp) AS max_incident_time,
            MIN(unix_nano_timestamp) AS min_incident_time,
            child_process_uuid AS uuid
     FROM process_events
     WHERE incident_id = '<INCIDENT ID FROM SLS ALERT>'
     GROUP BY child_process_uuid) AS incident
  ON process_events.process_uuid = incident.uuid
-- The WHERE clause drops rows without a matching incident, so only events
-- whose parent is the incident's child process remain.
WHERE process_uuid = incident.uuid
  AND unix_nano_timestamp < incident.max_incident_time + (10*60*1e9)   -- 10 minutes, in nanoseconds
  AND unix_nano_timestamp > incident.min_incident_time - (10*60*1e9)
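To see how the join and the time window behave, the following added example (not part of the Sophos documentation) loads constructed process_events rows into an in-memory SQLite table and runs the same query shape with the incident ID bound as a parameter. The extra `path` column and all row values are assumptions made up for the demonstration.

```python
import sqlite3

MINUTE_NS = 60 * 10**9            # one minute in nanoseconds
INCIDENT = "incident-0001"        # placeholder standing in for a real SLS incident_id

# Constructed sample rows, not real SLS telemetry:
# (process_uuid, child_process_uuid, incident_id, unix_nano_timestamp, path)
ROWS = [
    ("p-shell", "p-child", INCIDENT, 100 * MINUTE_NS, "/bin/sh"),       # the alerted event
    ("p-child", "p-gc-0", None,       85 * MINUTE_NS, "/bin/ls"),       # 15 min before: excluded
    ("p-child", "p-gc-1", None,      103 * MINUTE_NS, "/bin/cat"),      # inside the window
    ("p-child", "p-gc-2", None,      109 * MINUTE_NS, "/usr/bin/env"),  # inside the window
    ("p-child", "p-gc-3", None,      115 * MINUTE_NS, "/usr/bin/id"),   # 15 min after: excluded
    ("p-other", "p-x",    None,      101 * MINUTE_NS, "/usr/bin/python3"),  # unrelated parent
]

# Same structure as the documented query; the incident ID is a bound parameter
# and only process_events columns are returned, as the Returned Fields table states.
QUERY = """
SELECT process_events.*
FROM process_events
LEFT JOIN
    (SELECT MAX(unix_nano_timestamp) AS max_incident_time,
            MIN(unix_nano_timestamp) AS min_incident_time,
            child_process_uuid AS uuid
     FROM process_events
     WHERE incident_id = ?
     GROUP BY child_process_uuid) AS incident
  ON process_events.process_uuid = incident.uuid
WHERE process_uuid = incident.uuid
  AND unix_nano_timestamp < incident.max_incident_time + (10*60*1e9)
  AND unix_nano_timestamp > incident.min_incident_time - (10*60*1e9)
ORDER BY unix_nano_timestamp
"""

def child_activity(rows, incident_id):
    """Return the child process events within +/-10 minutes of the incident."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE process_events (process_uuid TEXT, child_process_uuid TEXT,"
                 " incident_id TEXT, unix_nano_timestamp INTEGER, path TEXT)")
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?, ?)", rows)
    result = conn.execute(QUERY, (incident_id,)).fetchall()
    conn.close()
    return result

if __name__ == "__main__":
    for row in child_activity(ROWS, INCIDENT):
        print(row)   # only the 103- and 109-minute events of p-child are printed
```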