Parent Process ID [7.2]
The Parent Process ID of a system or application process that is of interest.
This field is not available in LogRhythm versions earlier than 7.2.1.
Data Type
String (16 characters)
Aliases
| Use | Alias |
|---|---|
Client Console Full Name | Parent Process ID |
Client Console Short Name | Parent Process ID |
Web Console Tab/Name | Application/Parent Process ID |
Elasticsearch Field Name | parentProcessId |
Rule Builder Column Name | ParentProcessID |
Regex Pattern | <parentprocessid> |
NetMon Name | Not applicable |
Field Relationships
- Parent Process Name
- Parent Process Path
- Process Name
- Process ID
- Object
- Object Name
- Object Type
- Session
- Session Type
Common Applications
- Endpoint devices (for example, Carbon Black)
- Windows logs
Use Case
Identifying that Office is the source for a PowerShell process that is malicious.
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
Parse the most obvious meaningful parent ID, which is typically a top-level root.
Examples
- Windows Event Log - Sysmon
<Event xmlns='http://Host3/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{22222222-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>Information</Level><Task>Process Create (rule: ProcessCreate)</Task><Opcode>Info</Opcode><Keywords></Keywords><TimeCreated SystemTime='2016-09-19T17:50:20.719863700Z'/><EventRecordID>230097</EventRecordID><Correlation/><Execution ProcessID='3716' ThreadID='3740'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer> USABLDRRECFLOW01</Computer><Security UserID='NT AUTHORITY\SYSTEM'/></System><EventData>Process Create:UtcTime: 2016-09-19 17:50:20.718ProcessGuid: {FCC7BD93-255C-57E0-0000-00109BAC260D}ProcessId: 127228Image: C:\Windows\System32\Host2CommandLine: Host2 /c echo ffsuli > \\.\pipe\ffsuliCurrentDirectory: C:\Windows\system32\User: NT AUTHORITY\SYSTEMLogonGuid: {FCC7BD93-8F2C-57DC-0000-22222222222}LogonId: 0x3E7TerminalSessionId: 0IntegrityLevel: SystemHashes: SHA1=
811627E612944FE5DADF2A14763A08111143C27E
ParentProcessGuid: {FCC7BD93-8F2B-57DC-0000-222222222222}ParentProcessId: 504ParentImage: C:\Windows\System32\Host1ParentCommandLine: C:\Windows\system32\Host1</EventData></Event>
Parent Process ID is specifically called out in this log.
- Cb Response
08 30 2016 02:20:42 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|1.1.1.1623.1033|watchlist.storage.hit.process|cb_server=cbserver cb_version=1.1.1.1623.1033 childproc_count=1 cmdline=C:\\Windows\\system32\\cmd.exe /c ping provisionserver >nul 2>nul crossproc_count=1 filemod_count=0 host_type=workstation last_update=2016-08-30T08:02:01.670Z modload_count=11 netconn_count=0 os_type=windows parent_guid=222222222-0000-2010-01d2-0294ad4c889c parent_id=2222222222 parent_name=scsdiscovery.exe parent_pid=8208 parent_unique_id=222222-0000-2010-01d2-0294ad4c889c-2222222222 path=c:\\windows\\syswow64\\cmd.exe process_guid=000001c3-0000-097c-01d2-222222222 process_id=000001c3-0000-097c-01d2-22222222222 process_name=cmd.exe process_pid=2428 regmod_count=0 server_name=localhost.localdomain start=2016-08-30T08:01:24.874Z timestamp=1472548449.903 type=watchlist.storage.hit.process unique_id=000001c3-0000-097c-01d2-22222222222-00000001 username=SYSTEM watchlist_155=2016-08-30T09:10:02.525745Z watchlist_id=155 watchlist_name=Command Line
Parent_pid (Process ID) called out specifically.