in ransomware/artifact.lua [3879:3931]
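--- Fold one event's alert score into its process's running score and propagate
-- the result to the parent process entry.
--
-- The event's alertScore is added to processData.totalEventScore, which becomes
-- the new totalScore. When the event names a valid parent, the child's current
-- total is recorded in the parent's `children` table, all child totals are
-- summed, and if that sum reaches PROCESS_PARENT_CHILD_ALERT_SCORE_THRESHOLD the
-- parent's totalScore is bumped by the threshold and an alert is generated
-- unless the parent is already marked `alerted`. Finally, once the process has
-- more than PROCESS_TREND_FLOOR events, a positive trendScore is added on top.
--
-- @param eventData table: reads processId, parentProcessId, alertScore
-- @param processData table: reads/writes totalEventScore, totalScore; reads
--   trendScore and events
-- @return nothing; results are written into processData and, when applicable,
--   into self.processDataTable[eventData.parentProcessId]
function Production:TotalProcessScore(eventData, processData)
  processData.totalEventScore = processData.totalEventScore + eventData.alertScore
  processData.totalScore = processData.totalEventScore

  if globals.INVALID_PROCESS_ID ~= eventData.parentProcessId then
    local parentProcessData = self.processDataTable[eventData.parentProcessId]
    if parentProcessData == nil then
      -- Parent has no entry (never tracked, or already removed). Without this
      -- guard the next line indexes nil and aborts scoring for the event,
      -- which would also skip the per-process trend scoring below.
      utils.DebugLog('PPID ' .. eventData.parentProcessId .. ' not tracked; skipping parent-child scoring')
    else
      -- The child's latest total overwrites its previous value, so the sum is
      -- over current per-child totals rather than a running history.
      parentProcessData.children[eventData.processId] = processData.totalScore
      local childScore = 0.0
      for _, score in pairs(parentProcessData.children) do
        childScore = childScore + score
      end
      utils.DebugLog('child Score: ' .. childScore)

      if childScore >= globals.PROCESS_PARENT_CHILD_ALERT_SCORE_THRESHOLD then
        utils.DebugLog('PARENT-CHILD ALERT: ' .. eventData.parentProcessId)
        -- Every event that keeps the children at/over threshold adds the
        -- threshold to the parent's total; there is no cap applied here.
        parentProcessData.totalScore = parentProcessData.totalScore +
          globals.PROCESS_PARENT_CHILD_ALERT_SCORE_THRESHOLD
        -- NOTE(review): only an explicit `false` allows alerting; a nil
        -- `alerted` field also suppresses it. Confirm the entry initialiser
        -- sets alerted = false, and that alert.GenerateAlert flips it to true.
        if false == parentProcessData.alerted then
          utils.DebugLog('parentProcessData alert PID: ' .. parentProcessData.processId)
          local product = utils.GetProduct()
          if product == 'elastic' then
            -- Elastic alerts carry the list of descendant processes.
            local ransomwareChildProcesses = {}
            self:AppendChildProcesses(parentProcessData, ransomwareChildProcesses)
            parentProcessData['child_processes'] = ransomwareChildProcesses
          end
          alert.GenerateAlert(parentProcessData, true)
        end
      else
        utils.DebugLog('PPID ' .. eventData.parentProcessId .. ' | CHILD SCORE: ' .. childScore)
      end
    end
  end

  -- Trend contribution only applies after enough events have accumulated,
  -- and only when the trend is positive.
  if globals.PROCESS_TREND_FLOOR < #processData.events then
    if 0.0 < processData.trendScore then
      processData.totalScore = processData.totalScore + processData.trendScore
    end
  end

  utils.DebugLog('PID: ' .. eventData.processId .. ' | TOTAL #Events: ' .. #processData.events ..
    ' | TOTAL Event Score: ' .. processData.totalEventScore .. ' | TOTAL Event + Trend Score: ' ..
    processData.totalScore)
end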