Figure out the original process that triggered a network connection (not swi_fc.exe)

Hello,

I've been using the following query for some time to figure out the processes related to a network connection (taking suspicious network connections reported by other security products as input):

# $$startTime$$                 - Date
# $$endTime$$                   - Date
# $$uri$$                       - String
# $$source_or_destination_ip$$  - String

SELECT
   -- convert epoch timestamps to local time for readability
   datetime(shj.time,'unixepoch','localtime') AS LocalTimeStamp,
   datetime(shj.processStartTime,'unixepoch','localtime') AS processStartTime,
   *
FROM
   sophos_http_journal shj
-- attribute each HTTP journal entry to the process that made it
INNER JOIN
   sophos_process_journal spj
   ON shj.sophosPID = spj.sophosPID
-- resolve the process owner's SID to a user account (if known)
LEFT JOIN
   users
   ON spj.sid = users.uuid
WHERE
   -- match the IP on either side of the connection
   (shj.source LIKE '%$$source_or_destination_ip$$%' OR shj.destination LIKE '%$$source_or_destination_ip$$%')
   AND LOWER(shj.url) LIKE LOWER('%$$uri$$%')
   -- restrict to the investigation time window
   AND shj.time >= $$startTime$$
   AND shj.time <= $$endTime$$

What I noticed is that some network connections are proxied by the Sophos Web Intelligence Engine: swi_fc.exe

However, I would like to figure out what the original process triggering the web request was (is it a PowerShell script, Chrome, Edge, etc.). Since you lose the original process tree as well as the original Sophos PID, it's pretty hard to do a proper analysis from here.

I'm happy to provide additional detail if needed.

KR, reg1nleifr