Internal Host SSH Investigate
Description
Investigate an internal unix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity, and network activity. This includes the process list, login history, cron jobs, and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review.
- Type: Investigation
- Product: Splunk SOAR
- Apps: SSH
- Last Updated: 2021-12-14
- Author: Philip Royer, Splunk
- ID: fdb65816-6688-41d8-8698-755b7b4ec44e
Associated Detections
How To Implement
The ssh asset requires sudo access to view the processes with open sockets.
Explore Playbook
Required field
Reference
source | version: 1