The Kill Process Alert Action remotely lists the processes that are running on the specified device.

Example: If an Analytics alert did not terminate the process, identify whether the suspicious process is still running on the device.

Note: See also Live Response API.

Credential type: Custom

Note: The credential type changed with Splunk SIEM 2.0.0. A new API key is required. See Before you Upgrade from Splunk SIEM 1.x to 2.x.x.

Configuration:

Device ID Field
The name of the field in the search results that contains the ID of the device on which to list processes.