This is my JSON data. How should I write a query that traverses directly to the last (deepest-nested) parentProcess and then returns the complete process chain? The desired output would look like this: time | username | processInfo | processInfo.pid | processChain — 2024-03-07T07:46:27Z | randomuser:staff | bash | 51097 | /bin/bash -c pmset -g batt ← %APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1 /Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched ← %APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2 /Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched ← /sbin/launchd ← /sbin/launchd ← kernel_task ← kernel_task. I don't know how to write this search — please help me, thank you! This is my JSON data: {
"timestamp": "2024-03-07T07:46:27Z",
"eventName": "ProcessEvent",
"computer": {
"name": "randomMacBook-Pro.local",
"uuid": "9b85f341-3a24-4f70-a371-8863f8a72f1c"
},
"processInfo": {
"imageName": "bash",
"pid": 51097,
"systemProcess": false,
"imagePath": "/bin/bash",
"commandLine": "-c pmset -g batt",
"exeHash": {
"sha1": "87FD78930606102F09D607FC7305996CEFA6E028",
"sha256": null
},
"sid": "",
"username": "randomuser:staff",
"sidNameUse": 0,
"startTime": "2024-03-07T07:46:27Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "randomprocess1",
"pid": 51097,
"systemProcess": false,
"imagePath": "%APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1",
"commandLine": "/Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched",
"exeHash": {
"sha1": "E31C5F2840F47A094D58A181586B802FA8531C7E",
"sha256": null
},
"sid": "",
"username": "randomuser:staff",
"sidNameUse": 0,
"startTime": "2024-03-07T07:46:27Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "randomprocess2",
"pid": 603,
"systemProcess": false,
"imagePath": "%APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2",
"commandLine": "/Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched",
"exeHash": {
"sha1": "E31C5F2840F47A094D58A181586B802FA8531C7E",
"sha256": null
},
"sid": "",
"username": "randomuser:staff",
"sidNameUse": 0,
"startTime": "2024-03-01T08:02:32Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "launchd",
"pid": 603,
"systemProcess": false,
"imagePath": "/sbin/launchd",
"commandLine": "",
"exeHash": {
"sha1": "AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176",
"sha256": null
},
"sid": "",
"username": "root:wheel",
"sidNameUse": 0,
"startTime": "2024-03-01T08:02:32Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "launchd",
"pid": 1,
"systemProcess": false,
"imagePath": "/sbin/launchd",
"commandLine": "",
"exeHash": {
"sha1": "AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176",
"sha256": null
},
"sid": "",
"username": "root:wheel",
"sidNameUse": 0,
"startTime": "2024-03-01T07:57:30Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "kernel_task",
"pid": 1,
"systemProcess": true,
"imagePath": "kernel_task",
"commandLine": "",
"exeHash": {
"sha1": "24BF148FA83C8A5D908C33954B5CA91A5E4E3659",
"sha256": null
},
"sid": "",
"username": "root:wheel",
"sidNameUse": 0,
"startTime": "2024-02-27T10:17:35Z",
"currentDirPath": "",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "kernel_task",
"pid": 0,
"systemProcess": true,
"imagePath": "kernel_task",
"commandLine": "",
"exeHash": {
"sha1": "24BF148FA83C8A5D908C33954B5CA91A5E4E3659",
"sha256": null
},
"sid": "",
"username": "root:wheel",
"sidNameUse": 0,
"startTime": "2024-02-27T10:17:35Z",
"currentDirPath": "",
"isCompromised": false,
"lnkPath": ""
}
}
}
}
}
}
},
"eventType": "Process/PosixExec"
}