Using Capsule8's process event data, you can list which users opened interactive shells on which hosts and when. Reviewing that list for unusual combinations (a user on a host they never touch, activity outside their normal hours, a service account with a shell at all) can surface a compromised account before other alerts fire. Note that the query keys on InteractiveShell alerts, not on authentication events: it reports shells attributed to a user, so it is a complement to, not a replacement for, sshd or PAM logs.
Required Tables
- process_events
- sensors
- alerts
Returned Fields
| Field | Description |
| --- | --- |
| dt | The datetime of the alert |
| sensors.hostname | The host name of the sensor that raised the alert |
| process_events.username | The user that owns the process that triggered the alert |
Query
-- unix_nano_timestamp is in nanoseconds; divide by 1e9 to get epoch seconds
SELECT FROM_UNIXTIME(alerts.unix_nano_timestamp/1e9) as dt,
sensors.hostname,
process_events.username
FROM alerts
-- LEFT JOIN keeps alerts whose sensor row is missing (hostname will be NULL)
LEFT JOIN sensors ON sensors.sensor_id = alerts.sensor_id
LEFT JOIN (
-- a process emits several events; collapse them to one row per
-- (process, username) so each alert is returned once
SELECT
process_c8id,
username
FROM process_events
GROUP BY username, process_c8id
) as process_events ON alerts.process_c8id=process_events.process_c8id
WHERE alerts.policy_type = 'InteractiveShell'
ORDER BY dt
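The following is an added example, not part of this article and not Capsule8 code. It loads constructed sample rows into in-memory SQLite tables named after the schema above (alerts, sensors, process_events), runs the same login query in SQLite dialect (datetime(..., 'unixepoch') in place of FROM_UNIXTIME), and then applies two simple heuristics for the "abnormal usage" review the article describes: user/host pairs never seen during a baseline window, and shells opened outside working hours. The sample data, the column types, and both heuristics are this example's own assumptions.

```python
"""Interactive-shell login review on Capsule8-style tables (added example).

Constructed sample data in SQLite; table and column names follow the
article, everything else is an assumption made for this example.
"""
import sqlite3

NS_PER_SEC = 1_000_000_000
DAY_NS = 86_400 * NS_PER_SEC
BASE_NS = 1_600_041_600 * NS_PER_SEC  # 2020-09-14T00:00:00Z, constructed

SCHEMA = """
CREATE TABLE sensors (sensor_id TEXT PRIMARY KEY, hostname TEXT NOT NULL);
CREATE TABLE process_events (process_c8id TEXT NOT NULL, username TEXT NOT NULL,
                             unix_nano_timestamp INTEGER NOT NULL);
CREATE TABLE alerts (sensor_id TEXT NOT NULL, process_c8id TEXT NOT NULL,
                     policy_type TEXT NOT NULL, unix_nano_timestamp INTEGER NOT NULL);
"""

# (day offset, hour of day, sensor_id, username, policy_type): constructed
# activity. alice and bob each have a routine; on day 7 alice gets a shell
# on db-1 at 03:00, a host she has never used, outside working hours.
SAMPLE_ACTIVITY = (
    [(d, 10, "s1", "alice", "InteractiveShell") for d in range(7)]
    + [(d, 14, "s2", "bob", "InteractiveShell") for d in range(7)]
    + [(7, 10, "s1", "alice", "InteractiveShell"),
       (7, 3, "s2", "alice", "InteractiveShell"),
       (7, 14, "s2", "bob", "InteractiveShell"),
       (7, 11, "s1", "carol", "FileIntegrity")]  # not a shell: filtered out
)

# The article's query in SQLite dialect; the raw timestamp is kept so the
# later queries can window on it without re-parsing dt.
LOGIN_QUERY = """
SELECT datetime(alerts.unix_nano_timestamp / 1e9, 'unixepoch') AS dt,
       alerts.unix_nano_timestamp AS ts_ns,
       sensors.hostname,
       pe.username
FROM alerts
LEFT JOIN sensors ON sensors.sensor_id = alerts.sensor_id
LEFT JOIN (
    -- one row per (process, user): a process emits several events
    SELECT process_c8id, username
    FROM process_events
    GROUP BY username, process_c8id
) AS pe ON alerts.process_c8id = pe.process_c8id
WHERE alerts.policy_type = 'InteractiveShell'
"""


def build_sample_db():
    """Create the three tables in memory and fill them with SAMPLE_ACTIVITY."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensors VALUES (?, ?)",
                     [("s1", "web-1"), ("s2", "db-1")])
    for i, (day, hour, sensor, user, policy) in enumerate(SAMPLE_ACTIVITY):
        ts = BASE_NS + day * DAY_NS + hour * 3600 * NS_PER_SEC
        c8id = f"proc-{i}"
        # Two events per process (e.g. fork and exec) with the same username:
        # the GROUP BY in the subquery is what stops each alert doubling.
        conn.executemany("INSERT INTO process_events VALUES (?, ?, ?)",
                         [(c8id, user, ts - 1_000), (c8id, user, ts)])
        conn.execute("INSERT INTO alerts VALUES (?, ?, ?, ?)",
                     (sensor, c8id, policy, ts))
    conn.commit()
    return conn


def interactive_shell_logins(conn):
    """(dt, hostname, username) for every interactive-shell alert, oldest first."""
    rows = conn.execute(LOGIN_QUERY + " ORDER BY alerts.unix_nano_timestamp")
    return [(dt, host, user) for dt, _ts, host, user in rows]


def new_user_host_logins(conn, cutoff_ns):
    """Logins at or after cutoff_ns whose (user, host) pair never appeared before it."""
    sql = f"""
    WITH logins AS ({LOGIN_QUERY})
    SELECT recent.dt, recent.hostname, recent.username
    FROM logins AS recent
    WHERE recent.ts_ns >= :cutoff
      AND NOT EXISTS (
          SELECT 1 FROM logins AS baseline
          WHERE baseline.ts_ns < :cutoff
            AND baseline.hostname = recent.hostname
            AND baseline.username = recent.username)
    ORDER BY recent.ts_ns
    """
    return conn.execute(sql, {"cutoff": cutoff_ns}).fetchall()


def off_hours_logins(conn, start_hour=8, end_hour=18):
    """Logins whose UTC hour falls outside [start_hour, end_hour)."""
    sql = f"""
    WITH logins AS ({LOGIN_QUERY})
    SELECT dt, hostname, username FROM logins
    WHERE CAST(strftime('%H', dt) AS INTEGER) NOT BETWEEN :start AND :end - 1
    ORDER BY ts_ns
    """
    return conn.execute(sql, {"start": start_hour, "end": end_hour}).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in new_user_host_logins(db, BASE_NS + 7 * DAY_NS):
        print("new user/host pair:", row)
    for row in off_hours_logins(db):
        print("off-hours login:", row)
```

Both heuristics run entirely in SQL over the output of the login query, so on a real deployment they can be pasted into the same query engine as the article's query with a baseline cutoff of, say, 30 days; the Python wrapper exists only to make the example runnable offline. Hours are compared in UTC, so adjust the window per host or per team if the fleet spans time zones.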