From de18bf06c3d786ca2ce03e81c1603fb851a555ca Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Tue, 18 Jun 2024 10:36:41 -0400
Subject: [PATCH] FEATURE: Add new Process actions #13226
---
salt/soc/defaults.yaml | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 7bfb4aa991..cf996a2137 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -78,6 +78,18 @@ soc:
 target: ''
 links:
 - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path'
+ - name: actionProcessChildInfo
+ description: actionProcessChildInfoHelp
+ icon: fa-users-line
+ target: ''
+ links:
+ - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.parent.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path'
+ - name: actionProcessAllInfo
+ description: actionProcessAllInfoHelp
+ icon: fa-users-between-lines
+ target: ''
+ links:
+ - '/#/hunt?q=({:process.entity_id}) | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path'
 - name: actionRelatedAlerts
 description: actionRelatedAlertsHelp
 icon: fa-bell
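Review bot: The actionProcessAllInfo link drops both the field qualifier and the double quotes that the two neighbouring actions put around the substituted entity id, so `q=({:process.entity_id})` becomes a bare, unscoped free-text term; unless the action framework escapes substituted values, any query-syntax character in the id (whitespace, `:`, `|`, a leading `-`) would alter the query instead of being searched for. If searching every field is the intent (to catch the id wherever it appears, e.g. in parent or ancestry fields), keeping the quotes still makes the value a single phrase and matches the sibling actions: `- '/#/hunt?q=("{:process.entity_id}") | groupby event.dataset | …'`. A short comment above the entry stating that the unqualified query is deliberate, e.g. `# unqualified on purpose: match the entity id in any field`, would also stop a later reader "fixing" it to a process.entity_id: filter. The enclosing actions list starts above this hunk, and the actionProcessChildInfoHelp / actionProcessAllInfoHelp description keys are presumably defined in a translation file not included in this patch.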
@@ -2314,4 +2326,4 @@ soc:
 CommandLine|contains|windash:
 - ' -priv'
 condition: all of selection_*
- level: 'high' # info | low | medium | high | critical
\ No newline at end of file
+ level: 'high' # info | low | medium | high | critical