This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

XQL - Process Tree Analysis - Join Statements

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

XQL - Process Tree Analysis - Join Statements

Go to solution
AvesterFahimipour
L1 Bithead

‎02-12-2024 04:49 AM

Hello,
I am currently trying to create a five depth process tree to perform long tail analysis on it.
The query in KQL language can be found here

The moment I perform the first join statement everything breaks
Here is the almost complete code but you can just test the first join.

 


dataset = xdr_data 
| filter event_type = ENUM.PROCESS 
| fields agent_hostname , agent_id ,
action_process_image_name as InitiatingProcessG3ParentFileName,action_process_image_sha256 as InitiatingProcessG3ParentSHA256 ,action_process_os_pid as InitiatingProcessG3ParentId, action_process_image_command_line as InitiatingProcessG3ParentCommandLine ,action_process_instance_execution_time as InitiatingProcessG3ParentCreationTime, actor_process_image_name as InitiatingProcessG4ParentFileName,actor_process_image_sha256 as InitiatingProcessG4ParentSHA256,actor_process_os_pid as InitiatingProcessG4ParentId,actor_process_command_line as InitiatingProcessG4ParentCommandLine, actor_process_execution_time as InitiatingProcessG4ParentCreationTime
| join type = left (dataset = xdr_data 
| filter event_type = ENUM.PROCESS 
| fields agent_id ,action_process_image_name as InitiatingProcessG2ParentFileName,action_process_image_sha256 as InitiatingProcessG2ParentSHA256 ,
action_process_os_pid as InitiatingProcessG2ParentId, action_process_image_command_line as InitiatingProcessG2ParentCommandLine ,
action_process_instance_execution_time as InitiatingProcessG2ParentCreationTime, actor_process_image_name as InitiatingProcessG3ParentFileName,
actor_process_image_sha256 as InitiatingProcessG3ParentSHA256,actor_process_os_pid as InitiatingProcessG3ParentId,actor_process_command_line as InitiatingProcessG3ParentCommandLine,
actor_process_execution_time as InitiatingProcessG3ParentCreationTime
) as G3 G3.agent_id = agent_id and g3.InitiatingProcessG3ParentFileName = InitiatingProcessG3ParentFileName and G3.InitiatingProcessG3ParentId = InitiatingProcessG3ParentId and G3.InitiatingProcessG3ParentCreationTime = InitiatingProcessG3ParentCreationTime 
| join type = left (dataset = xdr_data 
| filter event_type = ENUM.PROCESS 
| fields agent_id ,action_process_image_name as InitiatingProcessG1ParentFileName,action_process_image_sha256 as InitiatingProcessG1ParentSHA256 ,
action_process_os_pid as InitiatingProcessG1ParentId, action_process_image_command_line as InitiatingProcessG1ParentCommandLine ,
action_process_instance_execution_time as InitiatingProcessG1ParentCreationTime, actor_process_image_name as InitiatingProcessG2ParentFileName,
actor_process_image_sha256 as InitiatingProcessG2ParentSHA256,actor_process_os_pid as InitiatingProcessG2ParentId,actor_process_command_line as InitiatingProcessG2ParentCommandLine,
actor_process_execution_time as InitiatingProcessG2ParentCreationTime
) as G2 g2.agent_id = agent_id and g2.InitiatingProcessG2ParentFileName = InitiatingProcessG2ParentFileName and g2.InitiatingProcessG2ParentId = InitiatingProcessG2ParentId and g2.InitiatingProcessG2ParentCreationTime = InitiatingProcessG2ParentCreationTime 
| join type = left (dataset = xdr_data 
| filter event_type = ENUM.PROCESS 
| fields agent_id ,action_process_image_name as InitiatingProcessParentFileName,action_process_image_sha256 as InitiatingProcessParentSHA256 ,
action_process_os_pid as InitiatingProcessParentId, action_process_image_command_line as InitiatingProcessParentCommandLine ,
action_process_instance_execution_time as InitiatingProcessParentCreationTime, actor_process_image_name as InitiatingProcessG1ParentFileName,
actor_process_image_sha256 as InitiatingProcessG1ParentSHA256,actor_process_os_pid as InitiatingProcessG1ParentId,actor_process_command_line as InitiatingProcessG1ParentCommandLine,
actor_process_execution_time as InitiatingProcessG1ParentCreationTime
) as G1 g1.agent_id = agent_id and g1.InitiatingProcessG1ParentFileName = InitiatingProcessG1ParentFileName and g1.InitiatingProcessG1ParentId = InitiatingProcessG1ParentId and g1.InitiatingProcessG1ParentCreationTime = InitiatingProcessG1ParentCreationTime 
| join type = left (dataset = xdr_data 
| filter event_type = ENUM.PROCESS
| fields agent_id ,action_process_image_name as InitiatingProcessFileName,action_process_image_sha256 as InitiatingProcessSHA256 ,
action_process_os_pid as InitiatingProcessId, action_process_image_command_line as InitiatingProcessCommandLine ,
action_process_instance_execution_time as InitiatingProcessCreationTime, actor_process_image_name as InitiatingProcessParentFileName,
actor_process_image_sha256 as InitiatingProcessParentSHA256,actor_process_os_pid as InitiatingProcessParentId,actor_process_command_line as InitiatingProcessParentCommandLine,
actor_process_execution_time as InitiatingProcessParentCreationTime
) as P p.agent_id = agent_id and p.InitiatingProcessParentFileName = InitiatingProcessParentFileName and p.InitiatingProcessParentId = InitiatingProcessParentId and InitiatingProcessParentCreationTime = InitiatingProcessParentCreationTime 
| comp count() by InitiatingProcessFileName ,InitiatingProcessParentFileName , InitiatingProcessG1ParentFileName , InitiatingProcessG2ParentFileName , InitiatingProcessG3ParentFileName , InitiatingProcessG4ParentFileName

