Unusual Parent-Child Relationship Query and process parent hyphen value


I'm noticing a large amount of detections on the "Unusual Parent-Child Relationship" detection rule whichs seems to be related to the fact that some processes don't have a parent process. Data source are sysmon forwarded events.

The query which looks like this:

signal.rule.query: "event.category:process and event.type:(start or process_started) and process.parent.executable:* and (
	process.parent.name:autochk.exe and not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or 
	process.parent.name:smss.exe and not process.name:(autochk.exe or smss.exe or csrss.exe or wininit.exe or winlogon.exe or WerFault.exe) or 
	process.name:autochk.exe and not process.parent.name:smss.exe or process.name:(fontdrvhost.exe or dwm.exe) and not process.parent.name:(wininit.exe or winlogon.exe) or
	process.name:(consent.exe or RuntimeBroker.exe or TiWorker.exe) and not process.parent.name:svchost.exe or 
	process.name:wermgr.exe and not process.parent.name:(svchost.exe or TiWorker.exe) or 
	process.name:SearchIndexer.exe and not process.parent.name:services.exe or 
	process.name:SearchProtocolHost.exe and not process.parent.name:(SearchIndexer.exe or dllhost.exe) or 
	process.name:dllhost.exe and not process.parent.name:(services.exe or svchost.exe) or 
	process.name:smss.exe and not process.parent.name:(System or smss.exe) or 
	process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or 
	process.name:wininit.exe and not process.parent.name:smss.exe or 
	process.name:winlogon.exe and not process.parent.name:smss.exe or 
	process.name:(lsass.exe or LsaIso.exe) and not process.parent.name:wininit.exe or 
	process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or 
	process.name:services.exe and not process.parent.name:wininit.exe or 
	process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or 
	process.name:spoolsv.exe and not process.parent.name:services.exe or 
	process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or 
	process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or 
	process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe)

Is looking for events where process.parent.executable:*. But processes which don't have a parent process have a hyphen as value.

For example:

So am I correct thinking that the query should be updated so that it ignore events where process.parent.executable : "-"?

For example:

event.category:process and event.type:(start or process_started) and process.parent.executable:* and not process.parent.executable:"-" and ...

Or am I missing something?



Which agent/beat is outputting the dash in the data set. I do not remember a beat/agent doing that before but would like to know which one it is.

I asked around and this rule has been converted to EQL for the upcoming 7.next release. You should be able to try out a custom rule with the same EQL within 7.10 today using that repo's test commands and then see if this fixes you for a custom rule as a workaround for now.


Thanks for your answer @Frank_Hassanabad

The agent we are using is Elastic and Winlogbeat 7.9.2, which has been installed on the WEF collector and uses the sysmon module. I also do not know where the dash is added.

Example event:

  "_index": "winlogbeat-7.9.2-2020.12.14-000059",
  "_type": "_doc",
  "_id": "yGWZYnYKgRcrpJ2",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2020-12-14T18:51:16.118Z",
    "winlog": {
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "provider_name": "Microsoft-Windows-Sysmon",
      "task": "Process Create (rule: ProcessCreate)",
      "version": 5,
      "user": {
        "identifier": "S-1-5-18",
        "name": "SYSTEM",
        "domain": "NT AUTHORITY",
        "type": "User"
      "event_data": {
        "Product": "Microsoft® Windows® Operating System",
        "LogonGuid": "{a65d432e-b424-5fd7-e703-000000000000}",
        "FileVersion": "10.0.18362.387 (WinBuild.160101.0800)",
        "OriginalFileName": "WinInit.exe",
        "IntegrityLevel": "System",
        "TerminalSessionId": "0",
        "Description": "Windows Start-Up Application",
        "Company": "Microsoft Corporation",
        "LogonId": "0x3e7",
        "RuleName": "-"
      "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
      "process": {
        "pid": 5040,
        "thread": {
          "id": 7436
      "record_id": 93980,
      "api": "wineventlog",
      "computer_name": "CP960",
      "event_id": 1
    "user": {
      "domain": "NT AUTHORITY",
      "name": "SYSTEM"
    "related": {
      "user": "SYSTEM",
      "hash": [
    "log": {
      "level": "information"
    "ecs": {
      "version": "1.5.0"
    "message": "Process Create:\nRuleName: -\nUtcTime: 2020-12-14 18:51:16.118\nProcessGuid: {a65d432e-b424-5fd7-0800-000000005c00}\nProcessId: 928\nImage: C:\\Windows\\System32\\wininit.exe\nFileVersion: 10.0.18362.387 (WinBuild.160101.0800)\nDescription: Windows Start-Up Application\nProduct: Microsoft® Windows® Operating System\nCompany: Microsoft Corporation\nOriginalFileName: WinInit.exe\nCommandLine: wininit.exe\nCurrentDirectory: C:\\Windows\\system32\\\nUser: NT AUTHORITY\\SYSTEM\nLogonGuid: {a65d432e-b424-5fd7-e703-000000000000}\nLogonId: 0x3E7\nTerminalSessionId: 0\nIntegrityLevel: System\nHashes: MD5=E83650F70459A027AA596E1A73C961A1,SHA256=D5E122606054FA0B03DB3EE8CF9EA7701E523875E2BDB87581AD7232FFC9308E,IMPHASH=43BBE267E832982296370A326A7AC134\nParentProcessGuid: {00000000-0000-0000-0000-000000000000}\nParentProcessId: 572\nParentImage: -\nParentCommandLine: -",
    "process": {
      "name": "wininit.exe",
      "hash": {
        "md5": "e83650f70459a027aa596e3c961a1",
        "sha256": "d5e122606054fa0b03dbea7701e523875e2bdb87581ad7232ffc9308e"
      "pid": 928,
      "executable": "C:\\Windows\\System32\\wininit.exe",
      "command_line": "wininit.exe",
      "args": [
      "pe": {
        "imphash": "43bbe267e83270a326a7ac134"
      "entity_id": "{a65d432e-b424-5fd7-0800-00005c00}",
      "working_directory": "C:\\Windows\\system32\\",
      "parent": {
        "args": [
        "entity_id": "{00000000-0000-0000-0000-000000000000}",
        "pid": 572,
        "executable": "-",
        "command_line": "-",
        "name": "-"
    "event": {
      "created": "2020-12-14T18:53:26.563Z",
      "module": "sysmon",
      "type": [
      "category": [
      "kind": "event",
      "code": 1,
      "provider": "Microsoft-Windows-Sysmon",
      "action": "Process Create (rule: ProcessCreate)"
    "host": {
      "name": "CP96"
    "tags": [
    "hash": {
      "md5": "e83650aa596e1a73c961a1",
      "sha256": "d5e122606054fa81ad7232ffc9308e",
      "imphash": "43bbe267e296370a326a7ac134"
  "fields": {
    "@timestamp": [
    "event.created": [
  "highlight": {
    "process.name": [
    "event.provider": [
  "sort": [

As you can see process.parent.name has a dash as value? This is just one example, I made a list of all sysmon process events (based on imphash) of the last 7 days where process.parent.name has a '-' as value:

This is only a small percentage, most sysmon process events do have a value.

Checked the 7.11 version of the rule and the EQL query should indeed fix my problem. Unfortunately I will not have the time to update to 7.10.1 untill mid January.

Best regards,


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.