Skip to content

Implement ancestor_of and descendant_of process ancestry functions #68

New issue
New issue
Open
Open
Implement ancestor_of and descendant_of process ancestry functions#68
Labels
needs: docsIndicates that the issue needs documentation updatesneeds: filtersIndicates that new filters should be addedscope: filtersAnything related to filters
@rabbitstack

Description

@rabbitstack
rabbitstack
opened on May 17, 2021

These functions would enable us to build filters that evaluate process relationships. The ancestor_of function returns the parent of the process that's executing the kernel event. For example, ancestor_of('cmd.exe') would match all events where the process that generated them is the parent of the cmd.exe process. Conversely, the descendant_of function evaluates whether the process is a child of the process that is associated with the current event. For example, descendant_of('cmd.exe') would match all events where the cmd.exe process is the parent process.

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs: docsIndicates that the issue needs documentation updatesneeds: filtersIndicates that new filters should be addedscope: filtersAnything related to filters

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions