ParentProcess GUID Drilldown
Olaf Hartong edited this page Nov 15, 2018 · 5 revisions
This page gives an overview of all indicators related to the GUID of the parent process within the selected timeframe. By default this is the last 24 hours, but it can be changed to any range you prefer.
- At the top left is a force-directed graph of all processes spawned under the GUID. Most of the time this is a single process, but under certain injection conditions a second process may be visible.
- Next to it is a Sankey diagram showing all child processes, as well as the potential parent of the current parent. (I have not yet found a way to efficiently generate a full process tree in Splunk.)
- Below that is a dynamic section, identical to the one in the ATT&CK overview, built up per event type. Whenever there are results, a table is shown for each of the following event types:
- Process Create
- Process Access
- File Create
- Image Loaded
- Network Connection
- Registry Access
- Pipe Connected
- WMI
- At the bottom is a panel with all related raw events. Once unfolded, several workflow actions are available on the fields.
As in the ATT&CK overview, all fields in each row are clickable and have a specific drilldown action. Most actions are the same for all event types, but a few are event-type specific.
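The whole dashboard hinges on two fields, `process_guid` and `process_parent_guid`: the drilldown collects the rows whose parent GUID matches, the Sankey adds one hop upwards, and a full tree means following those links repeatedly. The following is an added example, not code from the ThreatHunting app, showing how those links resolve outside Splunk. It uses the field names from the table on this page, the Process Create events and GUID values are constructed sample data, and the missing parent of `{G-EXPLORER}` models a parent that started before the 24-hour search window.

```python
"""Link Sysmon-style process events by GUID.

Added example; not code from the ThreatHunting app. Field names follow the
drilldown table on this page (process_guid, process_parent_guid, host_fqdn);
the events and GUID values below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample Process Create events for one host. {G-USERINIT} has no
# event of its own: it started before the search window, as a real parent can.
EVENTS = [
    {"process_guid": "{G-EXPLORER}", "process_parent_guid": "{G-USERINIT}",
     "image": r"C:\Windows\explorer.exe", "host_fqdn": "ws01.corp.local"},
    {"process_guid": "{G-WINWORD}", "process_parent_guid": "{G-EXPLORER}",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "host_fqdn": "ws01.corp.local"},
    {"process_guid": "{G-CMD}", "process_parent_guid": "{G-WINWORD}",
     "image": r"C:\Windows\System32\cmd.exe", "host_fqdn": "ws01.corp.local"},
    {"process_guid": "{G-PS}", "process_parent_guid": "{G-CMD}",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "host_fqdn": "ws01.corp.local"},
    {"process_guid": "{G-CALC}", "process_parent_guid": "{G-EXPLORER}",
     "image": r"C:\Windows\System32\calc.exe", "host_fqdn": "ws01.corp.local"},
]


def _index(events):
    """Index events by GUID (one process) and by parent GUID (all its children)."""
    by_guid = {}
    children = defaultdict(list)
    for ev in events:
        by_guid[ev["process_guid"]] = ev
        children[ev["process_parent_guid"]].append(ev["process_guid"])
    return by_guid, children


def children_of(guid, events):
    """Every process whose process_parent_guid is `guid`: what the drilldown lists."""
    _, children = _index(events)
    return sorted(children.get(guid, []))


def parent_of(guid, events):
    """The parent's own Process Create event (the Sankey's extra hop), or None
    when the parent lies outside the search window."""
    by_guid, _ = _index(events)
    ev = by_guid.get(guid)
    if ev is None:
        return None
    return by_guid.get(ev["process_parent_guid"])


def ancestry(guid, events):
    """Follow process_parent_guid upwards until the chain leaves the window.
    The `seen` set stops malformed data from looping forever."""
    by_guid, _ = _index(events)
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(guid)
        guid = by_guid[guid]["process_parent_guid"]
    return chain


def process_tree(root, events, _children=None, _seen=None):
    """Nested dict of descendants: {root: {child: {grandchild: {}}}}."""
    if _children is None:
        _, _children = _index(events)
        _seen = set()
    _seen.add(root)
    subtree = {}
    for child in sorted(_children.get(root, [])):
        if child in _seen:  # cycle guard for malformed data
            continue
        subtree.update(process_tree(child, events, _children, _seen))
    return {root: subtree}


def render_tree(tree, events, depth=0):
    """Indented text view of process_tree() output with the image of each node."""
    by_guid, _ = _index(events)
    lines = []
    for guid, sub in tree.items():
        image = by_guid.get(guid, {}).get("image", "<outside window>")
        lines.append("  " * depth + f"{guid} {image}")
        lines.extend(render_tree(sub, events, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(process_tree("{G-EXPLORER}", EVENTS), EVENTS)))
    print("ancestry of {G-PS}:", " <- ".join(ancestry("{G-PS}", EVENTS)))
```

`parent_of("{G-EXPLORER}", EVENTS)` returns `None` rather than failing, which is the case a drilldown has to tolerate: the parent GUID is present in the child's event, but the parent's own Process Create event is outside the timeframe, so widening the time picker is the way to recover that hop.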
field name | action | description |
---|---|---|
_time | whitelist | This will open the event type specific whitelist editor and fill it with the relevant fields |
ID | MITRE technique | This will navigate to this specific ATT&CK technique description in the framework |
Technique | MITRE technique | This will navigate to this specific ATT&CK technique description in the framework |
Category | category | This will navigate to this specific Category overview in the framework |
host_fqdn | computer drilldown | This will open the Computer Drilldown dashboard, which will show all indicators for that host |
user_name | user drilldown | This will open the User Drilldown dashboard, which will show all user interactions |
process_parent_guid | ParentProcess Drilldown | This will open the ParentProcess GUID drilldown and search for the clicked GUID |
process_guid | Process Drilldown | This will open the Process GUID drilldown and search for the clicked GUID |
hash_256 | Virustotal | This will search for the clicked hash on VirusTotal |
src_ip | network drilldown | This will open the Network Drilldown dashboard and search for the clicked IP address |
dst_ip | network drilldown | This will open the Network Drilldown dashboard and search for the clicked IP address |
all other fields | table default action | This will open the ParentProcess or Process GUID drilldown depending on the event type |