08-14-2023 02:24 PM
Hello dear community,
I would like to have a list of processes which were not started/launched in the past XX days. I think it would be nice to know, which processes are brand new etc.
Will this work with XQL and how?
BR
Rob
08-15-2023 11:56 AM
Hi RFeyertag,
Thanks for reaching out to our live community.
We are looking into your inquiry and doing some research to provide you with the best possible response.
Could you please elaborate a bit more? What is the use case for your inquiry?
Please provide as many details as possible, as there might be a better approach to gathering the information you are looking for.
08-15-2023 01:40 PM
Hello @mavega,
This would help us in the part "malware flew under the radar". We also see the rare processes in the company and can investigate deeper, if we want.
Thanks for your research!
BR
Rob
08-16-2023 11:42 AM
Hi RFeyertag,
We are still looking into this one, not sure Cortex works that way, but if you have Host Insight add-on maybe you can try the below script, it might not provide the non running processes but it will show the state of them and you might be able to sort them out (script is for 30 days but you can change it):
preset = host_inventory_services
// flag services whose last inventory report is 30 days old or older (change 30 to the window you need)
| alter More_Than_30D = if((timestamp_diff(current_time(), report_timestamp, "day") >= 30), "True", "False")
| filter (More_Than_30D != """False""")
// keep only services that are not currently started
| filter started = "false"
| fields service_name, report_timestamp, More_Than_30D, service_state, service_type, endpoint_name, started
| dedup service_name
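The thread is after two lists: processes that are brand new in the environment (first start within the last N days) and processes that have not started at all in the last N days, with low prevalence across endpoints as the "rare process" triage signal. The following Python is an added illustration of that first-seen / last-seen baseline logic; it is not Cortex XDR code and not an XQL feature, and the process-start events, hostnames and the fixed reference time are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample process-start events (hypothetical, not from any real tenant).
# Each tuple: (UTC timestamp, endpoint hostname, process image name)
EVENTS = [
    ("2023-07-01T08:00:00Z", "ws-01", "outlook.exe"),
    ("2023-07-20T09:10:00Z", "ws-02", "outlook.exe"),
    ("2023-08-14T07:30:00Z", "ws-03", "outlook.exe"),
    ("2023-06-30T12:00:00Z", "ws-01", "legacytool.exe"),
    ("2023-07-02T12:00:00Z", "ws-01", "legacytool.exe"),
    ("2023-08-13T22:15:00Z", "ws-07", "svchost_update.exe"),
    ("2023-08-14T01:02:00Z", "ws-07", "svchost_update.exe"),
    ("2023-08-10T10:00:00Z", "ws-02", "chrome.exe"),
    ("2023-07-15T10:00:00Z", "ws-04", "chrome.exe"),
]

# Fixed reference time (assumption) so the results are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2023, 8, 15, 12, 0, tzinfo=timezone.utc)


def parse_ts(ts: str) -> datetime:
    """Parse the constructed ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events):
    """Per process image: first start, last start, number of starts, distinct endpoints.

    This is the per-image aggregate a 'comp min/max/count by image' query would produce.
    """
    stats = {}
    for ts, host, image in events:
        t = parse_ts(ts)
        s = stats.setdefault(image, {"first_seen": t, "last_seen": t, "starts": 0, "hosts": set()})
        s["first_seen"] = min(s["first_seen"], t)
        s["last_seen"] = max(s["last_seen"], t)
        s["starts"] += 1
        s["hosts"].add(host)
    return stats


def new_processes(stats, days, now=NOW):
    """Images whose very first start falls inside the last `days` days ("brand new")."""
    cutoff = now - timedelta(days=days)
    return sorted(img for img, s in stats.items() if s["first_seen"] >= cutoff)


def stale_processes(stats, days, now=NOW):
    """Images seen earlier in the data but not started at all in the last `days` days.

    Note the caveat from the thread: an image can only be reported as 'not started'
    if the retained telemetry still covers the period when it last ran.
    """
    cutoff = now - timedelta(days=days)
    return sorted(img for img, s in stats.items() if s["last_seen"] < cutoff)


def rare_processes(stats, max_hosts=1):
    """Images that ran on at most `max_hosts` endpoints; low prevalence is a triage hint, not a verdict."""
    return sorted(img for img, s in stats.items() if len(s["hosts"]) <= max_hosts)


if __name__ == "__main__":
    baseline = build_baseline(EVENTS)
    print("new in last 7 days:   ", new_processes(baseline, 7))
    print("not started in 30 days:", stale_processes(baseline, 30))
    print("seen on <= 1 endpoint: ", rare_processes(baseline))
```

The three lists answer different questions and are best reviewed together: a brand-new image that is also low-prevalence is the case most worth a closer look, while an image that simply stopped appearing may just have been retired. Whatever window N you pick, it must be shorter than the retention of the data you aggregate over, otherwise "not started in N days" and "no telemetry kept" become indistinguishable.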