Approved

Figure out the original process that triggered a network connection (not swi_fc.exe)

Hello,

I've been using the following query for some time to figure out the processes related to a network connection (getting suspicious network connection from other security products as input):

# $$startTime$$                 - Date
# $$endTime$$                   - Date
# $$uri$$                       - String
# $$source_or_destination_ip$$  - String

SELECT
   datetime(shj.time,'unixepoch','localtime') AS LocalTimeStamp,
   datetime(shj.processStartTime,'unixepoch','localtime') AS processStartTime,
   *
FROM
   sophos_http_journal shj
INNER JOIN 
   sophos_process_journal spj
   ON shj.sophosPID = spj.sophosPID
LEFT JOIN
   users
   ON sid = uuid
WHERE
   (source LIKE '%$$source_or_destination_ip$$%' OR destination LIKE '%$$source_or_destination_ip$$%')
   AND LOWER(shj.url) LIKE LOWER('%$$uri$$%')
   AND shj.time >= $$startTime$$
   AND shj.time <= $$endTime$$

What I noticed is that some network connections are proxied by the Sophos Web Intelligence Engine: swi_fc.exe

However, I would like to figure out what the original process triggering the web request was (is it a PowerShell script, Chrome, Edge, etc.). Since you lose the original process tree as well as the original Sophos PID, it's pretty hard to do a proper analysis from here.

I'm happy to provide additional detail if needed.

KR, reg1nleifr
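The following is an added example, not part of the original post: it extends the query above so that rows attributed to swi_fc.exe are flagged explicitly and the parent of the recorded process is shown alongside it, which makes it obvious during review which connections still need manual attribution. It assumes sophos_process_journal exposes parentSophosPID, processName, pathname and cmdLine columns, and that sophos_http_journal has source, destination and url columns; the column names beyond those used in the post are assumptions, and the $$...$$ variables follow the same Live Discover convention as the original.

```sql
-- Added example (not from the original post). Column names such as
-- parentSophosPID, processName, pathname and cmdLine are assumed.
-- $$startTime$$                 - Date
-- $$endTime$$                   - Date
-- $$uri$$                       - String
-- $$source_or_destination_ip$$  - String

SELECT
   datetime(shj.time,'unixepoch','localtime') AS LocalTimeStamp,
   shj.source,
   shj.destination,
   shj.url,
   spj.processName   AS recordedProcess,
   spj.pathname      AS recordedPath,
   spj.cmdLine       AS recordedCmdLine,
   spj.parentSophosPID,
   -- Correlated subqueries with LIMIT 1 avoid row duplication, since the
   -- process journal can hold several event rows for one sophosPID.
   (SELECT p.processName FROM sophos_process_journal p
     WHERE p.sophosPID = spj.parentSophosPID LIMIT 1) AS parentProcess,
   (SELECT p.cmdLine FROM sophos_process_journal p
     WHERE p.sophosPID = spj.parentSophosPID LIMIT 1) AS parentCmdLine,
   users.username,
   -- Rows recorded against the web filter proxy are the ones where the
   -- originating process is not present in this result and must be
   -- attributed by other means.
   CASE
      WHEN LOWER(spj.processName) = 'swi_fc.exe'
         THEN 'proxied by swi_fc.exe - originating process not in this row'
      ELSE 'direct'
   END AS attribution
FROM
   sophos_http_journal shj
INNER JOIN
   sophos_process_journal spj
   ON shj.sophosPID = spj.sophosPID
LEFT JOIN
   users
   ON spj.sid = users.uuid
WHERE
   (shj.source LIKE '%$$source_or_destination_ip$$%'
    OR shj.destination LIKE '%$$source_or_destination_ip$$%')
   AND LOWER(shj.url) LIKE LOWER('%$$uri$$%')
   AND shj.time >= $$startTime$$
   AND shj.time <= $$endTime$$
ORDER BY
   attribution DESC, shj.time;
```

Sorting on the attribution column puts the proxied rows first, so the connections that cannot be tied to an originating process from the HTTP journal alone are the first thing an analyst sees; for those rows the parent columns will describe swi_fc.exe's own parent, not the real originator, which is exactly the gap the post describes.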
