Missing information in Live Discover queries

Hello everyone,

Yesterday we saw a detection and tried to get more information about it, but without success.

If I see suspicious detections I usually run some Live Discover queries like Process Tree, Process activity (user/device), network activity and so on. The interesting thing here is that I could not find this SPID nor the command line in any query.

This is the result for the query "Process tree for a Sophos PID (Windows)":

Even if I run the query for the parent_sophos_pid, I do not see an entry for "wscript.exe" in the process tree. The queries "Process activity for device" and "Process activity for username" also contain none of the SPIDs mentioned in the detection view.

If I understand correctly, this detection is based on Data Lake data, so I am a bit surprised that I cannot find any information in the Data Lake queries. I'm pretty sure that was legitimate behavior, so my question is more directed at the lack of information in the Data Lake queries.

Best Regards,
