Log Search - Endpoint Activity

Is there a field that maps a process and everything it does within all the endpoint activity logs?

For example:

Can I search for a specific endpoint and an executable, and will it show me all matching events within that process execution, including Sysmon-like network activity, registry value creation, etc.?

I hope that makes sense.

I thought at one point there was a field called something like “r7_context something”… that links all endpoint activity together like a process chain.

Hi Anthony,

Yes - you can leverage the "r7_context.asset.rrn" key across both logs to correlate the matching events across both. You could try a query like where("r7_context.asset.rrn" = "the specific asset") groupby(#log) to get a sense of the frequency of events across both and to validate it's working as expected. You could also fall back to the r7_hostid key in the absence of an RRN.

You can find more details on RRNs and how they can be leveraged within InsightIDR here: Rapid7 Resource Names | InsightIDR Documentation
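The correlation Sean's query performs, worked through offline on constructed sample events (added example, not code from the thread or from Rapid7): filter events whose r7_context.asset.rrn matches a given asset, fall back to r7_hostid when the RRN is missing, and count matches per log, which is what groupby(#log) returns in Log Search. The JSON layout and the "log" key standing in for #log are assumptions for the sample, not a documented export format.

```python
import json
from collections import Counter

# Constructed sample events (not real InsightIDR output). Each line is one
# event with the log it came from, the asset RRN where present, and r7_hostid.
SAMPLE_EVENTS = [
    '{"log": "Endpoint Activity", "r7_context": {"asset": {"rrn": "rrn:asset:1"}}, "r7_hostid": "host-1", "process": "svc.exe"}',
    '{"log": "Endpoint Activity", "r7_context": {"asset": {"rrn": "rrn:asset:1"}}, "r7_hostid": "host-1", "process": "reg.exe"}',
    '{"log": "Sysmon", "r7_context": {"asset": {"rrn": "rrn:asset:1"}}, "r7_hostid": "host-1", "event": "NetworkConnect"}',
    '{"log": "Endpoint Activity", "r7_context": {"asset": {"rrn": "rrn:asset:2"}}, "r7_hostid": "host-2", "process": "cmd.exe"}',
    # Event with no RRN at all: only reachable through the r7_hostid fallback.
    '{"log": "Sysmon", "r7_hostid": "host-1", "event": "RegistryValueSet"}',
    'not json at all',  # malformed line, must be skipped rather than crash the run
]


def asset_key(event):
    """Return the asset RRN if the event carries one, else r7_hostid, else None."""
    context = event.get("r7_context") or {}
    asset = context.get("asset") or {}
    return asset.get("rrn") or event.get("r7_hostid")


def events_by_log(lines, asset):
    """Emulate where("r7_context.asset.rrn" = asset) groupby(#log) over JSON lines.

    An event matches when its RRN equals `asset`, or when it has no RRN and its
    r7_hostid equals `asset` (the fallback Sean describes). Returns {log: count}.
    """
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not well-formed events
        if asset_key(event) == asset:
            counts[event.get("log", "<unknown>")] += 1
    return dict(counts)


if __name__ == "__main__":
    print(events_by_log(SAMPLE_EVENTS, "rrn:asset:1"))  # {'Endpoint Activity': 2, 'Sysmon': 1}
    print(events_by_log(SAMPLE_EVENTS, "host-1"))       # {'Sysmon': 1}
```

Note that searching by r7_hostid only reaches events that lack an RRN in this emulation; events that carry an RRN are keyed by it, so the two lookups partition the data rather than overlap.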

Thanks Sean.

That is helpful, but I'm interested in process activity only, like a process tree: show me everything a certain process did, like create a new service, edit a registry key and/or make network connections, etc…

Does that make sense?