Hello! I have a PowerShell script that executes an encoded command that spawns some LOLBin, let's say ipconfig. This is realized in Elastic as PowerShell spawning PowerShell, spawning ipconfig. I have an ES|QL detection that finds suspicious parent-child processes, and am trying to tune the behavior. Is there a way to gather grandparent process information if it is not in the original document?
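An added illustration of the problem in the post above (not code from the poster or from Elastic): a single process start document only carries `process.entity_id` and `process.parent.entity_id` (standard ECS fields), so the grandparent has to be recovered by correlating documents on those ids. The script below does that join over a constructed set of ECS-style events (explorer -> powershell -> powershell -> ipconfig, plus an orphan whose parent was never collected), walks the ancestry with a depth limit and cycle guard, and reports only the three-generation chains the rule is actually interested in. Field names follow ECS; the event objects, ids and command lines are constructed for the example. Elastic Defend additionally populates a `process.Ext.ancestry` array of ancestor entity ids on its own events, which turns this lookup into a single field check, but the example assumes only the two ECS fields.

```python
"""Recover grandparent process context from ECS-style process start events.

Added example, not from the original post: each document carries only
process.entity_id and process.parent.entity_id, so the grandparent is
resolved by joining events on those ids. All events below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of ECS process fields needed for ancestry lookups."""
    entity_id: str                    # process.entity_id
    parent_entity_id: Optional[str]   # process.parent.entity_id
    name: str                         # process.name
    command_line: str                 # process.command_line


# Constructed sample telemetry: explorer -> powershell -> powershell -> ipconfig.
# The encoded command is UTF-16LE base64 of "ipconfig".
SAMPLE_EVENTS = [
    ProcessEvent("e1", None, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcessEvent("e2", "e1", "powershell.exe",
                 "powershell.exe -File C:\\Scripts\\invoke.ps1"),
    ProcessEvent("e3", "e2", "powershell.exe",
                 "powershell.exe -NoProfile -EncodedCommand aQBwAGMAbwBuAGYAaQBnAA=="),
    ProcessEvent("e4", "e3", "ipconfig.exe", "ipconfig"),
    # Orphan: its parent started before telemetry collection began.
    ProcessEvent("e9", "e8", "ipconfig.exe", "ipconfig /all"),
]


def build_index(events: list[ProcessEvent]) -> dict[str, ProcessEvent]:
    """Key events by entity_id so an ancestry walk costs O(depth), not O(n)."""
    return {ev.entity_id: ev for ev in events}


def ancestry(entity_id: str, index: dict[str, ProcessEvent],
             max_depth: int = 16) -> list[ProcessEvent]:
    """Return [parent, grandparent, ...] for entity_id, nearest first.

    Stops at a parent that is missing from the collected data and guards
    against cycles or runaway depth caused by corrupted parent ids.
    """
    chain: list[ProcessEvent] = []
    seen = {entity_id}
    current = index.get(entity_id)
    while current is not None and current.parent_entity_id and len(chain) < max_depth:
        parent_id = current.parent_entity_id
        if parent_id in seen:
            break  # cycle guard: a parent id already on the chain
        seen.add(parent_id)
        parent = index.get(parent_id)
        if parent is None:
            break  # parent not present in the collected events
        chain.append(parent)
        current = parent
    return chain


def grandparent(entity_id: str,
                index: dict[str, ProcessEvent]) -> Optional[ProcessEvent]:
    """Grandparent event, or None when the chain cannot be resolved that far."""
    anc = ancestry(entity_id, index, max_depth=2)
    return anc[1] if len(anc) > 1 else None


def find_chains(events: list[ProcessEvent], index: dict[str, ProcessEvent],
                child_name: str, parent_name: str,
                grandparent_name: str) -> list[tuple[ProcessEvent, ProcessEvent, ProcessEvent]]:
    """Return (grandparent, parent, child) triples whose names match all three."""
    hits = []
    for ev in events:
        if ev.name.lower() != child_name.lower():
            continue
        anc = ancestry(ev.entity_id, index, max_depth=2)
        if len(anc) < 2:
            continue  # orphan or root: grandparent unknown, do not guess
        parent, gp = anc[0], anc[1]
        if (parent.name.lower() == parent_name.lower()
                and gp.name.lower() == grandparent_name.lower()):
            hits.append((gp, parent, ev))
    return hits


if __name__ == "__main__":
    idx = build_index(SAMPLE_EVENTS)
    for gp, parent, child in find_chains(SAMPLE_EVENTS, idx, "ipconfig.exe",
                                         "powershell.exe", "powershell.exe"):
        print(f"{gp.name} -> {parent.name} -> {child.name}: {parent.command_line}")
```

The orphan event is deliberately left unmatched: when the parent document is absent, the grandparent is unknown rather than benign, and a tuning rule should treat it that way instead of silently dropping the alert.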