Latest Version 2.0.0
March 3, 2023
Welcome to the new Splunkbase! To return to the old Splunkbase, click here.
This app is archived. Learn more
PSTree for Splunk
This apps main function is to enable a custom Splunk search command to reconstruct a pstree from Sysmon process creation events (EventCode 1). Information from memory forensics, such as Volatility's pstree, can be very helpful to detect malicious processes. By ingesting Sysmon events in Splunk and using this command you can quickly get similar information without performing memory forensics.
Built by Donald Murchison
Compatibility
Not Available
Platform Version: 9.4, 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0, 7.3
Rating
0
(0)
Log in to rate this app
Support
Not Supported
This apps main function is to enable a custom Splunk search command to reconstruct a pstree from Sysmon process creation events (EventCode 1). Information from memory forensics, such as Volatility's pstree, can be very helpful to detect malicious processes. By ingesting Sysmon events in Splunk and using this command you can quickly get similar information without performing memory forensics.
Categories
Created By
Donald Murchison
Type
addon
Downloads
2,616
Licensing
Splunk Answers
Resources
Log in to report this app listing