Splunk Enterprise Security

Compare if field1 == field2 and if field2 = field3 and so on. Building a process tree.

garciarx
New Member

I'm trying to follow a process to see all of the child processes it created.

Essentially I have events that have the following fields:

process=bad.exe ----------| parent_pid=1111 | child_pid=2222
process=cmd.exe ----------| parent_pid=2222 | child_pid=3333
process=wmic.exe ---------| parent_pid=3333 | child_pid=4444
process=ipconfig.exe ------| parent_pid=3333 | child_pid=5555
process=powershell.exe --| parent_pid=3333 | child_pid=6666
process=custom.csproj ----| parent_pid=6666 | child_pid=7777
etc...

I'm able to match the parent and child relation, but nothing past that, with something like this.

index=blah 
| eval parent_pid=case(match(process,"(?i).*bad\.exe"), child) 
| eval child_pid=case(match(process,"(?i).*cmd\.exe"), parent) 
| eval pid=coalesce(parent_pid,child_pid) 
| stats values(process) as proc values(command) as cmd by hostname pid

I always want to see bad.exe spawning a cmd.exe, and I want to see everything that cmd.exe spawned after that.

--> bad.exe = parent
-----> cmd.exe = child
--------> any.exe = grandchild
-----------> (if possible) any.exe = great-grandchild

The closest I got is this, but it's not quite there:

| eval pid_a=case(match(process,"(?i).*bad\.exe"), child) 
| eval pid_b=case(match(process,"(?i).*cmd\.exe"), parent)
| eval pid1=coalesce(pid_b,pid_a)
| eval pid_c=case(match(process,"(?i).*cmd\.exe"), pid_b)
| eval pid_d=case(match(process,"(?i).*.exe"), child)
| eval pid2=coalesce(pid_c,pid_d)
| eval grandchild=case(match(pid_d,"(?i).*"), process)

Any help will be much appreciated.
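Outside of SPL, the relationship described in this post is a recursive walk over parent_pid/child_pid pairs, which a per-event eval cannot express. The following is an added example, not code from the post, run over constructed events that mirror the post's fields; the explorer.exe row is an added unrelated process to show it is excluded, and the pid-reuse guard is an assumption about real telemetry.

```python
from collections import defaultdict

# Constructed events mirroring the fields in the post (not real telemetry).
# child_pid is the pid of the process itself; parent_pid is the pid that spawned it.
EVENTS = [
    {"process": "bad.exe",        "parent_pid": 1111, "child_pid": 2222},
    {"process": "cmd.exe",        "parent_pid": 2222, "child_pid": 3333},
    {"process": "wmic.exe",       "parent_pid": 3333, "child_pid": 4444},
    {"process": "ipconfig.exe",   "parent_pid": 3333, "child_pid": 5555},
    {"process": "powershell.exe", "parent_pid": 3333, "child_pid": 6666},
    {"process": "custom.csproj",  "parent_pid": 6666, "child_pid": 7777},
    # Unrelated process (constructed): must not appear under bad.exe.
    {"process": "explorer.exe",   "parent_pid": 1,    "child_pid": 9999},
]


def build_children_index(events):
    """Map parent_pid -> list of events spawned by that pid."""
    index = defaultdict(list)
    for ev in events:
        index[ev["parent_pid"]].append(ev)
    return index


def process_tree(events, root_name):
    """Return (depth, process, pid) rows for every process named root_name
    and all of its descendants, depth-first, any number of generations deep."""
    index = build_children_index(events)
    rows = []
    seen = set()  # assumption: guard against pid reuse producing a cycle

    def walk(ev, depth):
        pid = ev["child_pid"]
        if pid in seen:
            return
        seen.add(pid)
        rows.append((depth, ev["process"], pid))
        for child in sorted(index.get(pid, []), key=lambda e: e["child_pid"]):
            walk(child, depth + 1)

    for ev in events:
        if ev["process"].lower() == root_name.lower():
            walk(ev, 0)
    return rows


def render(rows):
    """Indent each row by its depth so the tree reads like the sketch above."""
    return "\n".join(f"{'    ' * depth}{name} (pid {pid})" for depth, name, pid in rows)


if __name__ == "__main__":
    print(render(process_tree(EVENTS, "bad.exe")))
```

Depth 0 is the parent, 1 the child, 2 the grandchildren and 3 the great-grandchild from the post's sketch.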
