It is sometimes useful to analyze process activity that is not part of the same incident. Querying the process activity around the time of the incident can reveal other malicious activity or the extent of the damage.
Required Tables
- process_events
Input Fields
Each Capsule8 Alert is assigned an incident_id indicating which Incident the Alert belongs to. Substitute that incident ID for the <INCIDENT ID FROM CAPSULE8 ALERT> placeholder in the query below.
Returned Fields
Field | Description
process_events.* | Full process events for 10 minutes before and after an event
Query
-- Find every process involved in the incident, with the timestamps of its
-- earliest and latest incident events, then return all events from those
-- same processes within 10 minutes either side of that span.
-- The original LEFT JOIN plus a WHERE process_c8id=incident.c8id predicate
-- behaves as an inner join, so it is written as one here.
SELECT *
FROM process_events
JOIN
  (SELECT MAX(unix_nano_timestamp) AS max_incident_time,
          MIN(unix_nano_timestamp) AS min_incident_time,
          process_c8id AS c8id
   FROM process_events
   WHERE incident_id = '<INCIDENT ID FROM CAPSULE8 ALERT>'
   GROUP BY process_c8id) AS incident
  ON process_events.process_c8id = incident.c8id
-- 10 minutes in nanoseconds as an integer literal: 1e9 is a floating-point
-- literal, and nanosecond epoch values are larger than a double represents
-- exactly, so keep the comparison in integer arithmetic.
WHERE process_events.unix_nano_timestamp < incident.max_incident_time + (10 * 60 * 1000000000)
  AND process_events.unix_nano_timestamp > incident.min_incident_time - (10 * 60 * 1000000000)
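To see what the window does on concrete data, here is an added Python example (not part of the Capsule8 documentation) that loads constructed process_events rows into an in-memory SQLite table and runs the same query, binding the incident ID as a parameter rather than pasting it into the SQL text. The column names process_c8id, incident_id and unix_nano_timestamp match the query above; the program column, the incident IDs and every row value are constructed for illustration.

```python
import sqlite3

# One minute and the query's ten-minute window, both in nanoseconds (integers).
MINUTE_NS = 60 * 1_000_000_000
WINDOW_NS = 10 * MINUTE_NS

# Constructed base timestamp (nanoseconds since the epoch); offsets below are in minutes.
T0 = 1_600_000_000_000_000_000

# Constructed sample rows: (process_c8id, incident_id, unix_nano_timestamp, program).
SAMPLE_EVENTS = [
    ("proc-A", "inc-1", T0 + 30 * MINUTE_NS, "/bin/sh"),        # incident's earliest event
    ("proc-A", "inc-1", T0 + 35 * MINUTE_NS, "/usr/bin/curl"),  # incident's latest event
    ("proc-A", None,    T0 + 22 * MINUTE_NS, "/usr/bin/id"),    # 8 min before: inside window
    ("proc-A", None,    T0 + 44 * MINUTE_NS, "/bin/ls"),        # 9 min after: inside window
    ("proc-A", None,    T0 + 10 * MINUTE_NS, "/bin/bash"),      # 20 min before: outside window
    ("proc-A", None,    T0 + 50 * MINUTE_NS, "/bin/cat"),       # 15 min after: outside window
    ("proc-B", "inc-2", T0 + 31 * MINUTE_NS, "/usr/bin/nc"),    # different incident and process
    ("proc-C", None,    T0 + 32 * MINUTE_NS, "/usr/bin/vi"),    # same time, unrelated process
]

# The page's query with the incident ID and window as bound parameters.
QUERY = """
SELECT process_events.process_c8id,
       process_events.unix_nano_timestamp,
       process_events.program
FROM process_events
JOIN (SELECT MAX(unix_nano_timestamp) AS max_incident_time,
             MIN(unix_nano_timestamp) AS min_incident_time,
             process_c8id AS c8id
      FROM process_events
      WHERE incident_id = ?
      GROUP BY process_c8id) AS incident
  ON process_events.process_c8id = incident.c8id
WHERE process_events.unix_nano_timestamp < incident.max_incident_time + ?
  AND process_events.unix_nano_timestamp > incident.min_incident_time - ?
ORDER BY process_events.unix_nano_timestamp
"""


def build_db():
    """Create an in-memory process_events table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE process_events ("
        "process_c8id TEXT, incident_id TEXT, unix_nano_timestamp INTEGER, program TEXT)"
    )
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


def events_around_incident(conn, incident_id, window_ns=WINDOW_NS):
    """Run the query and return (process_c8id, minutes after T0, program) per matching row."""
    rows = conn.execute(QUERY, (incident_id, window_ns, window_ns)).fetchall()
    return [(c8id, (ts - T0) // MINUTE_NS, prog) for c8id, ts, prog in rows]


if __name__ == "__main__":
    for row in events_around_incident(build_db(), "inc-1"):
        print(row)
```

Only proc-A's events between 20 and 45 minutes after T0 come back: the window is anchored on the incident's earliest and latest events, so it spans the whole incident plus ten minutes on each side, and events from unrelated processes at the same moment are excluded by the join on process_c8id.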