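def get_parent(parentprocessguid):
    """Collect the ancestors of a process into the module-level ``process_list``.

    Starting from ``parentprocessguid``, look up the matching SYSMON_PROCESS
    record(s) in ELSA, append them to ``process_list`` and continue with the
    parent GUID of the last record, until a lookup returns no records.
    Ancestors are appended nearest-first. Returns None.

    The walk is iterative and remembers every GUID it has already queried, so
    a record that names itself or an earlier process as its parent (corrupt,
    replayed or forged telemetry) ends the walk instead of running into the
    interpreter's recursion limit.
    """
    seen_guids = set()
    current_guid = parentprocessguid

    while current_guid not in seen_guids:
        seen_guids.add(current_guid)

        elsa_obj = elsa_db.elsa()
        # NOTE(review): the GUID originates from log data and is concatenated
        # into the query unescaped; presumably ELSA splits terms on spaces, so
        # confirm the value is GUID-shaped before it reaches this point.
        query_string = "class=SYSMON_PROCESS processguid=" + current_guid

        # Placeholder that is only used if ELSA reports records but hands back
        # an empty result list.
        temp_sysmon = sysmon_process()
        json_data = elsa_obj.query(query_string)
        if json_data["recordsReturned"] < 1:
            break

        for sysmon_obj in json_data['results']:
            temp_sysmon = populate_sysmon_obj(sysmon_obj)
            process_list.append(temp_sysmon)

        # When several records share one GUID they are all kept, and the walk
        # continues from the last of them.
        current_guid = temp_sysmon.parentprocessguid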
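def get_by_processguid(processguid):
    """Return the process chain that ends at ``processguid``, oldest ancestor first.

    Clears the module-level ``process_list``, looks up the SYSMON_PROCESS
    record for ``processguid``, lets ``get_parent`` fill in the ancestors and
    appends the requested process last. The returned object is
    ``process_list`` itself, so the next call empties the list a previous
    caller may still be holding.

    If ELSA has no record for the GUID (unknown value, or the event is no
    longer stored) the empty list is returned rather than failing on the
    first-result lookup.
    """
    elsa_obj = elsa_db.elsa()
    del process_list[:]
    # NOTE(review): processguid is concatenated into the query unescaped;
    # confirm callers only pass GUID-shaped values.
    query_string = "class=SYSMON_PROCESS processguid=" + processguid

    json_data = elsa_obj.query(query_string)

    results = json_data['results']
    if not results:
        return process_list

    # Only the first matching record is used for the requested process.
    temp_sysmon_process = populate_sysmon_obj(results[0])

    # get_parent appends nearest ancestor first; reversing puts the root of
    # the chain at index 0 before the requested process is added at the end.
    get_parent(temp_sysmon_process.parentprocessguid)
    process_list.reverse()
    process_list.append(temp_sysmon_process)

    return process_list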
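def get_windows_console_logins():
    """Return the first Windows 4624 event with logon type 2, or None.

    Event 4624 is a successful logon and logon type 2 is an interactive
    logon; remote desktop sessions are recorded as type 10 and are not
    matched by this query. Despite the plural name, only the first result is
    parsed and returned.

    The previous version returned ``temp_sysmon_process``, a name that is
    never assigned in this function, instead of the parsed logon event.
    """
    elsa_obj = elsa_db.elsa()

    # NOTE(review): the logon type is matched as a free-text phrase rather
    # than a parsed field; confirm it cannot match other logon types.
    query_string = "class=WINDOWS eventid=4624 'Logon Type: 2'"

    json_data = elsa_obj.query(query_string)

    results = json_data['results']
    if not results:
        # No interactive logon found for this query.
        return None

    temp_windows_4624 = populate_windows_4624(results[0])

    return temp_windows_4624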