murchisd / splunk_pstree_app

Custom Splunk search command to reconstruct a pstree from Sysmon process creation events (EventCode 1)

Can we add more information to the execution result ? #4

Closed. Moofeng closed this 2 years ago

Moofeng commented 2 years ago

Just as the example here: [image]

How can I add more metadata to the result, such as:

index=sysmon EventCode=1 host=victim_machine
| fields *
| pstree child=Image parent=ParentImage
| table _time, host, tree
Moofeng commented 2 years ago

Well, I've got the trick: [image]
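The thread above asks how to keep per-event metadata (`_time`, `host`, and so on) alongside the reconstructed tree. The following is an added, stand-alone illustration written for this page; it is not the `splunk_pstree_app` command's code and does not reproduce the trick from the screenshot. It assumes Sysmon EventCode 1 records as flat dicts (the shape a Splunk search returns) with the standard Sysmon fields `ProcessGuid`, `ParentProcessGuid`, `Image`, `ParentImage` and `User`. Unlike the `pstree child=Image parent=ParentImage` invocation on the page, it links parent and child by `ProcessGuid` rather than by image path, so two processes with the same image path (two `cmd.exe` instances, say) are kept apart; that keying is a design choice of this example, not something the page specifies. The sample events are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed sample Sysmon EventCode 1 events (not real telemetry).
# Deliberately out of ingestion order to show the tree does not depend on it.
# Parent GUIDs G0 and G9 never appear as ProcessGuid, so G1 and G10 become roots.
SAMPLE_EVENTS = [
    {"_time": "2023-01-01T10:00:03Z", "host": "victim_machine", "EventCode": 1,
     "ProcessGuid": "G3", "ParentProcessGuid": "G2", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"_time": "2023-01-01T10:00:00Z", "host": "victim_machine", "EventCode": 1,
     "ProcessGuid": "G1", "ParentProcessGuid": "G0", "User": "CORP\\alice",
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"_time": "2023-01-01T10:00:04Z", "host": "victim_machine", "EventCode": 1,
     "ProcessGuid": "G4", "ParentProcessGuid": "G3", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"_time": "2023-01-01T10:00:02Z", "host": "victim_machine", "EventCode": 1,
     "ProcessGuid": "G2", "ParentProcessGuid": "G1", "User": "CORP\\alice",
     "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"_time": "2023-01-01T09:59:00Z", "host": "victim_machine", "EventCode": 1,
     "ProcessGuid": "G10", "ParentProcessGuid": "G9", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\services.exe",
     "ParentImage": r"C:\Windows\System32\wininit.exe"},
    {"_time": "2023-01-01T09:59:01Z", "host": "victim_machine", "EventCode": 1,
     "ProcessGuid": "G11", "ParentProcessGuid": "G10", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # A non-creation event that must be ignored by the tree builder.
    {"_time": "2023-01-01T10:00:05Z", "host": "victim_machine", "EventCode": 3,
     "ProcessGuid": "G4", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def build_tree(events):
    """Index EventCode 1 events by ProcessGuid and group children by parent GUID.

    Returns (nodes, children): nodes maps ProcessGuid -> full event dict (so every
    original field, including _time and host, stays attached to its node);
    children maps ParentProcessGuid -> list of child ProcessGuids.
    """
    nodes = {}
    children = defaultdict(list)
    for ev in events:
        if int(ev.get("EventCode", 0)) != 1:
            continue
        guid = ev["ProcessGuid"]
        nodes[guid] = ev
        children[ev["ParentProcessGuid"]].append(guid)
    return nodes, children


def find_roots(nodes):
    """A root is a process whose parent was never seen as a creation event
    (it started before logging began, or its event was not collected)."""
    return sorted(g for g, ev in nodes.items() if ev["ParentProcessGuid"] not in nodes)


def render_tree(nodes, children, extra_fields=("_time", "host", "User")):
    """Depth-first rendering, one line per process, children ordered by _time.

    Each line carries the requested metadata fields next to the image path,
    which is the per-node enrichment the issue above asks for.
    """
    lines = []
    visited = set()  # guards against malformed data that forms a cycle

    def walk(guid, depth):
        if guid in visited:
            return
        visited.add(guid)
        ev = nodes[guid]
        meta = " ".join(f"{f}={ev[f]}" for f in extra_fields if f in ev)
        lines.append(f"{'  ' * depth}{ev['Image']}  [{meta}]")
        for child in sorted(children.get(guid, []), key=lambda g: nodes[g]["_time"]):
            walk(child, depth + 1)

    for root in find_roots(nodes):
        walk(root, 0)
    return lines


def pstree(events, extra_fields=("_time", "host", "User")):
    """Convenience wrapper: events in, rendered tree lines out."""
    nodes, children = build_tree(events)
    return render_tree(nodes, children, extra_fields)


if __name__ == "__main__":
    print("\n".join(pstree(SAMPLE_EVENTS)))
```

Because each node keeps its whole event dict, any field present in the search results can be added to `extra_fields` without touching the tree logic; the same idea applies in SPL, where the fields that should survive must be present on the events before the tree is built, as the `| fields *` line in the question already does.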