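def get_parent(parentprocessguid, *, _seen=None):
    """Walk the Sysmon parent chain upward, starting at *parentprocessguid*.

    Every ancestor found in ELSA (class ``SYSMON_PROCESS``) is built with
    ``populate_sysmon_obj`` and appended to the module-level ``process_list``
    in visiting order (nearest ancestor first, root last).  The walk stops
    when ELSA returns no record for the guid, when the guid is empty, or when
    a guid has already been visited in this walk — a cyclic or
    self-referential parent chain would otherwise recurse until the
    interpreter's recursion limit is hit.

    Args:
        parentprocessguid: Sysmon ProcessGuid of the process to look up.
        _seen: internal; guids already visited in the current walk.

    Raises:
        ValueError: if *parentprocessguid* is not shaped like a GUID.  The
            value is spliced verbatim into the ELSA query string, so anything
            that is not a plain GUID is rejected instead of being passed on
            as extra query terms.
    """
    import re

    if _seen is None:
        _seen = set()
    if not parentprocessguid or parentprocessguid in _seen:
        return
    # Sysmon ProcessGuid is {8-4-4-4-12 hex digits}; braces are optional here
    # in case the stored value has been normalised.
    if not re.fullmatch(
        r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?",
        parentprocessguid,
    ):
        raise ValueError(f"not a Sysmon ProcessGuid: {parentprocessguid!r}")
    _seen.add(parentprocessguid)

    elsa_obj = elsa_db.elsa()
    query_string = "class=SYSMON_PROCESS processguid=" + parentprocessguid
    json_data = elsa_obj.query(query_string)
    if json_data["recordsReturned"] < 1:
        return

    temp_sysmon = None
    for sysmon_obj in json_data["results"]:
        temp_sysmon = populate_sysmon_obj(sysmon_obj)
        process_list.append(temp_sysmon)
    if temp_sysmon is None:
        # recordsReturned claimed hits but 'results' was empty; nothing to follow.
        return
    # Continue from the last record's parent.  The collapsed original recursed
    # once after the loop (one guid normally maps to one record), so this
    # keeps that shape; the visited set is threaded through to stop cycles.
    get_parent(temp_sysmon.parentprocessguid, _seen=_seen)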
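def get_by_processguid(processguid):
    """Return the process lineage for *processguid*, root ancestor first.

    Clears the module-level ``process_list``, looks the process up in ELSA
    (class ``SYSMON_PROCESS``), collects its ancestors through ``get_parent``
    and returns them ordered root -> ... -> the requested process itself.

    Args:
        processguid: Sysmon ProcessGuid of the process of interest.

    Returns:
        A new list of populated Sysmon process objects.  A copy is returned so
        that a later call, which clears ``process_list``, does not silently
        empty a list the caller is still holding.

    Raises:
        ValueError: if *processguid* is not shaped like a GUID (it is spliced
            verbatim into the ELSA query string, so anything else is rejected).
        IndexError: if ELSA returns no record for *processguid*.
    """
    import re

    if not processguid or not re.fullmatch(
        r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?",
        processguid,
    ):
        raise ValueError(f"not a Sysmon ProcessGuid: {processguid!r}")

    del process_list[:]
    elsa_obj = elsa_db.elsa()
    query_string = "class=SYSMON_PROCESS processguid=" + processguid
    json_data = elsa_obj.query(query_string)
    results = json_data.get("results") or []
    if not results:
        # Explicit message instead of a bare IndexError from results[0].
        raise IndexError(f"no SYSMON_PROCESS record for processguid {processguid!r}")

    temp_sysmon_process = populate_sysmon_obj(results[0])
    get_parent(temp_sysmon_process.parentprocessguid)
    # get_parent appends nearest ancestor first; flip to root-first and put
    # the requested process at the end.
    process_list.reverse()
    process_list.append(temp_sysmon_process)
    return list(process_list)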
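def get_windows_console_logins():
    """Return the first interactive (console) logon event recorded in ELSA.

    Queries class ``WINDOWS`` for event id 4624 with ``Logon Type: 2`` (an
    interactive, at-the-keyboard logon) and returns the first matching record
    populated through ``populate_windows_4624``.  Only the first matching
    record is returned.

    Returns:
        The populated 4624 event object for the first matching record.

    Raises:
        IndexError: if ELSA returns no matching record.
    """
    elsa_obj = elsa_db.elsa()
    query_string = "class=WINDOWS eventid=4624 'Logon Type: 2'"
    json_data = elsa_obj.query(query_string)
    results = json_data.get("results") or []
    if not results:
        raise IndexError("no WINDOWS 4624 'Logon Type: 2' record returned")
    # The original returned an undefined name (temp_sysmon_process) and so
    # raised NameError on every call; the populated 4624 object is the value
    # this function actually computes.
    return populate_windows_4624(results[0])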