Splunk Search

Correlating Windows event 4688 logs on New_Process_ID and Creator_Process_ID

frbuser
Path Finder

How can I correlate Windows event 4688 logs to show a chain of processes that were started? Basically a process tree where each larger event consists of the first process, all sub processes launched, and all processes launched by those sub processes etc.

0 Karma

samjenk_2
Explorer

I'm pursuing a related problem in trying to build transactions between 4688 (process created) and 4689 (process terminated) events, so we can know precisely how long processes run. I'm looking into correlating these data and saving them to a summary index so they can be further correlated against other Windows logs using Process_ID, Process_Name, time, and host. Once you have results, do you plan on writing them out as distinct events (one event per process tree) in this manner? Especially for long-lived processes, I would think you'll need a way to maintain state on what child processes have been created.

0 Karma

securityguy10
New Member

I have been struggling to get a good query for this as well. However, I have been able to

index=main sourcetype="WinEventLog:Security" ComputerName=Test-PC EventCode=4688 | eval Dspace=" "|eval PIDName=New_Process_Name+Dspace+Dspace+New_Process_ID |transaction Creator_Process_ID | table _time EventCode ComputerName New_Process_Name New_Process_ID PIDName Creator_Process_ID Process_Command_Line

It will display every process created by a process ID... but you still need to manually cross-reference the Creator_Process_ID with the name of the process. Works well on an individual host over a short (24 hour) timeline.

0 Karma
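The cross-reference step above (resolving each Creator_Process_ID to the process that actually held that PID at the time) is what turns a flat 4688 list into a tree. The following is an added example, not code from this thread: it assumes the 4688 events have already been parsed into dicts carrying the field names the Splunk Windows add-on extracts (_time, ComputerName, New_Process_ID, New_Process_Name, Creator_Process_ID), keys every node by (host, pid, start time) so a reused PID becomes a separate node, and uses constructed sample events.

```python
from collections import defaultdict

# Constructed sample 4688 events for one host, with the field names the
# Splunk Windows add-on extracts. PID 0x1f4 is reused at t=4 after cmd.exe
# exited, so the later child (t=5) must attach to notepad.exe, not cmd.exe.
EVENTS = [
    {"_time": 1, "ComputerName": "Test-PC", "New_Process_ID": "0x4d8",
     "New_Process_Name": r"C:\Windows\explorer.exe", "Creator_Process_ID": "0x2f0"},
    {"_time": 2, "ComputerName": "Test-PC", "New_Process_ID": "0x1f4",
     "New_Process_Name": r"C:\Windows\System32\cmd.exe", "Creator_Process_ID": "0x4d8"},
    {"_time": 3, "ComputerName": "Test-PC", "New_Process_ID": "0x7a0",
     "New_Process_Name": r"C:\Windows\System32\whoami.exe", "Creator_Process_ID": "0x1f4"},
    {"_time": 4, "ComputerName": "Test-PC", "New_Process_ID": "0x1f4",
     "New_Process_Name": r"C:\Windows\System32\notepad.exe", "Creator_Process_ID": "0x4d8"},
    {"_time": 5, "ComputerName": "Test-PC", "New_Process_ID": "0x8b2",
     "New_Process_Name": r"C:\Windows\System32\mspaint.exe", "Creator_Process_ID": "0x1f4"},
]

def build_tree(events):
    """Link each 4688 event to its creator. Returns (roots, children, label),
    all keyed by (host, pid, start_time) so a reused PID is a distinct node."""
    latest = {}                    # (host, pid) -> key of newest process with that pid
    children = defaultdict(list)
    label, roots = {}, []
    for e in sorted(events, key=lambda e: e["_time"]):
        host = e["ComputerName"]
        key = (host, e["New_Process_ID"], e["_time"])
        label[key] = f'{e["New_Process_Name"]} ({e["New_Process_ID"]})'
        parent = latest.get((host, e["Creator_Process_ID"]))
        if parent is None:
            roots.append(key)      # creator started before the search window
        else:
            children[parent].append(key)
        latest[(host, e["New_Process_ID"])] = key   # newest start wins for later children
    return roots, children, label

def render(nodes, children, label, depth=0):
    """Indented, depth-first listing of the tree, one process per line."""
    lines = []
    for k in nodes:
        lines.append("  " * depth + label[k])
        lines.extend(render(children[k], children, label, depth + 1))
    return lines

if __name__ == "__main__":
    print("\n".join(render(*build_tree(EVENTS))))
```

Because the parent lookup is "most recent 4688 with that PID on the same host", a child whose creator started before the search window lands as a root rather than being attached to the wrong process; feeding the matching 4689 events in would let you retire a PID explicitly instead of relying on start order alone.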