CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

FEATURE: Add new SOC action to show process ancestry #12345

Browse Source
This commit is contained in:
Doug Burks
2024-02-12 19:18:29 -05:00
committed by GitHub
parent 20d2f3b97e
commit 0ad39a7e32
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
salt/soc/defaults.yaml
View File

@@ -65,6 +65,12 @@ soc:
target: _blank
links:
- 'https://{:sublime.url}/messages/{:sublime.message_group_id}'
- name: actionProcessAncestors
description: actionProcessAncestorsHelp
icon: fa-people-roof
target: ''
links:
- '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby event.module event.dataset | table soc_timestamp event.dataset user.name process.executable process.command_line process.working_directory'
eventFields:
default:
- soc_timestamp