Confusion about winlog.process.pid and xcopy

Elastic Observability
1

Hello I would have 2 questions :

  1. In an event id 1 (pcoess creation), what is the difference between the field winlog.process.pid (eg 2360) and the field process.pid (eg 6392) ?

  2. Why did not the command "C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat" trigger an event id 11 ?

Cheers

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.