 The above code is not complete but after testing for several hours with one single join I have now given up and came here for assistance.

What is causing the process tree to break? because I am only getting null fields.
When adding and removing the actor (G4) the behaviour completely changes and I have no explanation on why.
Based on the document it seems that left gives you the left side and the inner so leftouter by default.
"Returns all records from the parent result set, plus any records from the join result set that intersect with the parent result set."

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
AvesterFahimipour
L1 Bithead
In response to AvesterFahimipour

‎02-12-2024 07:01 AM

I fixed it the execution times did not match so had to remove that

View solution in original post

0 Likes Likes
2 REPLIES 2

Go to solution
AvesterFahimipour
L1 Bithead

‎02-12-2024 06:01 AM

I made further updates it seems that I have to use sub type process start and  _time for action process creation time
I still don't know why the join does not work
You can use the query below to try to fix the join if possible.

 


dataset = xdr_data 
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START 
| fields agent_hostname , agent_id ,
action_process_image_name as InitiatingProcessG3ParentFileName,action_process_image_sha256 as InitiatingProcessG3ParentSHA256 ,action_process_os_pid as InitiatingProcessG3ParentId, action_process_image_command_line as InitiatingProcessG3ParentCommandLine , _time as InitiatingProcessG3ParentCreationTime, actor_process_image_name as InitiatingProcessG4ParentFileName,actor_process_image_sha256 as InitiatingProcessG4ParentSHA256,actor_process_os_pid as InitiatingProcessG4ParentId,actor_process_command_line as InitiatingProcessG4ParentCommandLine, actor_process_execution_time as InitiatingProcessG4ParentCreationTime
| alter InitiatingProcessG3ParentCreationTime = to_epoch(InitiatingProcessG3ParentCreationTime, "MILLIS")
| join type = left conflict_strategy = both (dataset = xdr_data 
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| fields agent_id ,action_process_image_name as InitiatingProcessG2ParentFileName,action_process_image_sha256 as InitiatingProcessG2ParentSHA256 ,
action_process_os_pid as InitiatingProcessG2ParentId, action_process_image_command_line as InitiatingProcessG2ParentCommandLine ,
_time as InitiatingProcessG2ParentCreationTime, actor_process_image_name as InitiatingProcessG3ParentFileName,
actor_process_image_sha256 as InitiatingProcessG3ParentSHA256,actor_process_os_pid as InitiatingProcessG3ParentId,actor_process_command_line as InitiatingProcessG3ParentCommandLine,
actor_process_execution_time as InitiatingProcessG3ParentCreationTime
| alter InitiatingProcessG2ParentCreationTime = to_epoch(InitiatingProcessG2ParentCreationTime, "MILLIS")
) as G3 G3.agent_id = agent_id and G3.InitiatingProcessG3ParentFileName = InitiatingProcessG3ParentFileName and G3.InitiatingProcessG3ParentId = InitiatingProcessG3ParentId and G3.InitiatingProcessG3ParentCreationTime = InitiatingProcessG3ParentCreationTime

 

0 Likes Likes

Go to solution
AvesterFahimipour
L1 Bithead
In response to AvesterFahimipour

‎02-12-2024 07:01 AM

I fixed it the execution times did not match so had to remove that

0 Likes Likes
  • 1 accepted solution
  • 369 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks