laurel
laurel copied to clipboard
Published
20 hours ago •
threathunters-io
threathunters-io
Generalize PARENT_INFO for context info about other processes
Process information should not only be included for SYSCALL.ppid but also for
-
OBJ_PID.opid -
SYSCALL.pid, not duplicatingexeandcomm, only including the generating messge id -
pidas part of other records
It would make sense to expand on the idea that enriched values just use the capitalized name of the original name. So, the translation of opid=1234 should just be stored in the OBJ_PID line and be translated to
"OPID": {
"exe":"/bin/bash",
"comm":"bash",
"ppid": 1201,
"id":"1663542662.123748:45232"
}
