- Requires this app: https://github.com/murchisd/splunk_pstree_app
- App by: https://twitter.com/donaldmurchison
The query is very finicky and considered alpha; it is probably not suitable for production use, but it is useful for digging into a particular event.
index=sysmon
```Comment lines use the SPL triple-backtick comment syntax (Splunk 8.0 and later); remove them on older releases. Scope this first line further (by host, time range or a specific process GUID) when investigating one event, since everything below aggregates whatever this search returns.```
| eval guid_noramlized=coalesce(ProcessGuid,SourceProcessGUID)
```Process key: ProcessGuid when present, otherwise SourceProcessGUID (coalesce returns the first non-null argument). The field name is misspelt but is used consistently below, so it is left as is.```
| stats values(DestinationIp) AS DestinationIp, values(CommandLine) AS CommandLine,values(Initiated) AS Initiated,values(_time) AS time,values(ParentImage) AS ParentImage, values(Image) AS Image,values(ParentProcessId) AS ParentProcessId,values(ProcessId) AS ProcessId, values(ImageLoaded) AS ImageLoaded,values(TargetObject) AS TargetObject,values(TargetImage) AS TargetImage, values(ParentCommandLine) AS ParentCommandLine, values(User) AS User,values(OriginalFileName) AS OriginalFileName BY guid_noramlized
```One row per process key, each field reduced to its distinct values (values() de-duplicates). _time is kept as the multivalue field time so that mvexpand below can split it back out.```
| fillnull value="NULL"
```Any field absent on a row becomes the literal string NULL; presumably so the string concatenation in detail below still renders when a field is missing, since concatenating a null field would blank the whole value - confirm if the output ever shows empty detail blocks.```
| mvexpand time
```One row per distinct timestamp recorded for the process.```
```NOTE(review): mvcombine only merges rows that are identical in every field except the named one, so the order of the next four commands decides how rows regroup - do not reorder them.```
| mvcombine ImageLoaded
| mvcombine TargetImage
| mvcombine TargetObject
| mvcombine DestinationIp
```Tree node labels have the form image path (pid). Parent/child linking is on image path plus PID, not on GUID; a PID reused inside the searched time window can therefore attach a child under the wrong parent - TODO confirm against how pstree matches parent to child.```
| eval parent = ParentImage." (".ParentProcessId.")"
| eval child = Image." (".ProcessId.")"
```Multi-line text shown under each node. The line breaks between the bracketed labels are inside the string literal and are intentional; keep them.```
| eval detail=strftime(time,"%Y-%m-%d %H:%M:%S")."
[User Name]:
".User."
[Original File Names]:
".OriginalFileName."
[Parent Process Value]:
".ParentImage."
[Parent Command Line Value]:
".ParentCommandLine."
[Command Line Value]:
".CommandLine."
[Destination IPs Contacted]:
".DestinationIp."
[Initiated (T/F)]:
".Initiated."
[Images Loaded]:
".ImageLoaded."
[Processes Accessed]:
".TargetImage."
[Registry Keys Modified]:
".TargetObject
```pstree is provided by the app linked in the notes above; the spaces argument is passed through unchanged - see that app's README for what it controls.```
| pstree child=child parent=parent detail=detail spaces=50
```Only the rendered tree column is kept in the output.```
| table tree