TL;DR - I want a query to search through Windows Security Event Logs (Type 4688 - A new process has been created) and return all processes along with their parent process name sorted by host. This will eventually be a dashboard for any process that violates common parent/child relationships (i.e. lsass.exe started by calc.exe).
Problem:
Windows Security Event Logs do not record the name of the parent process of newly started processes (Type 4688), only the hex value of the Parent Process ID (Creator_Process_ID). But because I have these logs, I can manually use the Creator_Process_ID and find the event that has the same host and a New_Process_ID value that matches the Creator_Process_ID from the event in question.
I have created two separate queries:
One that returns all processes along with their associated host and process ID
index=wineventlog sourcetype=WinEventLog:Security EventCode=4688 | rename New_Process_ID as PID host as Source New_Process_Name as Process | dedup PID Source | table PID Source Process
A second that returns all processes along with their associated Creator_Process_ID
index=wineventlog sourcetype=WinEventLog:Security EventCode=4688 New_Process_Name=*smss.exe | table host New_Process_Name Creator_Process_ID
I now need to figure out how to map the Creator_Process_ID from the second query to the name of the process from that host/PID from the first query. I have tried some JOIN queries but am not knowledgeable enough in such things to know if that is even the right approach.
Thanks for the help.
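The mapping the question describes, worked through as an added example that is not part of the original post and not Splunk SPL: a small Python script that takes 4688-style records (constructed sample data, not real logs), normalises the hex PID fields, joins each event's Creator_Process_ID against the New_Process_ID of an earlier event on the same host, and then checks the resolved parent against an assumed baseline of expected parents. The baseline, the field subset and the event timestamps are assumptions for this example. Two details matter for the join and are handled here: PIDs are reused after a process exits, so the parent must be the most recent start with that PID before the child's start rather than any match; and a parent that started before log collection began (System, PID 4, never has a 4688 event) resolves to nothing and should not be reported as a violation.

```python
import ntpath
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample 4688 events (not real log data): the fields the question
# uses, with PIDs written as hex the way the Security log emits them.
EVENTS = [
    {"_time": "2024-01-01T08:00:00", "host": "WS01", "New_Process_ID": "0x1f4",
     "New_Process_Name": r"C:\Windows\System32\wininit.exe", "Creator_Process_ID": "0x4"},
    {"_time": "2024-01-01T08:00:01", "host": "WS01", "New_Process_ID": "0x2a0",
     "New_Process_Name": r"C:\Windows\System32\lsass.exe", "Creator_Process_ID": "0x1f4"},
    {"_time": "2024-01-01T09:00:00", "host": "WS01", "New_Process_ID": "0x1234",
     "New_Process_Name": r"C:\Windows\System32\calc.exe", "Creator_Process_ID": "0x9c0"},
    {"_time": "2024-01-01T09:00:05", "host": "WS01", "New_Process_ID": "0x1300",
     "New_Process_Name": r"C:\Windows\System32\lsass.exe", "Creator_Process_ID": "0x1234"},
    # PID reuse on WS02: 0x500 was notepad.exe first, then cmd.exe after notepad exited.
    {"_time": "2024-01-01T08:00:00", "host": "WS02", "New_Process_ID": "0x500",
     "New_Process_Name": r"C:\Windows\System32\notepad.exe", "Creator_Process_ID": "0x300"},
    {"_time": "2024-01-01T10:00:00", "host": "WS02", "New_Process_ID": "0x500",
     "New_Process_Name": r"C:\Windows\System32\cmd.exe", "Creator_Process_ID": "0x300"},
    {"_time": "2024-01-01T10:00:10", "host": "WS02", "New_Process_ID": "0x600",
     "New_Process_Name": r"C:\Windows\System32\ping.exe", "Creator_Process_ID": "0x500"},
]

# Assumed baseline of expected parents (constructed for this example; extend it
# for your environment). lsass.exe and services.exe are both started by wininit.exe.
EXPECTED_PARENTS = {
    "lsass.exe": {"wininit.exe"},
    "services.exe": {"wininit.exe"},
}


def pid_int(value):
    """Normalise a PID field: 4688 writes PIDs as hex ('0x1f4'); other sources use decimal."""
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text)


def build_pid_index(events):
    """Map (host, pid) -> [(start_time, process_name), ...] sorted by time.
    Every start is kept because a PID can be reused once its process exits."""
    index = defaultdict(list)
    for ev in events:
        key = (ev["host"], pid_int(ev["New_Process_ID"]))
        index[key].append((datetime.fromisoformat(ev["_time"]), ev["New_Process_Name"]))
    for key in index:
        index[key].sort()
    return index


def resolve_parents(events):
    """Attach the parent process name to each event by matching Creator_Process_ID
    against the New_Process_ID of the latest earlier event on the same host."""
    index = build_pid_index(events)
    resolved = []
    for ev in events:
        started = datetime.fromisoformat(ev["_time"])
        key = (ev["host"], pid_int(ev["Creator_Process_ID"]))
        candidates = index.get(key, [])
        # Rightmost start at or before the child's start: handles PID reuse.
        pos = bisect_right([t for t, _ in candidates], started) - 1
        parent = candidates[pos][1] if pos >= 0 else None
        resolved.append({
            "host": ev["host"],
            "time": ev["_time"],
            "pid": pid_int(ev["New_Process_ID"]),
            "process": ntpath.basename(ev["New_Process_Name"]).lower(),
            "ppid": key[1],
            # None means the parent started before logging began (e.g. System, PID 4)
            "parent": ntpath.basename(parent).lower() if parent else None,
        })
    return resolved


def find_violations(resolved):
    """Return (host, child, parent) for children with a baseline whose resolved
    parent is known and not in the allowed set. Unresolved parents are skipped."""
    out = []
    for row in resolved:
        allowed = EXPECTED_PARENTS.get(row["process"])
        if allowed is None or row["parent"] is None:
            continue
        if row["parent"] not in allowed:
            out.append((row["host"], row["process"], row["parent"]))
    return out


if __name__ == "__main__":
    rows = resolve_parents(EVENTS)
    for row in sorted(rows, key=lambda r: (r["host"], r["time"])):
        print(f'{row["host"]:5} {row["process"]:12} <- {row["parent"] or "<unknown>"}')
    print("violations:", find_violations(rows))
```

The same join can be expressed in Splunk without `join` by saving the first query's (host, New_Process_ID, New_Process_Name) rows as a lookup and then looking up Creator_Process_ID against it, but whichever route is taken the two caveats above still apply: match on host and PID together, and prefer the most recent start with that PID, because a lookup that keeps only one name per PID will attribute children to whichever process last held the number.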