Corrolating Process and Network Connections

[OlexTratisky]

Hello,

I have a Hunt question. I have a process that is establishing a network connection to a given host.

The process.exe is seen correctly in the hunt interface by the sysmon module.

Looking at that event i would like to dig deeper and see the network connection established from that process. What parameter i that event should i use to corrolate the process event to the networkevent?

I tried to check on the PID since both share the same PID but the networkevent is not seen in the events tab

[dougburks]

I just tested and was able to correlate from a process_creation event to the corresponding network_connection event using the process.pid field. You might also try the process.executable field. If neither of those work for you, then you might want to check your sysmon configuration and make sure it is logging what you expect.