search

opencybersecurityalliance / kestrel-lang

Kestrel threat hunting language: building reusable, composable, and shareable huntflows across different data sources and threat intel.
Apache License 2.0
299 stars 50 forks source link

Include host name as a pivot point in Kestrel query #466

Open Galal-sec opened 9 months ago

Galal-sec commented 9 months ago

Is your feature request related to a problem? Please describe. I have a use case to get the sequence of commands execution from the same host within timestamp

Describe the solution you'd like Correlate sequence commands on the same host

Describe alternatives you've considered If we can do the same via Parent process ID

Additional context image

pcoccoli commented 4 months ago

For implementing simple correlation in SQL (which we're trying to leverage as much as possible in kestrel 2), consider a simple table mydata:

# select * from mydata;
 name  |       email       
-------+-------------------
 alice | alice@example.com
 bob   | bob@example.com
 carol | alice@example.com
(3 rows)

Finding rows that share the same email could be done by with grouping:

# select * from mydata where email in (select email from mydata group by email having count(*) > 1);
 name  |       email       
-------+-------------------
 alice | alice@example.com
 carol | alice@example.com
(2 rows)

Another possibility is joins:

# select L.* from mydata L join mydata R on L.email = R.email where L.name != R.name;
 name  |       email       
-------+-------------------
 alice | alice@example.com
 carol | alice@example.com
(2 rows)

In postgres, the grouping method is less expensive according to the EXPLAIN output.