Parent Process Name [7.2]
The parent process name of a system or application process.
This field is not available in LogRhythm versions earlier than 7.2.1.
Data Type
String (255 characters maximum)
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Parent Process Name |
| Client Console Short Name | Parent Process Name |
| Web Console Tab/Name | Parent Process Name |
| Elasticsearch Field Name | parentProcessName |
| Rule Builder Column Name | ParentProcessName |
| Regex Pattern | <parentprocessname> |
| NetMon Name | Not applicable |
Field Relationships
- Parent Process ID
- Parent Process Path
- Process Name
- Process ID
- Object
- Object Name
- Object Type
- Session
- Session Type
Common Applications
- Endpoint devices (for example, Carbon Black)
- Windows logs
Use Case
Identifying that an Office application is the parent of a malicious PowerShell process.
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- Parse the most obvious meaningful parent process (typically top-level root).
- Parent Process Name must match the Parent Process ID.
- Do not capture the process path in the name. That goes in Parent Process Path.
Examples
- Cb Response
08 30 2016 02:20:42 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|1.1.1.1623.1033|watchlist.storage.hit.process|cb_server=cbserver cb_version=1.1.1.1623.1033 childproc_count=1 cmdline=C:\\Windows\\system32\\cmd.exe /c ping provisionserver >nul 2>nul crossproc_count=1 filemod_count=0 host_type=workstation last_update=2016-08-30T08:02:01.670Z modload_count=11 netconn_count=0 os_type=windows parent_guid=000001c3-0000-2010-01d2-0294ad4c889c parent_id=7575139489275778785 parent_name=scsdiscovery.exe parent_pid=8208 parent_unique_id=000001c3-0000-2010-01d2-0294ad4c889c-22222222222 path=c:\\windows\\syswow64\\cmd.exe process_guid=000001c3-0000-097c-01d2-2222222222 process_id=000001c3-0000-097c-01d2-22222222222 process_name=cmd.exe process_pid=2428 regmod_count=0 server_name=localhost.localdomain start=2016-08-30T08:01:24.874Z timestamp=1472548449.903 type=watchlist.storage.hit.process unique_id=000001c3-0000-097c-01d2-222222222222-00000001 username=SYSTEM watchlist_155=2016-08-30T09:10:02.525745Z watchlist_id=155 watchlist_name=Command Line
In this event, the value of parent_name (scsdiscovery.exe) is the Parent Process Name.
- Windows Event Log - Sysmon
<Event xmlns='http://Host3/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>Information</Level><Task>Process Create (rule: ProcessCreate)</Task><Opcode>Info</Opcode><Keywords></Keywords><TimeCreated SystemTime='2016-09-19T17:50:20.719863700Z'/><EventRecordID>230097</EventRecordID><Correlation/><Execution ProcessID='3716' ThreadID='3740'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>LRXM</Computer><Security UserID='NT AUTHORITY\SYSTEM'/></System><EventData>Process Create:
UtcTime: 2016-09-19 17:50:20.718
ProcessGuid: {FCC7BD93-255C-57E0-0000-222222222222}
ProcessId: 127228
Image: C:\Windows\System32\Host2
CommandLine: Host2 /c echo ffsuli > \\.\pipe\ffsuli
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {FCC7BD93-8F2C-57DC-0000-2222222222}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=811627E612944FE5DADF2A14763A08111143C27E
ParentProcessGuid: {FCC7BD93-8F2B-57DC-0000-22222222222}
ParentProcessId: 504
ParentImage: C:\Windows\System32\Host1
ParentCommandLine: C:\Windows\system32\Host1</EventData></Event>
The process names in this event are obfuscated, but ParentImage is the right source for Parent Process Name: only the file name (Host1) goes in Parent Process Name, and the path goes in Parent Process Path.
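Worked example of the usage standards and the two example formats above, added here and not part of the LogRhythm documentation or of any LogRhythm parser: Python that pulls Parent Process Name and Parent Process ID out of a Cb Response LEEF line and a Sysmon Event ID 1 EventData block, keeps only the file name, enforces the 255-character limit, and takes name and ID from the same parent_* fields so they describe the same process. The sample events are constructed (abridged from the page's own obfuscated examples), tag_pattern_to_regex is a simplified stand-in for how an MPE tag such as <parentprocessname> captures a value rather than LogRhythm's real tag expansion, and sending the full ParentImage value to Parent Process Path is an assumption.

```python
import re
from pathlib import PureWindowsPath

MAX_LEN = 255  # documented data type: string, 255 characters maximum

# Constructed sample, abridged from the page's Cb Response example
CB_RESPONSE_LINE = (
    "08 30 2016 02:20:42 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|1.1.1.1623.1033|"
    "watchlist.storage.hit.process|cb_server=cbserver "
    "cmdline=C:\\Windows\\system32\\cmd.exe /c ping provisionserver >nul 2>nul "
    "parent_name=scsdiscovery.exe parent_pid=8208 "
    "path=c:\\windows\\syswow64\\cmd.exe process_name=cmd.exe process_pid=2428 "
    "username=SYSTEM watchlist_name=Command Line"
)

# Constructed sample: the key: value block inside a Sysmon Event ID 1 <EventData>
SYSMON_EVENT_DATA = """Process Create:
UtcTime: 2016-09-19 17:50:20.718
ProcessId: 127228
Image: C:\\Windows\\System32\\Host2
CommandLine: Host2 /c echo ffsuli > \\\\.\\pipe\\ffsuli
ParentProcessId: 504
ParentImage: C:\\Windows\\System32\\Host1
ParentCommandLine: C:\\Windows\\system32\\Host1"""


def tag_pattern_to_regex(pattern):
    """Turn an MPE-style pattern such as 'parent_name=<parentprocessname>' into a
    Python regex with a named group. Simplified stand-in (assumption): every <tag>
    becomes a non-whitespace capture; LogRhythm's own tag expansion differs."""
    return re.sub(r"<(\w+)>", lambda m: f"(?P<{m.group(1)}>\\S+)", pattern)


def match_tag_pattern(pattern, text):
    """Apply a tag pattern and return the captured tags as a dict."""
    m = re.search(tag_pattern_to_regex(pattern), text)
    return m.groupdict() if m else {}


def parse_leef_attributes(line):
    """Return the key=value attributes of a LEEF line as a dict. Values such as
    cmdline contain spaces, so a value runs until the next ' key=' or end of line."""
    body = line[line.index("LEEF:"):].split("|", 5)[5]
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", body))


def parse_sysmon_event_data(text):
    """Parse the 'Key: value' lines of a Sysmon EventData block into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def normalize_parent_process_name(raw):
    """Usage standards: keep only the file name (the directory part belongs in
    Parent Process Path) and enforce the 255-character data type limit."""
    name = PureWindowsPath(raw.strip()).name
    if not name:
        raise ValueError(f"no process name in {raw!r}")
    if len(name) > MAX_LEN:
        raise ValueError(f"Parent Process Name longer than {MAX_LEN} characters")
    return name


def cb_response_parent(line):
    """Parent fields from Cb Response. Name and ID both come from parent_* keys,
    so Parent Process Name matches Parent Process ID as the standards require."""
    attrs = parse_leef_attributes(line)
    return {
        "ParentProcessName": normalize_parent_process_name(attrs["parent_name"]),
        "ParentProcessID": int(attrs["parent_pid"]),
        # path= in this format is the child's image, so no parent path is known
        "ParentProcessPath": None,
    }


def sysmon_parent(event_data):
    """Parent fields from Sysmon Event ID 1 (ParentImage / ParentProcessId)."""
    fields = parse_sysmon_event_data(event_data)
    image = fields["ParentImage"]
    return {
        "ParentProcessName": normalize_parent_process_name(image),
        "ParentProcessID": int(fields["ParentProcessId"]),
        "ParentProcessPath": image,  # assumption: full ParentImage value goes here
    }


if __name__ == "__main__":
    print(cb_response_parent(CB_RESPONSE_LINE))
    print(sysmon_parent(SYSMON_EVENT_DATA))
    print(match_tag_pattern("parent_name=<parentprocessname>", CB_RESPONSE_LINE))
```

Running the script prints scsdiscovery.exe / 8208 for the Cb Response line and Host1 / 504 for the Sysmon event; a Windows path such as the full location of powershell.exe is reduced to powershell.exe before it is stored in the field.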