Hello.
Is there a field that maps a process and everything it does within all the endpoint activity logs?
For example:
Can I search for a specific endpoint and a executable and will it show me all matching events within that process execution including sysmon like network activity, registry value creation etc?
I hope that makes sense.
I thought at one point there was a field called something like “r7_context something”… that links all endpoint activity together like a process chain.
Hi Anthony,
Yes - you can leverage the “r7_context.asset.rrn” key across both logs to correlate the matching events across both. You could try a query like where(“r7_context.asset.rrn” = “the specific asset”) groupby(#log) to get a sense of frequency of events across both and to validate its working as expected. You could also fall back to r7_hostid key in absence of rnn.
You can find more details on RNNS and how they can leveraged within InsightIDR here: Rapid7 Resource Names | InsightIDR Documentation
Thanks Sean.
That is helpful but I’m interested in process activity only. Like a process tree. Show me everything a certain process did like create a new service, edit a registry key and/or make network connections, etc…
Does that make sense?