osquery-defense-kit/incident_response/execution/process_events.sql

-- Recently executed programs
--
-- interval: 900
-- platform: posix
SELECT
  pe.*,
  -- pe.cwd is often blank
  p.cwd AS delayed_proc_cwd,
  pp.cwd AS delayed_parent_cwd,
  pp.path AS parent_path,
  pp.name AS delayed_parent_name
FROM
  process_events pe
  LEFT JOIN processes p ON pe.pid = p.pid
  LEFT JOIN processes pp ON pe.parent = pp.pid
WHERE
  pe.time > (strftime('%s', 'now') -900)
  -- Filter out commands generated by osquery/kolide
  AND pe.cmdline NOT LIKE "/bin/ps -x -o%"
  AND parent_path NOT LIKE "/usr/local/kolide-k2/%/launcher"
GROUP BY
  pe.pid,
  pe.eid
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`-- Recently executed programs`
			`--`
			`-- interval: 900`
			`-- platform: posix`
			`SELECT`
			`pe.*,`
			`-- pe.cwd is often blank`
			`p.cwd AS delayed_proc_cwd,`
			`pp.cwd AS delayed_parent_cwd,`
			`pp.path AS parent_path,`
			`pp.name AS delayed_parent_name`
			`FROM`
			`process_events pe`
			`LEFT JOIN processes p ON pe.pid = p.pid`
			`LEFT JOIN processes pp ON pe.parent = pp.pid`
			`WHERE`
			`pe.time > (strftime('%s', 'now') -900)`
			`-- Filter out commands generated by osquery/kolide`
			`AND pe.cmdline NOT LIKE "/bin/ps -x -o%"`
			`AND parent_path NOT LIKE "/usr/local/kolide-k2/%/launcher"`
			`GROUP BY`
			`pe.pid,`
			`pe.eid`