EDR — Process Tree

Best-of

CrowdStrike Falcon · SentinelOne

Module

nexus_secops/edr.py

Edition

Free (lineage rules), agent telemetry required

API

/api/v1/edr/hosts · /edr/tree · /edr/processes · /edr/ancestry

What it does

The agent sends real process snapshots — pid, ppid, user and command line, collected from ps on Linux and Get-CimInstance Win32_Process on Windows. The manager rebuilds the process tree and flags suspicious lineage: relationships that are almost always malicious regardless of the process name.

systemd ─▶ nginx ─▶ bash ─▶ mimikatz
                     ▲        ▲
       web server spawns a shell    shell spawns a credential tool

How to use it

GET /api/v1/edr/hosts                       # hosts with process inventory
GET /api/v1/edr/tree?agent_id=<id>          # full ancestry tree
GET /api/v1/edr/ancestry?agent_id=<id>&pid=<pid>   # walk one process back to root

Lineage detections

EDR raises a suspicious_lineage event (rule NEXUS-EDR-001) for:

• Web server → shell — nginx/apache/php/node spawning sh/bash/cmd/powershell (webshell / RCE).
• Office → script — Word/Excel/Outlook spawning a shell or script host (malicious macro).
• Encoded PowerShell — powershell -enc <base64> and other LOLBin obfuscation.
• Known-bad tools — mimikatz, cobaltstrike, meterpreter, xmrig, and similar.

How it feeds the pipeline

Each lineage finding becomes an alert that flows to XDR — where it can combine with Threat-Intel or NDRsignals into a "C2 confirmed" incident — and is summarized by the AI, which can suggest the kill/isolate SOAR playbook.

Tips

• Use /edr/ancestry on a flagged pid to answer the key question: how did it get here?
• Trees are depth-capped and cycle-safe, so even corrupt snapshots render without hanging.
• Pair EDR with SOAR's PB-SUSPROC-KILL to stop the chain once you confirm it.