

Investigate an internal Unix host over SSH. The playbook pushes a bash script to the endpoint and runs it, collecting generic information about processes, user activity, and network activity: the process list, login history, cron jobs, and open sockets. Each data set is written to a .csv file; the files are zipped and the archive is added to the vault for an analyst to review.

  • Type: Investigation
  • Product: Splunk SOAR
  • Apps: SSH
  • Last Updated: 2021-12-14
  • Author: Philip Royer, Splunk
  • ID: fdb65816-6688-41d8-8698-755b7b4ec44e
  • Use-cases:

Associated Detections

How To Implement

The account configured on the SSH asset requires sudo on the target host: `ss -p` and `netstat -p` only report the owning process for sockets that belong to the calling user, so without elevated privileges the socket listing has no process names for other users' connections. The same applies to reading other users' crontabs. Grant sudo for the collection commands only rather than unrestricted root, since the credentials live in the SOAR asset.
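The following is an added example of a host-triage collector in the spirit of the script the playbook pushes; it is not Splunk's script, and the file names, CSV layouts and the use of `tar -czf` in place of zip are assumptions made here. Run as an unprivileged user it still produces every file, but other users' crontabs and the processes behind sockets you do not own only appear when the script runs under sudo, which is the point of the implementation note above.

```shell
#!/bin/sh
# Added example (not the playbook's own script): collect process list,
# login history, cron jobs and open sockets into CSV files and bundle them.
# File names, CSV layouts and tar.gz instead of zip are assumptions.

# Emit one CSV row: every field double-quoted, embedded quotes doubled.
csv_row() {
  row=""
  for field in "$@"; do
    escaped=$(printf '%s' "$field" | sed 's/"/""/g')
    row="$row\"$escaped\","
  done
  printf '%s\n' "${row%,}"
}

# Process list: pid, ppid, user and full command line.
collect_processes() {
  csv_row pid ppid user args
  ps -eo pid=,ppid=,user=,args= 2>/dev/null | while read -r pid ppid user args; do
    csv_row "$pid" "$ppid" "$user" "$args"
  done
}

# Login history from wtmp via `last`, plus current sessions from `who`.
collect_logins() {
  csv_row source record
  if command -v last >/dev/null 2>&1; then
    last 2>/dev/null | while read -r line; do csv_row last "$line"; done
  fi
  if command -v who >/dev/null 2>&1; then
    who 2>/dev/null | while read -r line; do csv_row who "$line"; done
  fi
}

# Cron: system crontab, /etc/cron.d, and per-user crontabs. Reading a
# crontab for a user other than the caller needs root (hence sudo).
collect_cron() {
  csv_row source entry
  for f in /etc/crontab /etc/cron.d/*; do
    [ -f "$f" ] || continue
    grep -Ev '^[[:space:]]*(#|$)' "$f" 2>/dev/null |
      while read -r line; do csv_row "$f" "$line"; done
  done
  if command -v crontab >/dev/null 2>&1; then
    cut -d: -f1 /etc/passwd 2>/dev/null | while read -r user; do
      crontab -l -u "$user" 2>/dev/null | grep -Ev '^[[:space:]]*(#|$)' |
        while read -r line; do csv_row "crontab:$user" "$line"; done
    done
  fi
}

# Listening and established TCP/UDP sockets. The owning process of a
# socket belonging to another user is only shown when run with sudo.
collect_sockets() {
  csv_row record
  if command -v ss >/dev/null 2>&1; then
    ss -tunap 2>/dev/null | while read -r line; do csv_row "$line"; done
  elif command -v netstat >/dev/null 2>&1; then
    netstat -tunap 2>/dev/null | while read -r line; do csv_row "$line"; done
  fi
}

# Write the four CSVs into $1, bundle them, and print the archive path.
collect_all() {
  outdir=$1
  mkdir -p "$outdir"
  collect_processes > "$outdir/processes.csv"
  collect_logins    > "$outdir/logins.csv"
  collect_cron      > "$outdir/cron.csv"
  collect_sockets   > "$outdir/sockets.csv"
  # The playbook zips the CSVs; tar is used here since it is present on
  # practically every Unix host (assumption).
  tar -czf "$outdir/triage.tar.gz" -C "$outdir" \
    processes.csv logins.csv cron.csv sockets.csv
  printf '%s\n' "$outdir/triage.tar.gz"
}

# Usage: sudo sh triage.sh /tmp/triage-"$(hostname)"
if [ $# -gt 0 ]; then
  collect_all "$1"
fi
```

Run it once as the SOAR service account and once under sudo and diff the sockets.csv and cron.csv files: the rows gained under sudo are exactly the data the implementation note says requires elevation.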





source | version: 1