Confusion about winlog.process.pid and xcopy

nerio · February 5, 2024, 10:29am

Hello I would have 2 questions :

In an event id 1 (pcoess creation), what is the difference between the field winlog.process.pid (eg 2360) and the field process.pid (eg 6392) ?
Why did not the command "C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat" trigger an event id 11 ?

Cheers

system · March 4, 2024, 10:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filtering Windows Events - Beats winlogbeat	6	3901	June 15, 2017
Winlogbeat for windows 10 Beats winlogbeat	3	451	August 6, 2019
winlog.event_data.Image.keyword not populated Beats winlogbeat	3	751	November 18, 2021
Filter :Active Directory Event Beats winlogbeat	8	760	June 7, 2018
Duplicate Events in Kibana Beats winlogbeat	1	445	July 29, 2019