Try in Splunk SOAR

Description

Investigate an internal unix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity, and network activity. This includes the process list, login history, cron jobs, and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review.

  • Type: Investigation
  • Product: Splunk SOAR
  • Apps: SSH
  • Last Updated: 2021-12-14
  • Author: Philip Royer, Splunk
  • ID: fdb65816-6688-41d8-8698-755b7b4ec44e

Associated Detections

How To Implement

The ssh asset requires sudo access to view the processes with open sockets.

Playbooks

Required field

Reference

source | version: 1