This is my JSON data. How should I write a query that walks the nested `parentProcess` objects inside `processInfo` down to the innermost one (the one with no `parentProcess` of its own) and then outputs the complete process chain? Like this:

| time | username | processInfo | processInfo.pid | processChain |
| --- | --- | --- | --- | --- |
| 2024-03-07T07:46:27Z | randomuser:staff | bash | 51097 | /bin/bash -c pmset -g batt ← %APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1 /Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched ← %APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2 /Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched ← /sbin/launchd ← /sbin/launchd ← kernel_task ← kernel_task |

I don't know how to write the search — please help me, thank you! This is my JSON data:
{
"timestamp": "2024-03-07T07:46:27Z",
"eventName": "ProcessEvent",
"computer": {
"name": "randomMacBook-Pro.local",
"uuid": "9b85f341-3a24-4f70-a371-8863f8a72f1c"
},
"processInfo": {
"imageName": "bash",
"pid": 51097,
"systemProcess": false,
"imagePath": "/bin/bash",
"commandLine": "-c pmset -g batt",
"exeHash": {
"sha1": "87FD78930606102F09D607FC7305996CEFA6E028",
"sha256": null
},
"sid": "",
"username": "randomuser:staff",
"sidNameUse": 0,
"startTime": "2024-03-07T07:46:27Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "randomprocess1",
"pid": 51097,
"systemProcess": false,
"imagePath": "%APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1",
"commandLine": "/Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched",
"exeHash": {
"sha1": "E31C5F2840F47A094D58A181586B802FA8531C7E",
"sha256": null
},
"sid": "",
"username": "randomuser:staff",
"sidNameUse": 0,
"startTime": "2024-03-07T07:46:27Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "randomprocess2",
"pid": 603,
"systemProcess": false,
"imagePath": "%APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2",
"commandLine": "/Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched",
"exeHash": {
"sha1": "E31C5F2840F47A094D58A181586B802FA8531C7E",
"sha256": null
},
"sid": "",
"username": "randomuser:staff",
"sidNameUse": 0,
"startTime": "2024-03-01T08:02:32Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "launchd",
"pid": 603,
"systemProcess": false,
"imagePath": "/sbin/launchd",
"commandLine": "",
"exeHash": {
"sha1": "AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176",
"sha256": null
},
"sid": "",
"username": "root:wheel",
"sidNameUse": 0,
"startTime": "2024-03-01T08:02:32Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "launchd",
"pid": 1,
"systemProcess": false,
"imagePath": "/sbin/launchd",
"commandLine": "",
"exeHash": {
"sha1": "AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176",
"sha256": null
},
"sid": "",
"username": "root:wheel",
"sidNameUse": 0,
"startTime": "2024-03-01T07:57:30Z",
"currentDirPath": "/",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "kernel_task",
"pid": 1,
"systemProcess": true,
"imagePath": "kernel_task",
"commandLine": "",
"exeHash": {
"sha1": "24BF148FA83C8A5D908C33954B5CA91A5E4E3659",
"sha256": null
},
"sid": "",
"username": "root:wheel",
"sidNameUse": 0,
"startTime": "2024-02-27T10:17:35Z",
"currentDirPath": "",
"isCompromised": false,
"lnkPath": "",
"parentProcess": {
"imageName": "kernel_task",
"pid": 0,
"systemProcess": true,
"imagePath": "kernel_task",
"commandLine": "",
"exeHash": {
"sha1": "24BF148FA83C8A5D908C33954B5CA91A5E4E3659",
"sha256": null
},
"sid": "",
"username": "root:wheel",
"sidNameUse": 0,
"startTime": "2024-02-27T10:17:35Z",
"currentDirPath": "",
"isCompromised": false,
"lnkPath": ""
}
}
}
}
}
}
},
"eventType": "Process/PosixExec"
}