Splunk Lantern

Processes running on a host

You might want to gather details about processes running on a host when doing the following:

Prerequisites

Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.

Example

As part of a suspected privilege escalation attack, you have identified a suspicious host. You want to collect details about the processes running on this host, starting with the parent processes. 

To optimize the search shown below, you should specify an index and a time range. 

  1. Ensure that your deployment is ingesting endpoint data that tracks process activity, including parent-child relationships, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.
  2. Run the following search:
    |tstats summariesonly=true allow_old_summaries=true count values(Processes.process) AS process min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = <process_name> Processes.dest = <dest> BY Processes.user Processes.parent_process_name Processes.process_name
    |rename "Processes.*" as "*"
    |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
    |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)

  3. To investigate all processes, not just parent processes, change the first line of the search to the following and rerun it (the rename and convert lines stay the same, so min(_time) must still be aliased to firstTime):
    |tstats summariesonly=true allow_old_summaries=true count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE Processes.dest=<dest> BY Processes.parent_process Processes.process_name Processes.user Processes.dest


Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

|tstats summariesonly=true allow_old_summaries=true count values(Processes.process) AS process min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = <process_name> Processes.dest = <dest> BY Processes.user Processes.parent_process_name Processes.process_name
Query the Endpoint.Processes object for the user, parent process name, and process name of a given process on a target machine. The required <dest> field is the host on which the process is running. The required <process_name> field is the process you want to investigate.

|rename "Processes.*" as "*"
Rename the data model object fields for better readability.

|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
Convert these epoch times into readable strings.

|tstats summariesonly=true allow_old_summaries=true count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE Processes.dest=<dest> BY Processes.parent_process Processes.process_name Processes.user Processes.dest
Query the Endpoint.Processes object for the parent process, process name, user, and host of every process on a target machine (no process name filter). The required <dest> field is the host on which the processes are running.

Result

The search returns all the processes running on a given machine, along with the first and last time each process ran. It is a quick way to inspect what was running on a system during a given time range, and is typically used during an investigation of a specific host when the offending process is not yet known.
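The flat rows the "all processes" search returns still have to be read back into parent-child chains. As an added example that is not part of this article or the Splunk Security Content project, the Python below assumes those results (after the rename step) were exported as CSV with the column names shown in the search, and rebuilds the chains from them: it normalizes a parent_process command line (or a bare parent_process_name) to an image name, orders siblings by firstTime using the same time format the convert step emits, and stops when an image name spawns itself. The sample rows, host, user, paths and times are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

TIMEFMT = "%m/%d/%Y %H:%M:%S"  # the format the search's convert step emits

# Constructed sample rows shaped like the "all processes" search output (after the
# rename step) exported as CSV; host, user, paths and times are made up.
SAMPLE_CSV = r'''parent_process,process_name,user,dest,firstTime,lastTime,count
C:\Windows\System32\services.exe,svchost.exe,SYSTEM,host01,01/02/2024 08:00:01,01/02/2024 17:59:10,412
C:\Windows\explorer.exe,OUTLOOK.EXE,jdoe,host01,01/02/2024 08:05:12,01/02/2024 17:30:44,1
"""C:\Program Files\Microsoft Office\OUTLOOK.EXE"" /recycle",cmd.exe,jdoe,host01,01/02/2024 09:15:03,01/02/2024 09:15:03,1
cmd.exe /c whoami,whoami.exe,jdoe,host01,01/02/2024 09:15:05,01/02/2024 09:15:05,1
cmd.exe /c ipconfig /all,ipconfig.exe,jdoe,host01,01/02/2024 09:15:09,01/02/2024 09:15:09,1
'''

def parent_name(parent_process):
    """Reduce a parent command line (or a bare parent_process_name) to a lowercase image name."""
    cmd = parent_process.strip()
    # Quoted path: take up to the closing quote; otherwise the first whitespace-delimited token.
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split(None, 1)[0] if cmd else "")
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def build_tree(csv_text):
    """Parse exported rows and map each parent image name to the rows it spawned."""
    children = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        children[parent_name(row["parent_process"])].append(row)
    return children

def roots(children):
    """Parents that never appear as a child row: the top of each chain seen on the host."""
    seen = {r["process_name"].lower() for rows in children.values() for r in rows}
    return sorted(p for p in children if p not in seen)

def render(children, parent, depth=0, stack=()):
    """Indented lines for everything under `parent`, oldest first (by firstTime)."""
    lines = []
    by_time = lambda r: datetime.strptime(r["firstTime"], TIMEFMT)
    for row in sorted(children.get(parent, []), key=by_time):
        name = row["process_name"].lower()
        lines.append(f"{'  ' * depth}{name} user={row['user']} first={row['firstTime']} "
                     f"last={row['lastTime']} count={row['count']}")
        if name not in stack:  # keys are image names, not PIDs: stop when a name spawns itself
            lines.extend(render(children, name, depth + 1, stack + (name,)))
    return lines

if __name__ == "__main__":
    tree = build_tree(SAMPLE_CSV)
    for root in roots(tree):
        print("\n".join([root] + render(tree, root, 1)))
```

Because the search groups by name rather than PID, two distinct instances with the same image name collapse into one row; the count column tells you how many executions that row stands for.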

For additional information about this search, such as its applicability to common frameworks and standards, see these projects on GitHub for parent processes and all processes.
