FEATURE: Add new SOC action to show process ancestry #12345

Security-Onion-Solutions · Feb 13, 2024 · 0ad39a7 · 0ad39a7
1 parent 20d2f3b
commit 0ad39a7
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
@@ -65,6 +65,12 @@ soc:
         target: _blank
         links:
           - 'https://{:sublime.url}/messages/{:sublime.message_group_id}' 
+      - name: actionProcessAncestors
+        description: actionProcessAncestorsHelp
+        icon: fa-people-roof
+        target: ''
+        links:
+          - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby event.module event.dataset | table soc_timestamp event.dataset user.name process.executable process.command_line process.working_directory'
     eventFields:
       default:
         - soc_timestamp