def on_response(self, response: ProcessView, output: Any):
count = self.counter.get_count_for(
parent_process_name=response.get_parent().get_process_name(),
child_process_name=response.get_process_name(),
)
print(f'Counted {count} for parent -> ssh')
if count <= 3:
output.send(
ExecutionHit(
analyzer_name="Rare Parent of SSH",
node_view=response,
risk_score=5,
))
def on_response(self, child: ProcessView, output: Any):
parent = child.get_parent()
child_user_id = get_user_id(child)
parent_user_id = get_user_id(parent)
if child_user_id != parent_user_id:
output.send(
ExecutionHit(
analyzer_name="Parent Child User Mismatch",
node_view=child,
risk_score=25,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
count = self.counter.get_count_for(
grand_parent_process_name=response.get_parent().get_parent().
get_process_name(),
grand_child_process_name=response.get_process_name(),
)
print(f'Counted {count} for parent -> ssh')
if count <= 3:
output.send(
ExecutionHit(
analyzer_name="Rare GrandParent of SSH",
node_view=response,
risk_score=5,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
parent = response.get_parent()