Get Process

[ai-ryanbess]

Hello,
Is there a module created that would allow a user to enter a source and destination ip and when entered the result would be the process from an endpoint that initiated the connection?

[carlosmmatos]

@ai-ryanbess - unfortunately an API for this does not currently exist.

[ai-ryanbess]

Is there a module that we can use to send a custom written FQL search that the API would take in and process?

[carlosmmatos]

We'll poke around - might be able to leverage the Logscale API's to see if it's doable

[ai-ryanbess]

Thank you. That seems like exactly what we would like to do.

[ai-ryanbess]

We'll poke around - might be able to leverage the Logscale API's to see if it's doable

Also to add, we'd like to also get the command line that called the processes and possible some other stuff like parent process etc. Our goal is to provide our IR team a quick simple way of feeding in some simple data (collected via an ansible survey) and have ansible quickly spit back the root cause.

[carlosmmatos]

The way this would most likely work is:

• You define the LogScale FQL filter. Obviously this must be a valid filter and something you can define/test via logscale.
• The Module will send that query and then wait for the response
• You will then get back a JSON representation of that response.
  With the return, you can parse/use whatever fields are returned back based on your query.

So ideally, if you can do this in logscale/ngsiem today from the UI in the sense of getting the data you need, then this module will essentially do the same.