Breadcrumbs

Parent Process Path [7.2]


The full path of a parent process of a system or application process.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type

String (892 characters maximum)

Aliases

Use

Alias

Client Console Full Name

Parent Process Path

Client Console Short Name

Parent Process Path

Web Console Tab/Name

Parent Process Path

Elasticsearch Field Name

parentProcessPath

Rule Builder Column Name

ParentProcessPath

Regex Pattern

<parentprocesspath>

NetMon Name

Not applicable

Field Relationships

  • Parent Process ID

  • Parent Process Name

  • Process Name

  • Process ID

  • Object

  • Object Name

  • Object Type

  • Session

  • Session Type

Common Applications

  • Endpoint devices (for example, Carbon Black)

  • Windows logs

Use Case

  • Identifying where parent executing process resides on target device.

  • Tracking malware installation locations.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Parent process path must match the parent process ID/name. 

  • Do not capture the process path in this field, only the parent process path.

  • Parse out the OS-dependent path using whichever separators are native to that OS.

Examples

  • Windows Event Log - Sysmon

<Event xmlns='http://Host3/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{2222222222-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>Information</Level><Task>Process Create (rule: ProcessCreate)</Task><Opcode>Info</Opcode><Keywords></Keywords><TimeCreated SystemTime='2016-09-19T17:50:20.719863700Z'/><EventRecordID>230097</EventRecordID><Correlation/><Execution ProcessID='3716' ThreadID='3740'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>LRXM</Computer><Security UserID='NT AUTHORITY\SYSTEM'/></System><EventData>Process Create:
UtcTime: 2016-09-19 17:50:20.718
ProcessGuid: {FCC7BD93-255C-57E0-0000-22222222222}
ProcessId: 127228
Image: C:\Windows\System32\Host2
CommandLine: Host2 /c echo ffsuli > \\.\pipe\ffsuli
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {2222222222-8F2C-57DC-0000-2222222}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=

811627E612944FE5DADF2A14763A08111143C27E

ParentProcessGuid: {22222222222-8F2B-57DC-0000-2222222222222}
ParentProcessId: 504
ParentImage: C:\Windows\System32\Host1
ParentCommandLine: C:\Windows\system32\Host1</EventData></Event>

ParentImage contains a path to the parent process.