Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement ancestor_of and descendant_of process ancestry functions #68

Open
rabbitstack opened this issue May 17, 2021 · 0 comments
Open

Implement ancestor_of and descendant_of process ancestry functions #68

rabbitstack opened this issue May 17, 2021 · 0 comments
Labels
needs: docs Indicates that the issue needs documentation updates needs: filters Indicates that new filters should be added scope: filters Anything related to filters

Comments

@rabbitstack
Copy link
Owner

These functions would enable us to build filters that evaluate process relationships. The ancestor_of function returns the parent of the process that's executing the kernel event. For example, ancestor_of('cmd.exe') would match all events where the process that generated them is the parent of the cmd.exe process. Conversely, the descendant_of function evaluates whether the process is a child of the process that is associated with the current event. For example, descendant_of('cmd.exe') would match all events where the cmd.exe process is the parent process.
@rabbitstack rabbitstack added needs: docs Indicates that the issue needs documentation updates needs: filters Indicates that new filters should be added scope: filters Anything related to filters labels May 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs: docs Indicates that the issue needs documentation updates needs: filters Indicates that new filters should be added scope: filters Anything related to filters
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rabbitstack