
Process activity around time of incident

It is sometimes beneficial to analyze process activity that is not itself part of the incident. Querying the process events recorded around the time of an incident can help uncover other malicious activity or the extent of the damage.

Required Tables

  • process_events

Input Fields

Each Sophos Linux Sensor (SLS) Alert is assigned an `incident_id`, indicating that the Alert is part of an incident. Replace the <INCIDENT ID FROM SLS ALERT> placeholder in the query below with that incident ID.

Returned Fields

Field            Description
process_events.* Full process events from 10 minutes before the earliest to 10 minutes after the latest event of the incident, per process

Query

-- Collect, per process involved in the incident, the earliest and latest
-- timestamp of its incident-tagged events, then return every event of those
-- processes that falls within 10 minutes (expressed in nanoseconds) of that span.
SELECT *
FROM process_events
LEFT JOIN
    (SELECT MAX(unix_nano_timestamp) AS max_incident_time,
            MIN(unix_nano_timestamp) AS min_incident_time,
            process_uuid AS id
     FROM process_events
     WHERE incident_id='<INCIDENT ID FROM SLS ALERT>'
     GROUP BY process_uuid) AS incident ON process_events.process_uuid=incident.id
-- The equality test below discards unmatched rows, so the LEFT JOIN behaves
-- as an inner join: only processes that appear in the incident are returned.
WHERE process_uuid=incident.id
    AND unix_nano_timestamp < incident.max_incident_time + (10*60*1e9)
    AND unix_nano_timestamp > incident.min_incident_time - (10*60*1e9)
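To see exactly which rows the window admits, here is an added example (not part of the SLS documentation or product) that runs the query above over a constructed `process_events` table in SQLite. The table schema, the `path` column, the incident ID and the sample events are all assumptions made for the demonstration; it shows that untagged events of the incident's own processes inside the ten-minute window are returned, while events outside the window and events of unrelated processes are dropped by the join.

```python
import sqlite3

NS_PER_MIN = 60 * 1_000_000_000          # one minute in nanoseconds
BASE = 1_700_000_000 * 1_000_000_000     # arbitrary base time (ns since epoch)
INCIDENT = "INC-EXAMPLE"                 # hypothetical incident id placeholder

# Constructed sample events: (process_uuid, unix_nano_timestamp, incident_id, path)
SAMPLE_EVENTS = [
    ("p1", BASE,                   INCIDENT, "/usr/bin/curl"),   # the alerted event
    ("p1", BASE - 5 * NS_PER_MIN,  None,     "/usr/bin/bash"),   # 5 min before: in window
    ("p1", BASE + 9 * NS_PER_MIN,  None,     "/usr/bin/chmod"),  # 9 min after: in window
    ("p1", BASE + 11 * NS_PER_MIN, None,     "/usr/bin/ls"),     # 11 min after: outside
    ("p2", BASE + 1 * NS_PER_MIN,  None,     "/usr/bin/sshd"),   # other process: not joined
]

# The page's query, with the incident id bound as a parameter rather than
# pasted into the SQL string, and ordered by time for readability.
QUERY = """
SELECT process_events.*
FROM process_events
LEFT JOIN
    (SELECT MAX(unix_nano_timestamp) AS max_incident_time,
            MIN(unix_nano_timestamp) AS min_incident_time,
            process_uuid AS id
     FROM process_events
     WHERE incident_id = ?
     GROUP BY process_uuid) AS incident ON process_events.process_uuid = incident.id
WHERE process_uuid = incident.id
  AND unix_nano_timestamp < incident.max_incident_time + (10*60*1e9)
  AND unix_nano_timestamp > incident.min_incident_time - (10*60*1e9)
ORDER BY unix_nano_timestamp
"""


def events_around_incident(events, incident_id):
    """Load the constructed events into in-memory SQLite, run the query and
    return the executable paths of the matching events in time order."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE process_events (process_uuid TEXT, "
        "unix_nano_timestamp INTEGER, incident_id TEXT, path TEXT)"
    )
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?)", events)
    rows = conn.execute(QUERY, (incident_id,)).fetchall()
    conn.close()
    return [row[3] for row in rows]


if __name__ == "__main__":
    print(events_around_incident(SAMPLE_EVENTS, INCIDENT))
```

Swapping the sample rows lets you check how the window shifts when an incident spans several events of one process, since the bounds come from that process's own MIN and MAX timestamps.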