I have been struggling to get a good query for this as well. However, I have been able to
index=main sourcetype="WinEventLog:Security" ComputerName=Test-PC EventCode=4688 | eval Dspace=" "|eval PIDName=New_Process_Name+Dspace+Dspace+New_Process_ID |transaction Creator_Process_ID | table _time EventCode ComputerName New_Process_Name New_Process_ID PIDName Creator_Process_ID Process_Command_Line
it will display every process created by a process ID...but you still need to manually cross-reference the Creator_Process_ID with the name of the process. Works well on an individual host over a short (24 hour) timeline.
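As an added example (not the poster's query or anything from Splunk), the manual cross-reference step done in code: a small Python script over constructed 4688 events that resolves each Creator_Process_ID to the most recent earlier process created with that PID, so a reused PID maps to the right parent; field names follow the query above, and all sample events are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ProcEvent:
    # Field names mirror the Splunk extractions used in the query above.
    time: int                 # _time, epoch seconds
    new_process_name: str     # New_Process_Name
    new_process_id: str       # New_Process_ID (hex string, e.g. 0x1a4c)
    creator_process_id: str   # Creator_Process_ID (hex string)
    command_line: str = ""    # Process_Command_Line

def pid_key(pid: str) -> int:
    # 4688 logs PIDs as hex strings; int(x, 0) also accepts decimal if a source differs.
    return int(pid, 0)

def resolve_parent_name(events: List[ProcEvent], child: ProcEvent) -> Optional[str]:
    """Name of the most recent process, created no later than the child, whose
    New_Process_ID equals the child's Creator_Process_ID. Windows reuses PIDs, so
    the latest earlier creation wins; None means the parent predates the log."""
    want = pid_key(child.creator_process_id)
    candidates = [e for e in events
                  if e is not child and pid_key(e.new_process_id) == want
                  and e.time <= child.time]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e.time).new_process_name

def parent_child_table(events: List[ProcEvent]) -> List[dict]:
    """One row per 4688 event, in time order, with the parent's name filled in."""
    rows = []
    for e in sorted(events, key=lambda e: e.time):
        rows.append({"time": e.time, "process": e.new_process_name,
                     "pid": e.new_process_id, "parent_pid": e.creator_process_id,
                     "parent": resolve_parent_name(events, e),
                     "cmdline": e.command_line})
    return rows

# Constructed sample events (not real log data); PID 0x1a4c is deliberately reused.
SAMPLE = [
    ProcEvent(100, r"C:\Windows\explorer.exe", "0x0f10", "0x0334"),
    ProcEvent(110, r"C:\Windows\System32\cmd.exe", "0x1a4c", "0x0f10", "cmd.exe"),
    ProcEvent(120, r"C:\Windows\System32\whoami.exe", "0x2b00", "0x1a4c", "whoami /all"),
    ProcEvent(130, r"C:\Windows\System32\notepad.exe", "0x1a4c", "0x0f10"),
    ProcEvent(140, r"C:\Windows\System32\calc.exe", "0x2c00", "0x1a4c"),
]

if __name__ == "__main__":
    for r in parent_child_table(SAMPLE):
        print(f"{r['time']} {r['parent'] or '<not in log>'} ({r['parent_pid']}) "
              f"-> {r['process']} ({r['pid']}) {r['cmdline']}")
```

With the sample above, whoami.exe resolves to cmd.exe and calc.exe to notepad.exe even though both parents carried PID 0x1a4c, and explorer.exe's parent is reported as not in the log.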