It is sometimes useful to analyze the child processes spawned by a process that triggered an incident. Querying the children's process activity around the time of the incident can reveal other malicious activity, or show the extent of the damage.
Required Tables
- process_events
Input Fields
Each Capsule8 Alert carries an incident_id indicating which Incident the Alert belongs to. Replace the <INCIDENT ID FROM CAPSULE8 ALERT> placeholder in the query below with that incident ID (keep the surrounding quotes).
Returned Fields
process_events.* | All events generated by the child processes, from 10 minutes before the incident to 10 minutes after it
Query
-- Events generated by the child processes of the incident's processes,
-- within 10 minutes either side of the incident's time span.
SELECT process_events.*
FROM process_events
-- One row per child process referenced by the incident's events, with the
-- earliest and latest incident timestamps that reference that child.
-- (The original used LEFT JOIN plus an equality test in WHERE, which is an
-- inner join in effect; INNER JOIN states that directly.)
INNER JOIN
  (SELECT MAX(unix_nano_timestamp) AS max_incident_time,
          MIN(unix_nano_timestamp) AS min_incident_time,
          child_process_c8id AS c8id
   FROM process_events
   WHERE incident_id = '<INCIDENT ID FROM CAPSULE8 ALERT>'
   GROUP BY child_process_c8id) AS incident
  ON process_events.process_c8id = incident.c8id
-- Timestamps are nanoseconds since the epoch; 10 minutes = 10*60*1000000000 ns.
WHERE process_events.unix_nano_timestamp < incident.max_incident_time + (10*60*1000000000)
  AND process_events.unix_nano_timestamp > incident.min_incident_time - (10*60*1000000000)
ORDER BY process_events.unix_nano_timestamp
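The query above returns every raw event, which can be a lot of rows for a noisy incident. As an added example (not part of the original article), the following variant applies the same child-process join and time window but collapses the result to one row per child, giving event counts and first/last activity times so the most active children can be triaged first. It uses only the process_events columns named on this page and assumes the query backend accepts a subquery in FROM and standard GROUP BY semantics; the placeholder is the same incident ID.

```sql
-- Added example: per-child summary of activity around the incident.
-- Assumes the same process_events schema as the query above.
SELECT incident.c8id AS child_process_c8id,
       COUNT(*) AS event_count,
       MIN(process_events.unix_nano_timestamp) AS first_event_ns,
       MAX(process_events.unix_nano_timestamp) AS last_event_ns,
       -- how far the child's activity extends past the incident's last event
       MAX(process_events.unix_nano_timestamp) - incident.max_incident_time AS ns_after_incident
FROM process_events
INNER JOIN
  (SELECT MAX(unix_nano_timestamp) AS max_incident_time,
          MIN(unix_nano_timestamp) AS min_incident_time,
          child_process_c8id AS c8id
   FROM process_events
   WHERE incident_id = '<INCIDENT ID FROM CAPSULE8 ALERT>'
   GROUP BY child_process_c8id) AS incident
  ON process_events.process_c8id = incident.c8id
-- Same +/- 10 minute window as the full query (nanosecond timestamps).
WHERE process_events.unix_nano_timestamp < incident.max_incident_time + (10*60*1000000000)
  AND process_events.unix_nano_timestamp > incident.min_incident_time - (10*60*1000000000)
-- max_incident_time is fixed per c8id (one subquery row per child), so it can
-- be grouped alongside the child ID without changing the grouping.
GROUP BY incident.c8id, incident.max_incident_time
ORDER BY event_count DESC
```

A large positive ns_after_incident for a child means it kept running well after the incident's last event, which is a good reason to pull that child's full event rows with the query above and widen the window if its activity runs past the 10 minute cutoff.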