PSTree for Splunk app icon

PSTree for Splunk

This apps main function is to enable a custom Splunk search command to reconstruct a pstree from Sysmon process creation events (EventCode 1). Information from memory forensics, such as Volatility's pstree, can be very helpful to detect malicious processes. By ingesting Sysmon events in Splunk and using this command you can quickly get similar information without performing memory forensics.

Built by
splunk product badge
screenshot
screenshot
Latest Version 2.1.0
March 28, 2026
Compatibility
Splunk Enterprise, Splunk Cloud
Platform Version: 10.3, 10.2, 10.1, 10.0, 9.4, 9.3, 9.2
Rating

0

(0)

Log in to rate this app
Support
PSTree for Splunk support icon
Not Supported
This apps main function is to enable a custom Splunk search command to reconstruct a pstree from Sysmon process creation events (EventCode 1). Information from memory forensics, such as Volatility's pstree, can be very helpful to detect malicious processes. By ingesting Sysmon events in Splunk and using this command you can quickly get similar information without performing memory forensics.

Categories

Security, Fraud & Compliance

Created By

Donald Murchison

Source Code

splunk_pstree_app(Opens new window)

Type

addon

Downloads

3,055

Licensing

Splunk End User License for Third Party Content(Opens new window)

Splunk Answers

Ask a question about this app listing(Opens new window)

Resources

Log in to report this app listing