Parent process activity around time of alert

It is sometimes beneficial to analyze the parent processes that created the process which triggered the incident. Querying the parent process activity around the time of the incident can reveal other malicious activity or show the depth of the damage.

Required Tables

  • process_events

Input Fields

Each Sophos Linux Sensor (SLS) alert is assigned an incident_id, indicating that the alert is part of an incident. This incident ID should replace the <INCIDENT ID FROM SLS ALERT> placeholder in the query below.

Returned Fields

Field             Description
process_events.*  Any events of the parent process(es) from 10 minutes before the incident to 10 minutes after

Query

-- Find the earliest and latest event of the incident, grouped by parent process,
-- then return every event of those parent processes within a 10-minute window
-- on either side. Timestamps are nanoseconds, so 10*60*1e9 is 10 minutes.
SELECT *
FROM process_events
LEFT JOIN
    (SELECT MAX(unix_nano_timestamp) AS max_incident_time,
            MIN(unix_nano_timestamp) AS min_incident_time,
            parent_process_uuid AS uuid
     FROM process_events
     WHERE incident_id = '<INCIDENT ID FROM SLS ALERT>'
     GROUP BY parent_process_uuid) AS incident
  ON process_events.process_uuid = incident.uuid
-- The condition on incident.uuid drops unmatched rows, so the LEFT JOIN
-- behaves as an inner join and only the parent process(es) are returned.
WHERE process_uuid = incident.uuid
  AND unix_nano_timestamp < incident.max_incident_time + (10*60*1e9)
  AND unix_nano_timestamp > incident.min_incident_time - (10*60*1e9)
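To show what the query returns in practice, here is an added example (not from the Sophos documentation) that runs it with Python's sqlite3 against a constructed process_events table. The table schema, the extra cmdline column, the incident id and all events are assumptions for illustration, and SQLite stands in for the sensor's own query engine.

```python
import sqlite3

# Constructed stand-in for the sensor's process_events table; only the columns
# the query touches are taken from the page, "cmdline" is an assumed extra column.
SCHEMA = """CREATE TABLE process_events (
    process_uuid TEXT, parent_process_uuid TEXT,
    unix_nano_timestamp INTEGER, incident_id TEXT, cmdline TEXT)"""

NS_PER_MIN = 60 * 10**9
T0 = 1_700_000_000 * 10**9  # constructed base time, ns since epoch

# Constructed events: shell "p1" spawns the two processes tagged with the
# incident; p1 also has activity inside and outside the +/-10 minute window.
ROWS = [
    ("p1", "init", T0 - 30 * NS_PER_MIN, None, "bash"),          # too early
    ("p1", "init", T0 - 5 * NS_PER_MIN, None, "bash"),           # in window
    ("c1", "p1", T0, "INC-1", "curl http://example.invalid/a"),  # incident start
    ("c2", "p1", T0 + 2 * NS_PER_MIN, "INC-1", "sh /tmp/a.sh"),  # incident end
    ("p1", "init", T0 + 9 * NS_PER_MIN, None, "bash"),           # in window
    ("p1", "init", T0 + 40 * NS_PER_MIN, None, "bash"),          # too late
    ("zz", "init", T0, None, "unrelated"),                       # different parent
]

# The page's query, with the placeholder replaced by a bound parameter. The
# WHERE on incident.uuid turns the LEFT JOIN into an inner join, so unrelated
# processes and unknown incident ids yield no rows.
QUERY = """
SELECT * FROM process_events
LEFT JOIN (SELECT MAX(unix_nano_timestamp) AS max_incident_time,
                  MIN(unix_nano_timestamp) AS min_incident_time,
                  parent_process_uuid AS uuid
           FROM process_events
           WHERE incident_id = ?
           GROUP BY parent_process_uuid) AS incident
       ON process_events.process_uuid = incident.uuid
WHERE process_uuid = incident.uuid
  AND unix_nano_timestamp < incident.max_incident_time + (10*60*1e9)
  AND unix_nano_timestamp > incident.min_incident_time - (10*60*1e9)
"""

def parent_activity(incident_id, rows=ROWS):
    # Returns (process_uuid, cmdline, minutes relative to T0), sorted by time.
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO process_events VALUES (?,?,?,?,?)", rows)
    found = con.execute(QUERY, (incident_id,)).fetchall()
    con.close()
    return sorted((r[0], r[4], (r[2] - T0) // NS_PER_MIN) for r in found)
```

Only the parent's events at -5 and +9 minutes survive the window; the incident's own child events and the parent's activity 30 minutes before or 40 minutes after are excluded.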