Post-incident investigation
Once Sophos Linux Sensor (SLS) has generated an incident, you can investigate it further by reviewing the timeline of the events that belong to it. The timeline gives you more detailed context about what happened.
Required tables
- alerts
- file_events
- process_events
- shell_commands
- connections
Input field
Each SLS alert is assigned an incident_id that identifies the incident it belongs to. Replace the <INCIDENT ID FROM SLS ALERT> text in the query below with that incident ID.
Return fields

| Field | Description |
|---|---|
| incident, ts, uuid | Incident ID, UnixNano timestamp, and UUID of the process |
| dsthost, dstport | Destination host and destination port, when the event is a connection event |
| progargs, progname | Program arguments and program name, when the event is a shell command |
| priority, policy_type, strategy | Priority, policy type, and strategy of the alert, when the event is an alert |
| path, container_id, source_path, file_event_path | Path, container ID, source path, and file event path, when the event is a file event |
Query

```sql
SELECT incident,
       ts,
       uuid,
       dsthost,
       dstport,
       progargs,
       progname,
       priority,
       policy_type,
       strategy,
       path,
       container_id,
       source_path,
       file_event_path
FROM
  (SELECT connections.incident_id AS incident,
          connections.unix_nano_timestamp AS ts,
          connections.process_uuid AS uuid,
          connections.dst_addr AS dsthost,
          cast(connections.dst_port AS varchar) AS dstport,
          '' AS progargs, '' AS progname, '' AS priority, '' AS policy_type, '' AS strategy, '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
   FROM connections
   UNION ALL
   SELECT shell_commands.incident_id AS incident,
          shell_commands.unix_nano_timestamp AS ts,
          shell_commands.process_uuid AS uuid,
          '' AS dsthost, '' AS dstport, array_join(shell_commands.program_arguments, ' ') AS progargs, shell_commands.program_filename AS progname, '' AS priority, '' AS policy_type, '' AS strategy, '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
   FROM shell_commands
   UNION ALL
   SELECT alerts.incident_id AS incident,
          alerts.unix_nano_timestamp AS ts,
          alerts.process_uuid AS uuid,
          '' AS dsthost, '' AS dstport, '' AS progargs, '' AS progname, alerts.priority AS priority, alerts.policy_type AS policy_type, alerts.strategy_name AS strategy, '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
   FROM alerts
   UNION ALL
   SELECT file_events.incident_id AS incident,
          file_events.unix_nano_timestamp AS ts,
          file_events.process_uuid AS uuid,
          '' AS dsthost, '' AS dstport, '' AS progargs, '' AS progname, '' AS priority, '' AS policy_type, '' AS strategy, file_events.path AS path, file_events.container_id AS container_id, file_events.source_path AS source_path, cast(file_events.event_type AS varchar) AS file_event_path
   FROM file_events )
WHERE uuid IN
    (SELECT process_uuid
     FROM process_events
     WHERE incident_id = '<INCIDENT ID FROM SLS ALERT>')
ORDER BY ts ASC
```
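The query above works by normalising four differently shaped event tables into one column layout with UNION ALL, then keeping only rows whose process_uuid appears in process_events for the incident, and ordering them by timestamp. The following is an added, self-contained illustration of that pattern, not Sophos code and not the query the page provides: it rebuilds the five tables in an in-memory SQLite database with constructed sample rows (hypothetical values), runs an SQLite adaptation of the same UNION ALL / process_uuid filter, and prints a readable timeline. Two adaptations are assumptions of this example: SQLite has no array_join, so program_arguments is stored as already-joined text, and a kind column is added to each branch so the reader can tell which table a row came from. The sample data also shows a point worth knowing when reading results: rows are correlated by process_uuid, so a connection row that carries no incident_id of its own still lands in the timeline, while a process from another incident is excluded.

```python
import sqlite3

# Constructed sample incident ID (hypothetical, not a real SLS value).
SAMPLE_INCIDENT = "inc-0001"

# SQLite adaptation of the page's timeline query: a 'kind' column is added,
# table names are dropped from column references, and the incident ID is
# passed as a bound parameter instead of being pasted into the text.
TIMELINE_SQL = """
SELECT kind, incident, ts, uuid, dsthost, dstport, progargs, progname,
       priority, policy_type, strategy, path, container_id, source_path, file_event_path
FROM (
  SELECT 'connection' AS kind, incident_id AS incident, unix_nano_timestamp AS ts,
         process_uuid AS uuid, dst_addr AS dsthost, CAST(dst_port AS varchar) AS dstport,
         '' AS progargs, '' AS progname, '' AS priority, '' AS policy_type, '' AS strategy,
         '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
  FROM connections
  UNION ALL
  SELECT 'shell_command', incident_id, unix_nano_timestamp, process_uuid,
         '', '', program_arguments, program_filename, '', '', '', '', '', '', ''
  FROM shell_commands
  UNION ALL
  SELECT 'alert', incident_id, unix_nano_timestamp, process_uuid,
         '', '', '', '', priority, policy_type, strategy_name, '', '', '', ''
  FROM alerts
  UNION ALL
  SELECT 'file_event', incident_id, unix_nano_timestamp, process_uuid,
         '', '', '', '', '', '', '', path, container_id, source_path, CAST(event_type AS varchar)
  FROM file_events
)
WHERE uuid IN (SELECT process_uuid FROM process_events WHERE incident_id = ?)
ORDER BY ts ASC
"""


def build_sample_db():
    """Create an in-memory database with the five tables the query reads, filled with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE process_events (incident_id TEXT, process_uuid TEXT, unix_nano_timestamp INTEGER);
        CREATE TABLE connections    (incident_id TEXT, unix_nano_timestamp INTEGER, process_uuid TEXT,
                                     dst_addr TEXT, dst_port INTEGER);
        CREATE TABLE shell_commands (incident_id TEXT, unix_nano_timestamp INTEGER, process_uuid TEXT,
                                     program_arguments TEXT, program_filename TEXT);
        CREATE TABLE alerts         (incident_id TEXT, unix_nano_timestamp INTEGER, process_uuid TEXT,
                                     priority TEXT, policy_type TEXT, strategy_name TEXT);
        CREATE TABLE file_events    (incident_id TEXT, unix_nano_timestamp INTEGER, process_uuid TEXT,
                                     path TEXT, container_id TEXT, source_path TEXT, event_type TEXT);
    """)
    # Processes p-1 and p-2 belong to the sample incident; p-9 belongs to another one.
    con.executemany("INSERT INTO process_events VALUES (?, ?, ?)", [
        (SAMPLE_INCIDENT, "p-1", 100),
        (SAMPLE_INCIDENT, "p-2", 150),
        ("inc-0002", "p-9", 105),
    ])
    con.execute("INSERT INTO alerts VALUES (?, ?, ?, ?, ?, ?)",
                (SAMPLE_INCIDENT, 120, "p-1", "high", "blocklist", "Suspicious shell"))
    con.executemany("INSERT INTO shell_commands VALUES (?, ?, ?, ?, ?)", [
        (SAMPLE_INCIDENT, 200, "p-1", "-c /tmp/update.sh", "/bin/bash"),
        ("inc-0002", 210, "p-9", "-la /var/log", "/bin/ls"),
    ])
    con.execute("INSERT INTO file_events VALUES (?, ?, ?, ?, ?, ?, ?)",
                (SAMPLE_INCIDENT, 250, "p-2", "/tmp/update.sh", "", "", "create"))
    # This connection row has an empty incident_id; it is selected purely through its process_uuid.
    con.execute("INSERT INTO connections VALUES (?, ?, ?, ?, ?)",
                ("", 300, "p-1", "203.0.113.5", 8443))
    return con


def incident_timeline(con, incident_id):
    """Return the incident's events oldest first; each tuple starts with the event kind."""
    return con.execute(TIMELINE_SQL, (incident_id,)).fetchall()


def describe(rows):
    """Render timeline rows as one short line each, choosing the columns that the row's kind fills."""
    lines = []
    for (kind, incident, ts, uuid, dsthost, dstport, progargs, progname,
         priority, policy_type, strategy, path, container_id, source_path, file_event_path) in rows:
        if kind == "connection":
            detail = f"{dsthost}:{dstport}"
        elif kind == "shell_command":
            detail = f"{progname} {progargs}"
        elif kind == "alert":
            detail = f"{priority}/{policy_type}/{strategy}"
        else:
            detail = f"{file_event_path} {path}"
        lines.append(f"{ts:>6} {kind:<14} {uuid:<5} {detail}")
    return lines


if __name__ == "__main__":
    db = build_sample_db()
    print("\n".join(describe(incident_timeline(db, SAMPLE_INCIDENT))))
```

Running the block prints the four events of inc-0001 in timestamp order (alert, shell command, file event, connection) and leaves out the /bin/ls row, whose process belongs to inc-0002. Binding the incident ID with a parameter placeholder, rather than editing it into the query text, is the habit to carry over to whatever client you run the real query from.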