redcanaryco / mac-monitor

Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research. Built on Endpoint Security (ES), it collects and enriches system events, displays them graphically, and offers an expansive feature set designed to reduce noise.

Filter by parent process + View child processes in event metadata #12

Open AndrewMohawk opened 1 year ago

AndrewMohawk commented 1 year ago

At a high level -- can you summarize your request? If I come across an event such as bash being called from a process, I'd like to be able to filter to find all other forks that the parent process executed. Alternatively, if I have the event's parent process in the event viewer, I'd like to be able to see the children of that event.

Example: here I have sentineld_updater calling two bash scripts: [screenshot]

I'd like an easy way to be able to view all subprocesses from this parent/initiating process. Here is the event metadata I can view, as well as the initiating process: [screenshot] [screenshot]

What is the current alternative solution? Identify the event as well as its parent and then use the search to try and narrow down events containing that name
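One way to build the parent/child view this request describes, as an added example in Python that is not Mac Monitor's own code: it indexes a constructed stream of FORK/EXEC events (the event layout, field names, and the pid numbers for sentineld_updater and its children are assumptions modelled on the screenshots described above) into a tree keyed on (pid, pidversion) as in the ES audit token, so a pid that gets reused after a process exits is not attached to the wrong parent. It then exposes "children of this process" and "all events under this parent", which are the two filters asked for.

```python
"""Toy process-tree index over ES-style FORK/EXEC events (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    """Process identity. Keying on (pid, pidversion) mirrors the ES audit_token
    and keeps a reused pid from being attached to the wrong parent. Assumption:
    the event source exposes both fields."""
    pid: int
    pidversion: int


@dataclass(frozen=True)
class Event:
    seq: int                     # monotonic order from the event source
    kind: str                    # "FORK" or "EXEC"
    process: Proc                # process that performed the fork/exec
    parent: Proc                 # its parent at the time of the event
    image: str                   # image of `process` (after the exec, for EXEC)
    child: Optional[Proc] = None  # FORK only: the newly created process


class ProcessTree:
    def __init__(self, events: List[Event]) -> None:
        self.parent_of: Dict[Proc, Proc] = {}
        self.image_of: Dict[Proc, str] = {}
        self.events_of: Dict[Proc, List[Event]] = defaultdict(list)
        for ev in sorted(events, key=lambda e: e.seq):
            self.parent_of.setdefault(ev.process, ev.parent)
            if ev.kind == "FORK":
                if ev.child is None:
                    raise ValueError(f"FORK event {ev.seq} has no child")
                self.parent_of[ev.child] = ev.process
                # a forked child keeps the parent's image until it execs
                self.image_of[ev.child] = ev.image
                self.image_of.setdefault(ev.process, ev.image)
            elif ev.kind == "EXEC":
                self.image_of[ev.process] = ev.image
            else:
                raise ValueError(f"unknown event kind {ev.kind!r}")
            self.events_of[ev.process].append(ev)

    def children(self, proc: Proc, recursive: bool = False) -> List[Proc]:
        """Direct children, or the whole subtree in depth-first order."""
        direct = [c for c, p in self.parent_of.items() if p == proc]
        if not recursive:
            return direct
        out: List[Proc] = []
        for c in direct:
            out.append(c)
            out.extend(self.children(c, recursive=True))
        return out

    def events_under(self, root: Proc) -> List[Event]:
        """'Filter by parent process': every event performed by root or any
        of its descendants, in source order."""
        scope = {root, *self.children(root, recursive=True)}
        evs = [e for p in scope for e in self.events_of.get(p, [])]
        return sorted(evs, key=lambda e: e.seq)

    def ancestry(self, proc: Proc) -> List[Proc]:
        """Parent chain from proc upward, nearest parent first."""
        chain: List[Proc] = []
        while proc in self.parent_of:
            proc = self.parent_of[proc]
            chain.append(proc)
        return chain


def render(tree: ProcessTree, root: Proc, depth: int = 0) -> List[str]:
    """Indented text view of root and its descendants with their current image."""
    lines = [f"{'  ' * depth}{root.pid}.{root.pidversion} {tree.image_of.get(root, '?')}"]
    for c in tree.children(root):
        lines.extend(render(tree, c, depth + 1))
    return lines


# Constructed sample telemetry (not real Mac Monitor output): sentineld_updater
# (pid 300) forks twice and each child execs /bin/bash; one bash then forks and
# execs curl; later pid 401 is reused by an unrelated login -> zsh.
UPDATER = "/usr/local/bin/sentineld_updater"
SAMPLE_EVENTS = [
    Event(1, "FORK", Proc(300, 1), Proc(1, 1), UPDATER, child=Proc(401, 1)),
    Event(2, "EXEC", Proc(401, 1), Proc(300, 1), "/bin/bash"),
    Event(3, "FORK", Proc(300, 1), Proc(1, 1), UPDATER, child=Proc(402, 1)),
    Event(4, "EXEC", Proc(402, 1), Proc(300, 1), "/bin/bash"),
    Event(5, "FORK", Proc(401, 1), Proc(300, 1), "/bin/bash", child=Proc(403, 1)),
    Event(6, "EXEC", Proc(403, 1), Proc(401, 1), "/usr/bin/curl"),
    Event(7, "FORK", Proc(500, 1), Proc(1, 1), "/usr/bin/login", child=Proc(401, 2)),
    Event(8, "EXEC", Proc(401, 2), Proc(500, 1), "/bin/zsh"),
]

if __name__ == "__main__":
    t = ProcessTree(SAMPLE_EVENTS)
    print("\n".join(render(t, Proc(300, 1))))
    print([e.seq for e in t.events_under(Proc(300, 1))])
```

Run stand-alone it prints the sentineld_updater subtree and the sequence numbers of every event under it; the reused pid 401 (pidversion 2) stays under pid 500 and never appears in that subtree. Keying on bare pid instead would merge the two unrelated processes.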

Brandon7CC commented 1 year ago

@AndrewMohawk I completely agree! Bringing child proc info to the foreground is something that I've had implemented before, but I wanted to wait and think more about how to display the telemetry: an EXEC -> FORK -> EXEC chain, or something like that. Hopefully you'll see something like this feature implemented soon!