sonal k
10/12/2021, 12:10 PM

Mike Myers
10/12/2021, 4:59 PM
process_file_events maybe

sonal k
10/12/2021, 7:42 PM

Mike Myers
10/12/2021, 11:31 PM
process_file_events and then determine if that process (or its parent process) had a socket connection open (process_open_sockets). Even then, a process could have multiple connections open.
There is no direct line of cause from file change back to remote IP address. Every packet would have to be traced from ingress to the process receiving it and then traced through that process's execution to perform an analysis of actions it might have caused.

puffycid
10/12/2021, 11:46 PM
file_events could be one but u will probably need another to associate it with an IP
For example on Windows, combining the data/timestamps from file_events with IIS logs u may be able to associate it with an IP