Generate process, session GUIDs (Sysmon)

threathunters-io / laurel

Transform Linux Audit logs for SIEM usage

GNU General Public License v3.0

713 stars 56 forks source link

Generate process, session GUIDs (Sysmon) #38

Open hillu opened 3 years ago

hillu commented 3 years ago

Sysmon calculates GUIDs (at least) for processes and sessions, this is a really useful idea for correlation.

The Sysmon implementation can be found at https://github.com/Sysinternals/SysmonCommon/blob/735085f7940bf68047f00e71e6583197381fb966/eventsCommon.cpp#L138. machineId is set from /etc/machine-id, cf. https://github.com/Sysinternals/SysmonForLinux/blob/9bca3734721a01cb2ac6e2e3adc40ecdcad3151e/linuxHelpers.cpp#L338

mschilt commented 2 years ago

I lile that idea. Process GUID are very valuable to 'follow' what a specific process did. The process ID is prone to roll overs especially on very busy systems.