Forum Discussion
jasonchrist
Jun 22, 2022
Copper Contributor
Microsoft Sentinel Entity Mapping: Process - best practice
Dear Forum members,
A quick technical question in relation to entity mapping for the Process entity, specifically in the context of DeviceProcessEvent / Sysmon Event 1:
I understand that there are initiating/parent processes and child/new processes in those logs.
When we map the 'Process' entity, do we map it against the parent process or the child process, or do we do it for both?
Thank you for your feedback/ response.