Step 10. Searching for related events

You can expand your investigation scope by searching for events of related alerts.

The events can be found in the KUMA event database manually, or by selecting one of the related alerts and clicking Find in events in the alert details (Incidents → the relevant incident → Related alerts → the relevant alert → Related endpoints → Find in events). The found events can then be linked to the selected alert; however, the alert must be unlinked from the incident before that.

Example

As a result, the analyst found the A new process has been created event, in which the command that created the new registry key was recorded. From the event data, the analyst established that cmd.exe was the parent process of reg.exe; in other words, the attacker started a command prompt and executed the command from it. The event details also include the ChromeUpdate.bat file that was set to autorun. To find out where this file came from, the analyst searched the event database for events with FileName = 'C:\\Users\\UserName\\Downloads\\ChromeUpdate.bat' and the %%4417 access code (access type WriteData (or AddFile)) in the access list:

SELECT * FROM `events` WHERE DeviceCustomString1 LIKE '%4417%' AND FileName = 'C:\\Users\\UserName\\Downloads\\ChromeUpdate.bat' AND DeviceVendor = 'Microsoft' ORDER BY Timestamp DESC LIMIT 250

As a result, the analyst discovered that the file was downloaded from an external source using the msedge.exe process. The analyst linked this event to the alert as well.
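As an added illustration (these queries are not part of the original KUMA documentation), the same pivot can be written as a sequence of KUMA event-search queries: first confirm the cmd.exe → reg.exe parent/child relationship, then find the write to the batch file, then generalize the search to any script written into a Downloads folder by a browser. The field mapping is an assumption about the Microsoft normalizer: DeviceEventClassID is assumed to carry the Windows event ID, SourceProcessName and DestinationProcessName the parent and new process of a 4688 event, DestinationProcessName the writing process of a 4663 event, and DeviceCustomString1 its access list. Check the mapping of your normalizer before reusing them.

```sql
-- Query 1 (assumed field mapping): process-creation events (Windows 4688)
-- in which cmd.exe spawned reg.exe. LIKE treats backslash as an escape
-- character, so the patterns match on the executable name only.
SELECT Timestamp, DeviceHostName, SourceUserName,
       SourceProcessName, DestinationProcessName
FROM `events`
WHERE DeviceVendor = 'Microsoft'
  AND DeviceEventClassID = '4688'
  AND SourceProcessName LIKE '%cmd.exe'
  AND DestinationProcessName LIKE '%reg.exe'
ORDER BY Timestamp DESC
LIMIT 250

-- Query 2: file-system audit events (Windows 4663) that wrote the batch
-- file. %%4417 is the WriteData (or AddFile) access type; matching on the
-- access list rather than an exact value also catches entries that list
-- several rights. The exact path is compared with = to avoid LIKE escaping.
SELECT Timestamp, DeviceHostName, SourceUserName,
       DestinationProcessName, FileName
FROM `events`
WHERE DeviceVendor = 'Microsoft'
  AND DeviceEventClassID = '4663'
  AND DeviceCustomString1 LIKE '%4417%'
  AND FileName = 'C:\\Users\\UserName\\Downloads\\ChromeUpdate.bat'
ORDER BY Timestamp DESC
LIMIT 250

-- Query 3 (generalization): any script-like file written into a Downloads
-- folder by a browser process. Narrow the time range to the incident
-- window in the KUMA search panel before running it on a busy tenant.
SELECT Timestamp, DeviceHostName, SourceUserName,
       DestinationProcessName, FileName
FROM `events`
WHERE DeviceVendor = 'Microsoft'
  AND DeviceEventClassID = '4663'
  AND DeviceCustomString1 LIKE '%4417%'
  AND FileName LIKE '%Downloads%'
  AND (FileName LIKE '%.bat' OR FileName LIKE '%.cmd'
       OR FileName LIKE '%.ps1' OR FileName LIKE '%.vbs')
  AND (DestinationProcessName LIKE '%msedge.exe'
       OR DestinationProcessName LIKE '%chrome.exe'
       OR DestinationProcessName LIKE '%firefox.exe')
ORDER BY Timestamp DESC
LIMIT 250
```

Run each query separately in the Events section. Query 2 only returns results if object-access auditing (event 4663) is enabled for the user profile folders on the endpoint; if it returns nothing, that is an auditing gap to note in the incident rather than evidence that the file was not written.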

Searching for related events for each alert of the incident allows the analyst to reconstruct the entire attack chain.
