jasonchrist
Copper Contributor
Jun 22, 2022

Microsoft Sentinel Entity Mapping: Process - best practice

Dear Forum members,

 

A quick technical question i.r.t. entity mapping for the Process entity, specifically in the context of DeviceProcessEvent / Sysmon Event 1:

I understand that there are initiating/parent processes and child/new processes in those logs.

When we map the 'Process' entity, do we map it against the parent process OR the child process, OR do we do it for both?

 

Thank you for your feedback/response.
