Dear Forum members,

A quick technical question i.r.t entity mapping for Process entity. Specifically in the context of DeviceProcessEvent/ Sysmon Event 1;

Understand that there are initiating/parent process and child/new process in those logs. 

When we map the 'Process' entity, do we map it against the parent process OR child process OR we do it for both? 

Thank you for your feedback/ response.