Document toolboxDocument toolbox

pathFromRoot

Owned by Anthony Shevlin (Deactivated)
Last updated: Dec 01, 2023
2 min read
[ 1 Operator usage in easy mode ] [ 2 Usage details ] [ 3 Example ]

Given data of chain events find the path (chain of processes) from root to the current event.

Let us say that we have following chain of events:

parent_process

child_process

parent_process

child_process

A

B

B

C

C

D

A

E

B

F

which looks as follow:

Graph

A / \ B E / \ C F / D

and for each row we want to get chain sequence all the way from root, example, as follow:

parent_process

child_process

lhub_path

parent_process

child_process

lhub_path

A

B

A->B

B

C

A->B->C

C

D

A->B->C->D

A

E

A->E

B

F

A->B->F

also add additional information such as what is the depth of the step (distance from root process), and is it leaf step (final process)

Operator usage in easy mode

  1. Click + on the parent node.

  2. Enter the Path from Root operator in the search field and select the operator from the Results to open the operator form.

  3. In the Table drop-down, enter or select the table to which the operator is applied.

  4. In the Source Attribute drop-down, enter or select the list of columns that define the source.

  5. In the Dest Attribute drop-down, enter or select the list of columns that define the destination.

  6. Optional. In the Max Depth, click Add More to add the maximum depth of the graph. You can click to add more to define the maximum depth of the graph.

  7. Click Run to view the result.

  8. Click Save to add the operator to the playbook.

  9. Click Cancel to discard the operator form.

Usage details

LQL Command

pathFromRoot(table, sourceAttributes, destAttributes, maxDepth) // table: input table to apply the operator // sourceAttributes: list of column names that specify the source e.g. ["computerName", "sourceProcessID", "sourceProcessName"] // destAttributes: list of column names that specify the dest e.g. ["computerName", "destProcessID", "dstProcessName"] // maxDepth: optional parameter to help to reduce computation time, if you know in advance approximate maxDepth of the tree, the set the value and it will compute up to that level, otherwise it might run into loops and compute forever.

Example

Input
table

parent_process

child_process

parent_process

child_process

A

B

B

C

C

D

A

E

B

F

LQL command

pathFromRoot(table, ["partent_process"], ["child_process"])

Output

parent_process

child_process

lhub_path

lhub_isLeaf

lhub_level

lhub_root

parent_process

child_process

lhub_path

lhub_isLeaf

lhub_level

lhub_root

A

B

A=>B

0

1

A

B

C

A=>B=>C

0

2

A

C

D

A=>B=>C=>D

1

3

A

A

E

A=>E

1

1

A

B

F

A=>B=>F

1

2

A