nano SIEM
Search Commands

tree

Visualize hierarchical relationships between events with optional prevalence enrichment.

Description

The tree command builds and displays hierarchical relationships from flat event data. Common use cases include process trees (parent-child process relationships) and web session flows (referrer chains). When a prevalence field is specified, each node is enriched with prevalence data to highlight rare or suspicious items.

Syntax

... | tree parent=<field> child=<field> label=<field> [detail=<field>] [prevalence=<field>] [root=<pattern>]

Preset Aliases

For common use cases, shorthand presets are available:

... | tree process [root=<pattern>]
... | tree web [root=<pattern>]

  • process - Equivalent to parent=parent_process_id child=process_id label=process_name detail=command_line prevalence=process_hash
  • web - Equivalent to parent=http_referrer child=url label=dest_host prevalence=dest_host

Required Arguments

parent Field containing the parent identifier (e.g., parent_process_id, referrer)

child Field containing the child identifier (e.g., process_id, url)

label Field to display as the node label (e.g., process_name, dest_host)

Optional Arguments

detail Field for additional detail text below each node (e.g., command_line, file_name)

prevalence Field to enrich with prevalence data (e.g., file_hash, domain). Adds prevalence_score, is_rare, host_count, first_seen, last_seen to each node.

root Filter to show only subtrees rooted at nodes matching this pattern. Supports wildcards and regex:

Wildcard patterns:

  • *text* - contains "text"
  • text* - starts with "text"
  • *text - ends with "text"
  • text - exact match (case-insensitive)

Regex patterns:

  • /pattern/ - matches using regular expression (case-insensitive)
  • /^cmd/ - starts with "cmd"
  • /\.exe$/ - ends with ".exe"
  • /wscript|cscript/ - matches "wscript" or "cscript"

The tree is built first, then filtered to show only matching subtrees with all their children.

Examples

Investigate cmd.exe process tree on a specific host

source_type=sysmon src_host="LAPTOP-HR01.corp.local" action=process_create process_name="*cmd.exe*"
| tree parent=parent_process_id child=process_id label=process_name detail=command_line prevalence=process_hash

This shows all cmd.exe spawns on a specific host with full command lines and prevalence badges highlighting rare executables.

Process tree from Sysmon

source_type=sysmon action=process_create
| tree parent=parent_process_id child=process_id label=process_name detail=command_line prevalence=process_hash

PowerShell execution tree

source_type=sysmon action=process_create process_name="*powershell*"
| tree parent=parent_process_id child=process_id label=process_name detail=command_line prevalence=process_hash

Web session flow

source_type=squid_proxy user="jsmith"
| tree parent=http_referrer child=url label=dest_host prevalence=dest_host

Using presets

source_type=sysmon action=process_create
| tree process
source_type=squid_proxy user="jsmith"
| tree web

Zoom into a specific subtree with root=

source_type=squid_proxy user="jsmith"
| tree web root="*github.com*"

This builds the full tree, then shows only subtrees where the root node's label contains "github.com".

Process tree rooted at cmd.exe

source_type=sysmon action=process_create
| tree process root="cmd.exe"

Process tree using regex (wscript or cscript)

source_type=sysmon action=process_create
| tree process root="/wscript|cscript/"

Investigate PowerShell activity on a specific host

source_type=sysmon action=process_create earliest=-5m src_host="LAPTOP-SALES01.corp.local"
| tree process root="/powershell/"

This filters to recent process creation events on a specific host, then displays only subtrees rooted at PowerShell processes.

Basic process tree without prevalence

source_type=edr
| tree parent=ppid child=pid label=process_name

EDR process tree with command line details

source_type=edr action=process_create
| tree parent=parent_pid child=pid label=process_name detail=command_line

Usage Notes

Prevalence badges: When a prevalence field is specified, nodes display:

  • [Rare] (red) - prevalence_score < 20 or is_rare=true
  • [Uncommon] (yellow) - prevalence_score 20-50
  • [Common] (green) - prevalence_score > 50

Root detection: Nodes with no matching parent become tree roots. The tree command automatically identifies orphan nodes and displays them as separate tree roots.
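As an added illustration (not code from nano SIEM), the following Python model shows how the pieces described above fit together: the tree is built from parent/child fields, nodes whose parent id matches no event become roots, a root= pattern (wildcard or /regex/) selects whole subtrees, and badges follow the prevalence thresholds. The events and their prevalence_score/is_rare values are constructed; the real command derives those from the prevalence field.

```python
import re
from fnmatch import fnmatchcase
# Constructed Sysmon-style events; prevalence_score/is_rare stand in for the
# enrichment the real command adds (assumption, not data from the page).
EVENTS = [
    {"parent_process_id": 1, "process_id": 2, "process_name": "explorer.exe", "prevalence_score": 95},
    {"parent_process_id": 2, "process_id": 3, "process_name": "cmd.exe", "prevalence_score": 80},
    {"parent_process_id": 3, "process_id": 4, "process_name": "wscript.exe", "prevalence_score": 35},
    {"parent_process_id": 4, "process_id": 5, "process_name": "updater.exe", "prevalence_score": 5, "is_rare": True},
    {"parent_process_id": 99, "process_id": 6, "process_name": "cscript.exe", "prevalence_score": 60},
]

def badge(node):
    # Page thresholds: is_rare or score < 20 -> Rare, 20-50 -> Uncommon, > 50 -> Common.
    score = node["prevalence_score"]
    if node.get("is_rare") or score < 20:
        return "[Rare]"
    return "[Uncommon]" if score <= 50 else "[Common]"

def matches(label, pattern):
    # /regex/ is a case-insensitive regex; anything else is a wildcard/exact match.
    if len(pattern) > 1 and pattern[0] == pattern[-1] == "/":
        return re.search(pattern[1:-1], label, re.IGNORECASE) is not None
    return fnmatchcase(label.lower(), pattern.lower())

def build_tree(events, parent, child, label, prevalence=None, root=None):
    """Build the full tree, then keep only subtrees rooted at labels matching root."""
    nodes = {e[child]: e for e in events}
    kids = {}
    for e in events:
        kids.setdefault(e[parent], []).append(e[child])
    # Root detection: a child whose parent id matches no event becomes a root.
    roots = [e[child] for e in events if e[parent] not in nodes]
    lines = []
    def walk(nid, depth):
        n = nodes[nid]
        tag = " " + badge(n) if prevalence else ""
        lines.append("  " * depth + n[label] + tag)
        for c in kids.get(nid, []):
            walk(c, depth + 1)
    def select(nid):  # descend until a label matches, then emit that whole subtree
        if root is None or matches(nodes[nid][label], root):
            walk(nid, 0)
        else:
            for c in kids.get(nid, []):
                select(c)
    for r in roots:
        select(r)
    return lines
```

With root="/wscript|cscript/" the orphaned cscript.exe and the wscript.exe subtree under cmd.exe are both emitted as roots, which mirrors the "matching subtrees with all their children" behaviour.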

Performance: Works best with filtered result sets. Use search expressions to limit data before applying the tree command to avoid building very large trees.

Node interactions:

  • Click on a node label to add it as a filter to your search
  • Right-click on a node label to exclude it from your search
  • Hover over prevalence badges to see detailed prevalence information
  • Use "Expand all" / "Collapse all" buttons to navigate large trees

Display: The tree visualization shows:

  • Collapsible nodes with expand/collapse controls
  • Tree lines showing parent-child relationships
  • Node labels with optional detail text below
  • Prevalence badges inline with node labels