yampelo
commented
5 years ago The reason for this is that sometimes, the information about the parent process doesn't actually exist in a windows security event log file. For example this event:
{
'data_name_commandline': '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
'-s -NoLogo -NoProfile',
'data_name_newprocessid': '0x00000c50',
'data_name_newprocessname': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
'data_name_processid': '0x0000011c',
'data_name_subjectdomainname': 'IE10WIN7',
'data_name_subjectlogonid': '0x000000000006793c',
'data_name_subjectusername': 'IEUser',
'data_name_subjectusersid': 'S-1-5-21-3463664321-2923530833-3546627382-1000',
'data_name_tokenelevationtype': '%%1937',
'eventid_qualifiers': '4688',
}This event shows process 0x0000011c spawning a powershell process ID with 0x00000c50.
Since this is the first event in this EVTX file, there's no way to get more information about the parent process (0x0000011c). That means I need to either decide to ignore it, or just give it "empty" values like you see above.
I chose to not drop it and give it an empty value as it makes the graph more complete, in your case, you still have the two outgoing edges from the 'empty' process. If I had dropped it, you wouldn't know the those two nodes are related/spawned by the same parent. If you click on it and view it in the side window, you'll actually see the information Beagle found on it (hashes/pid/etc)
I hope this explains why, this is only the case with WindowsEVTX files, because they do not give info about the parent in each event
szym3n
Hi,
When providing an evtx to the software, the nodes of the parent processes do not necessarily have a name because it is not specified in the transformer. This patch is used to display it.