Elasticsearch query that returns latest document for each group of criteria in the query

Newbie here.

Trying to figure out how to query to find grandparent processes of child processes by using parent process info in Windows logs.

I have a list of child processes with host info (hostname) and parent process (pid, path, timestamp of child process creation) info. A single host may have several processes in the list. So, in order to find grandparent processes efficiently, I thought to create a query per host rather than to call an API for each process (in which case I could sort by @timestamp and set size to 1).

For instance, below is a query to find the grandparent process by using parent process info (in this case there are two parent processes) for a host computer1.

The problem is, this query may return more than 100 results, as the same process could be created by the same parent process with the same pid several times throughout the available logs. Honestly, I did not expect this possibility.

So, the question is how could I find the most recent document for each given group of criteria (pid, executable, @timestamp)?

GET winlogbeat-*/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "event.code": "4688"
          }
        },
        {
          "term": {
            "winlog.computer_name": "computer1"
          }
        },
        {
          "bool": {
            "should": [
              {
                "bool": {
                  "filter": [
                    {
                      "term": {
                        "process.pid": 1234
                      }
                    },
                    {
                      "term": {
                        "process.executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
                      }
                    },
                    {
                      "range": {
                        "@timestamp": {
                          "lt": 1608755400174
                        }
                      }
                    }
                  ]
                }
              },
              {
                "bool": {
                  "filter": [
                    {
                      "term": {
                        "process.pid": 5678
                      }
                    },
                    {
                      "term": {
                        "process.executable": "C:\\Program Files\\Java\\jre1.8.0_271\\bin\\java.exe"
                      }
                    },
                    {
                      "range": {
                        "@timestamp": {
                          "lt": 1608757200174
                        }
                      }
                    }
                  ]
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ]
    }
  },
  "docvalue_fields": [
    {
      "field": "@timestamp",
      "format": "epoch_millis"
    }
  ],
  "_source": [
    "message",
    "event.code",
    "process.parent.executable",
    "winlog.event_data.ProcessId",
    "process.executable",
    "process.name",
    "process.pid",
    "user.name",
    "winlog.event_data.TargetUserName",
    "winlog.event_data.CommandLine"
  ],
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}
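
One way to get the single most recent event per criteria group in one request per host, as an added example that is not part of the original post: a `filters` aggregation with one named bucket per parent process and a `top_hits` sub-aggregation of size 1 sorted by `@timestamp` descending. The function names, bucket names (`parent_0`, ...) and the sample response are assumptions made for illustration; the field names and values come from the query above.

```python
import json

def build_latest_per_parent(host, parents):
    # One named bucket per parent: the same pid / executable / "before child start" filter as the posted query.
    buckets = {
        f"parent_{i}": {"bool": {"filter": [
            {"term": {"process.pid": p["pid"]}},
            {"term": {"process.executable": p["executable"]}},
            {"range": {"@timestamp": {"lt": p["before_ms"]}}},
        ]}}
        for i, p in enumerate(parents)
    }
    return {
        "size": 0,  # only the aggregation result is needed, not the raw hit list
        "query": {"bool": {"filter": [
            {"term": {"event.code": "4688"}},
            {"term": {"winlog.computer_name": host}},
        ]}},
        "aggs": {"per_parent": {
            "filters": {"filters": buckets},
            "aggs": {"latest": {"top_hits": {
                "size": 1,  # newest matching event per bucket
                "sort": [{"@timestamp": {"order": "desc"}}],
                "_source": ["process.parent.executable", "process.executable",
                            "process.pid", "winlog.event_data.CommandLine"],
            }}},
        }},
    }

def latest_hits(response):
    # Named filters come back as an object keyed by bucket name; empty buckets map to None.
    out = {}
    for name, bucket in response["aggregations"]["per_parent"]["buckets"].items():
        hits = bucket["latest"]["hits"]["hits"]
        out[name] = hits[0]["_source"] if hits else None
    return out

PARENTS = [  # values taken from the query in the post
    {"pid": 1234, "executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "before_ms": 1608755400174},
    {"pid": 5678, "executable": r"C:\Program Files\Java\jre1.8.0_271\bin\java.exe", "before_ms": 1608757200174},
]
SAMPLE_RESPONSE = {"aggregations": {"per_parent": {"buckets": {  # constructed, not real cluster output
    "parent_0": {"doc_count": 3, "latest": {"hits": {"hits": [
        {"_source": {"process": {"parent": {"executable": r"C:\Windows\explorer.exe"}}}}]}}},
    "parent_1": {"doc_count": 0, "latest": {"hits": {"hits": []}}},
}}}}

if __name__ == "__main__":
    print(json.dumps(build_latest_per_parent("computer1", PARENTS), indent=2))
    print(latest_hits(SAMPLE_RESPONSE))
```

Building the body in code and serializing it with `json.dumps` also takes care of escaping every backslash in the Windows paths.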
