mschilt
commented
2 years ago I lile that idea. Process GUID are very valuable to 'follow' what a specific process did. The process ID is prone to roll overs especially on very busy systems.
Open hillu opened 2 years ago
mschilt
commented
2 years ago I lile that idea. Process GUID are very valuable to 'follow' what a specific process did. The process ID is prone to roll overs especially on very busy systems.
Sysmon calculates GUIDs (at least) for processes and sessions, this is a really useful idea for correlation.
The Sysmon implementation can be found at https://github.com/Sysinternals/SysmonCommon/blob/735085f7940bf68047f00e71e6583197381fb966/eventsCommon.cpp#L138.
machineIdis set from/etc/machine-id, cf. https://github.com/Sysinternals/SysmonForLinux/blob/9bca3734721a01cb2ac6e2e3adc40ecdcad3151e/linuxHelpers.cpp#L338