T1049
Required Tables
Returned Fields
| timestamp |
timestamp date value in the string format |
| path |
process event path |
| username |
username who triggered process event |
| process_c8id |
unique UUID assigned by Capsule8 to the created process |
Query
SELECT
FROM_UNIXTIME(unix_nano_timestamp/1e9),
path,
username,
process_c8id
FROM process_events
WHERE (
path LIKE '%netstat'
OR path LIKE '%ss'
OR path LIKE '%lsof'
OR path LIKE '%last'
OR path LIKE '%w'
OR path LIKE '%ngrep'
OR path LIKE '%netwatch'
OR path LIKE '%tcpdump'
OR path LIKE '%iftop'
OR path LIKE '%iptraf'
OR path LIKE '%who'
)
Comments
0 comments
Please sign in to leave a comment.