Child process activity around time of alert
It is often useful to examine the child processes spawned by the process that triggered an incident. Querying their activity in a window around the incident can reveal follow-on malicious behaviour (a downloader, a reverse shell, persistence being written) and the extent of the damage.
Each Sophos Linux Sensor alert carries an incident_id that groups it into an incident. Substitute that value for the <INCIDENT ID FROM SLS ALERT> placeholder in the query below. The query first collects every child_process_uuid recorded on events tagged with the incident, then returns all process_events where that child is the acting process (process_uuid), limited to 10 minutes either side of the incident-tagged events. Because the inner query groups by child_process_uuid, each child gets its own window; grandchildren (children of those children) are not followed, so re-run the query with their UUIDs if you need to go deeper.
| Fields returned | Description |
| --- | --- |
| process_events.* | Any child process events from 10 minutes before the incident to 10 minutes after |
```sql
-- Child process activity within +/-10 minutes of the incident.
-- Timestamps are nanoseconds since the epoch, so 10 minutes is 10*60*1e9.
SELECT *
FROM process_events
JOIN (
    -- one row per child spawned by an incident-tagged event,
    -- with the first and last time that spawn was seen
    SELECT MAX(unix_nano_timestamp) AS max_incident_time,
           MIN(unix_nano_timestamp) AS min_incident_time,
           child_process_uuid       AS uuid
    FROM process_events
    WHERE incident_id = '<INCIDENT ID FROM SLS ALERT>'
    GROUP BY child_process_uuid
) AS incident ON process_events.process_uuid = incident.uuid
WHERE unix_nano_timestamp < incident.max_incident_time + (10*60*1e9)
  AND unix_nano_timestamp > incident.min_incident_time - (10*60*1e9);
```

The original form of this query used LEFT JOIN together with `WHERE process_uuid = incident.uuid`; that predicate discards every unmatched row, so the result is identical to the plain JOIN above.
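To see exactly which rows the query keeps and which it drops, the following added example (not Sophos's code or documentation) loads a small constructed process_events table into SQLite and runs the page's query against it with the placeholder turned into a bound parameter. The column set, UUIDs, program paths, timestamps and the incident id `inc-0001` are all assumptions chosen to exercise the window logic; the real table has many more columns.

```python
import sqlite3

# Added example (not Sophos's code): run the child-process window query
# against a constructed process_events table in SQLite.
# Schema, UUIDs, paths and times below are assumptions for illustration.

NS_PER_MIN = 60 * 1_000_000_000
T0 = 1_700_000_000 * 1_000_000_000          # constructed base time, ns since epoch
INCIDENT_ID = "inc-0001"                    # constructed placeholder incident id

# (unix_nano_timestamp, process_uuid, child_process_uuid, program, incident_id)
SAMPLE_EVENTS = [
    # Alerted shell forks curl at T0; this row carries the incident id.
    (T0,                   "p-shell", "p-curl",      "/bin/sh",        INCIDENT_ID),
    # Same shell forks nc two minutes later, also tagged with the incident.
    (T0 + 2 * NS_PER_MIN,  "p-shell", "p-nc",        "/bin/sh",        INCIDENT_ID),
    # curl (a child of the incident) forks something 5 min in: inside its window.
    (T0 + 5 * NS_PER_MIN,  "p-curl",  "p-curl-kid",  "/usr/bin/curl",  None),
    # nc forks something 8 min in: inside nc's own +/-10 min window (T0+2 min).
    (T0 + 8 * NS_PER_MIN,  "p-nc",    "p-nc-kid",    "/usr/bin/nc",    None),
    # curl forks again 30 min in: outside the window, dropped.
    (T0 + 30 * NS_PER_MIN, "p-curl",  "p-curl-late", "/usr/bin/curl",  None),
    # Unrelated cron activity inside the window: never a child of the incident, dropped.
    (T0 + 1 * NS_PER_MIN,  "p-cron",  "p-job",       "/usr/sbin/cron", None),
]

# The page's query with the <INCIDENT ID FROM SLS ALERT> placeholder replaced by
# a bound parameter and the column list narrowed to process_events.* (the fields
# the page says are returned), plus an ORDER BY for stable output.
CHILD_ACTIVITY_QUERY = """
SELECT process_events.*
FROM process_events
JOIN (
    SELECT MAX(unix_nano_timestamp) AS max_incident_time,
           MIN(unix_nano_timestamp) AS min_incident_time,
           child_process_uuid       AS uuid
    FROM process_events
    WHERE incident_id = ?
    GROUP BY child_process_uuid
) AS incident ON process_events.process_uuid = incident.uuid
WHERE unix_nano_timestamp < incident.max_incident_time + (10*60*1e9)
  AND unix_nano_timestamp > incident.min_incident_time - (10*60*1e9)
ORDER BY unix_nano_timestamp
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory process_events table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE process_events ("
        " unix_nano_timestamp INTEGER, process_uuid TEXT,"
        " child_process_uuid TEXT, program TEXT, incident_id TEXT)"
    )
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


def child_activity(conn: sqlite3.Connection, incident_id: str) -> list[tuple]:
    """Return events whose acting process was spawned during the incident,
    limited to +/-10 minutes around that child's incident-tagged spawn events."""
    return conn.execute(CHILD_ACTIVITY_QUERY, (incident_id,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for ts, proc, child, program, _ in child_activity(db, INCIDENT_ID):
        offset_min = (ts - T0) / NS_PER_MIN
        print(f"+{offset_min:4.1f} min  {proc:7} ({program}) forked {child}")
```

Running it returns only the curl event at +5 minutes and the nc event at +8 minutes. The +30 minute curl event falls outside curl's window, and the cron event is never selected because p-cron was not a child_process_uuid on any incident-tagged row. Note that nc's window is centred on its own spawn time (T0 + 2 min), not on curl's, which is the effect of the GROUP BY child_process_uuid in the inner query.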