It is sometimes useful to analyze the parent processes that created the process which triggered an incident. Querying the parent's process activity around the time of the incident can uncover other malicious activity, or show how far the damage extends.
Each Capsule8 alert carries an incident_id indicating which incident the alert is part of. Substitute that incident ID for the <INCIDENT ID FROM CAPSULE8 ALERT> placeholder in the query below.
Any parent process events from 10 minutes before to 10 minutes after the incident:

-- Inner query: for each parent of a process in the incident, find the earliest
-- and latest incident event that parent is responsible for.
-- Outer query: return every process_events row belonging to those parents that
-- falls within +/- 10 minutes of that span. The two (10*60*1e9) terms are the
-- window width in nanoseconds; change both to widen or narrow it.
SELECT *
FROM process_events
JOIN (
    SELECT MAX(unix_nano_timestamp) AS max_incident_time,
           MIN(unix_nano_timestamp) AS min_incident_time,
           parent_process_c8id      AS c8id
    FROM process_events
    WHERE incident_id = '<INCIDENT ID FROM CAPSULE8 ALERT>'
    GROUP BY parent_process_c8id
) AS incident ON process_events.process_c8id = incident.c8id
WHERE unix_nano_timestamp < incident.max_incident_time + (10*60*1e9)
  AND unix_nano_timestamp > incident.min_incident_time - (10*60*1e9)

The window is measured from the earliest and latest incident events attributed to each parent, not from the parent's own lifetime. A long-lived parent such as a login shell or a daemon may have started well before the window, so its exec event will not appear unless you widen the window. The query also walks only one level up the process tree; to continue upward, query process_events for the parent_process_c8id values found in the rows it returns.
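As an added example that is not part of the Capsule8 documentation, the following Python script loads a handful of constructed process_events rows into an in-memory SQLite database and runs the same pivot query against them, so you can see exactly which parent events the window picks up. The column names process_c8id, parent_process_c8id, unix_nano_timestamp and incident_id are taken from the query above; event_type and program_name are assumed columns added for readability, and every c8id value, timestamp and incident ID is made up.

```python
import sqlite3

NS = 10**9                       # nanoseconds per second
T0 = 1_600_000_000 * NS          # constructed base timestamp (ns since epoch)

# Constructed sample rows. process_c8id, parent_process_c8id,
# unix_nano_timestamp and incident_id are the column names used by the
# article's query; event_type and program_name are assumed extra columns.
# "P-shell" spawned the two incident processes C-curl and C-chmod.
SAMPLE_EVENTS = [
    # unix_nano_timestamp, process_c8id, parent_process_c8id, event_type, program_name, incident_id
    (T0 - 1200 * NS, "P-shell", "P-init",  "exec", "/bin/bash",      None),       # 20 min before: outside window
    (T0 -  120 * NS, "P-shell", "P-init",  "fork", "/bin/bash",      None),       # 2 min before: inside
    (T0,             "C-curl",  "P-shell", "exec", "/usr/bin/curl",  "inc-123"),  # incident events
    (T0 +   60 * NS, "C-chmod", "P-shell", "exec", "/bin/chmod",     "inc-123"),
    (T0 +  300 * NS, "P-shell", "P-init",  "fork", "/bin/bash",      None),       # 5 min after: inside
    (T0 + 1800 * NS, "P-shell", "P-init",  "exit", "/bin/bash",      None),       # 30 min after: outside
    (T0,             "Q-cron",  "P-init",  "exec", "/usr/sbin/cron", None),       # not a parent: never returned
    (T0 -   90 * NS, "P-other", "P-init",  "fork", "/bin/sh",        None),       # parent of a different incident
    (T0 -   60 * NS, "C-nc",    "P-other", "exec", "/bin/nc",        "inc-999"),
]

# Same shape as the article's query, with the incident id and the window
# width bound as parameters instead of pasted into the query text.
PARENT_WINDOW_QUERY = """
SELECT process_events.unix_nano_timestamp,
       process_events.process_c8id,
       process_events.event_type,
       process_events.program_name
FROM process_events
JOIN (
    SELECT MAX(unix_nano_timestamp) AS max_incident_time,
           MIN(unix_nano_timestamp) AS min_incident_time,
           parent_process_c8id      AS c8id
    FROM process_events
    WHERE incident_id = :incident_id
    GROUP BY parent_process_c8id
) AS incident ON process_events.process_c8id = incident.c8id
WHERE process_events.unix_nano_timestamp < incident.max_incident_time + :window_ns
  AND process_events.unix_nano_timestamp > incident.min_incident_time - :window_ns
ORDER BY process_events.unix_nano_timestamp
"""


def load_sample_db() -> sqlite3.Connection:
    """Create an in-memory process_events table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE process_events (
               unix_nano_timestamp INTEGER NOT NULL,
               process_c8id        TEXT    NOT NULL,
               parent_process_c8id TEXT,
               event_type          TEXT,
               program_name        TEXT,
               incident_id         TEXT)"""
    )
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


def parent_events_around_incident(conn, incident_id, minutes=10):
    """Return (timestamp, process_c8id, event_type, program_name) for every event
    of the incident's parent processes within +/- `minutes` of the incident span."""
    params = {"incident_id": incident_id, "window_ns": minutes * 60 * NS}
    return conn.execute(PARENT_WINDOW_QUERY, params).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    for ts, c8id, kind, prog in parent_events_around_incident(db, "inc-123"):
        offset_s = (ts - T0) / NS
        print(f"{offset_s:+8.0f}s  {c8id:8s} {kind:5s} {prog}")
```

With the default 10-minute window the query returns only the two fork events of P-shell; the shell's own exec, 20 minutes earlier, and its exit, 30 minutes later, fall outside the window and only show up once you pass a larger `minutes` value. This is the case to keep in mind when the parent is a long-lived shell or daemon rather than a short-lived dropper.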