Querying sysmon event

I am new to elk and trying to understand what data modeling to use for my network.
what I am trying to achieve is a central databse that will group sysmon data from hosts over my network and querying that dataset to increase security issue detection.

I am now struggeling with correlating different sysmon events.
the goal is to recive the "Parent ID" of a process who has accessed an other process by a specific permission.
I would do that by searching for the permission via event id 10,
matching the process id to an event id 1 document to recive the parent process.

I guess the easy way is to write a python (or simmillar language) script with two search queries, but i would like to hear any other suggestions.

Thank You!

Sombody? any idea?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.