Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Correlating Windows event 4688 logs on New_Process_ID and Creator_Process_ID

frbuser
Path Finder
‎01-31-2019 01:39 PM

How can I correlate Windows event 4688 logs to show a chain of processes that were that were started? Basically a process tree where each larger event consists of the first process, all sub processes launched, and all processes launched by those sub processes etc.

0 Karma
Reply

samjenk_2
Explorer
‎07-09-2019 09:08 AM

I'm pursuing a related problem in trying to build transactions between 4688 (process created) and 4689 (process terminated) events, so we can know precisely how long processes run. I'm looking into correlating these data and saving them to a summary index so they can be further correlated against other Windows logs using Process_ID, Process_Name, time, and host. Once you have results, do you plan on writing them out as distinct events (one event per process tree) in this manner? Especially for long-lived processes, I would think you'll need a way to maintain state on what child processes have been created.

0 Karma
Reply

securityguy10
New Member
‎02-14-2019 04:31 AM

I have been struggling to get a good query for this as well. However, I have been able to

index=main sourcetype="WinEventLog:Security" ComputerName=Test-PC EventCode=4688 | eval Dspace=" "|eval PIDName=New_Process_Name+Dspace+Dspace+New_Process_ID |transaction Creator_Process_ID | table _time EventCode ComputerName New_Process_Name New_Process_ID PIDName Creator_Process_ID Process_Command_Line

it will display every process create by a process ID...but you still need to go manual cross reference the Creator_Process_ID with the name of the process. Works well on an individual host over a short (24 hour) timeline.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...