Welcome to the new Splunkbase! To return to the old Splunkbase, click here.
Warning

This app is archived. App archiving documentation

PSTree for Splunk app icon

PSTree for Splunk

This apps main function is to enable a custom Splunk search command to reconstruct a pstree from Sysmon process creation events (EventCode 1). Information from memory forensics, such as Volatility's pstree, can be very helpful to detect malicious processes. By ingesting Sysmon events in Splunk and using this command you can quickly get similar information without performing memory forensics.

Built by
splunk product badge
screenshot
screenshot
Latest Version 2.0.0
March 3, 2023
Compatibility
Not Available
Platform Version: 9.4, 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0, 7.3
Rating

0

(0)

Log in to rate this app
Support
PSTree for Splunk support icon
Not Supported
This apps main function is to enable a custom Splunk search command to reconstruct a pstree from Sysmon process creation events (EventCode 1). Information from memory forensics, such as Volatility's pstree, can be very helpful to detect malicious processes. By ingesting Sysmon events in Splunk and using this command you can quickly get similar information without performing memory forensics.

Categories

Created By

Donald Murchison

Type

addon

Downloads

2,879

Licensing

End User License Agreement for Third-Party Content(Opens new window)

Splunk Answers

Ask a question about this app listing(Opens new window)

Resources

Log in to report this app listing