def on_response(self, response: ProcessView, output: Any):
    """Emit a hit when the matched process has a rarely seen parent.

    The (parent process name, child process name) pairing is looked up in
    ``self.counter``; a count of at most 3 is treated as rare. The analyzer
    name and debug line refer to SSH, but nothing in this method restricts
    the child to ssh — presumably the upstream query does; verify there.

    Args:
        response: the matched process node. ``get_parent()`` is called on it
            and the result is dereferenced immediately (assumed non-None —
            TODO confirm what ``get_parent`` returns for an orphan).
        output: sink exposing ``send``, which receives the ExecutionHit.
    """
    parent_name = response.get_parent().get_process_name()
    child_name = response.get_process_name()
    seen = self.counter.get_count_for(
        parent_process_name=parent_name,
        child_process_name=child_name,
    )
    print(f'Counted {seen} for parent -> ssh')
    # Rarity threshold and risk score are fixed here, not configured.
    if seen > 3:
        return
    hit = ExecutionHit(
        analyzer_name="Rare Parent of SSH",
        node_view=response,
        risk_score=5,
    )
    output.send(hit)
def on_response(self, child: ProcessView, output: Any):
    """Emit a hit when a process runs as a different user than its parent.

    Both user ids are resolved through ``get_user_id`` (a helper defined
    outside this method); any inequality produces an ExecutionHit scored 25.

    Args:
        child: the matched process node. ``get_parent()`` is called on it and
            the result is passed straight to ``get_user_id`` (assumed
            non-None — TODO confirm).
        output: sink exposing ``send``, which receives the ExecutionHit.
    """
    parent = child.get_parent()
    # Resolve child first, then parent — same order as the original lookups.
    uid_of_child = get_user_id(child)
    uid_of_parent = get_user_id(parent)
    if uid_of_child == uid_of_parent:
        return
    # A user change across the parent/child boundary is scored higher than
    # the rarity-based analyzers in this file (25 vs 5).
    output.send(
        ExecutionHit(
            analyzer_name="Parent Child User Mismatch",
            node_view=child,
            risk_score=25,
        )
    )
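def on_response(self, response: ProcessView, output: Any):
    """Emit a hit when the matched process has a rarely seen grandparent.

    The (grandparent process name, grandchild process name) pairing is looked
    up in ``self.counter``; a count of at most 3 is treated as rare and the
    hit is lensed by the asset hostname. As with the parent-based analyzer,
    nothing here restricts the child to ssh — presumably the upstream query
    does; verify there.

    Args:
        response: the matched process node. ``get_asset().get_hostname()``
            and ``get_parent().get_parent()`` are called on it; both
            ancestors are assumed to exist (TODO confirm — a missing
            ancestor would raise AttributeError here).
        output: sink exposing ``send``, which receives the ExecutionHit.
    """
    asset_id = response.get_asset().get_hostname()
    grandparent_name = response.get_parent().get_parent().get_process_name()
    child_name = response.get_process_name()
    count = self.counter.get_count_for(
        grand_parent_process_name=grandparent_name,
        grand_child_process_name=child_name,
    )
    # The debug line used to read "parent -> ssh", copied from the sibling
    # analyzer; this one counts the grandparent pairing.
    print(f'Counted {count} for grandparent -> ssh')
    # Rarity threshold and risk score are fixed here, not configured.
    if count <= 3:
        output.send(
            ExecutionHit(
                analyzer_name="Rare GrandParent of SSH",
                node_view=response,
                risk_score=5,
                lenses=asset_id,
            )
        )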
def on_response(self, response: ProcessView, output: Any): parent = response.get_parent()