In a similar fashion, we can observe how Process Aliasing and Enrichment applies to this NETWORK_CONNECTION event. Google SecOps used the principal.process.product_specific_process_id to find the original launch event for MpDefenderCoreService.exe. It then enriched this network event's principal.process object with the "whole process" data (like its PID, hash, and command line) and its parent process (services.exe)—all of which was missing from the original raw log.
| Enriched | UDM Key | UDM Value | Enrichment Source |
| --- | --- | --- | --- |
| U | metadata.product_log_id | 6e284d1b-2c2d-4baa-95ea-4a4c8f7909b7 | |
| U | metadata.event_timestamp.seconds | 1761740838 | |
| U | metadata.event_timestamp.nanos | 475000000 | |
| U | metadata.event_type | NETWORK_CONNECTION | |
| U | metadata.vendor_name | Crowdstrike | |
| U | metadata.product_name | Falcon | |
| U | metadata.product_event_type | NetworkConnectIP4 | |
| U | metadata.description | NetworkConnectIP4V13 | |
| U | metadata.ingested_timestamp.seconds | 1761741379 | |
| U | metadata.ingested_timestamp.nanos | 580295000 | |
| U | metadata.product_deployment_id | 7015a549d5a5464f894353a509408606 | |
| U | metadata.id | b"AAAAAOGGqmZEdsYQSgRKws0XXlwAAAAABgAAAA8AAAA | |
| U | metadata.log_type | CS_EDR | |
| U | metadata.base_labels.log_types | CS_EDR | |
| U | metadata.base_labels.allow_scoped_access | TRUE | |
| E | metadata.enrichment_labels.log_types | CS_EDR | Crowdstrike EDR |
| E | metadata.enrichment_labels.allow_scoped_access | TRUE | Crowdstrike EDR |
| U | metadata.parser_version | 19 | |
| U | additional.fields["ConfigStateHash"] | 2379858933 | |
| U | additional.fields["config_build"] | 1007.3.0019909.15 | |
| U | additional.fields["effective_transmission_class"] | 3 | |
| U | additional.fields["entitlements"] | 15 | |
| U | additional.fields["event_origin"] | 1 | |
| U | additional.fields["in_context"] | 0 | |
| U | principal.hostname | WINDOWS-KK | |
| U | principal.asset_id | CS:36aa340a3674438090696e3e3906419a | |
| E | principal.process.pid | 3492 | Crowdstrike EDR |
| E | principal.process.file.sha256 | 1732632b30b27dfe458f0f6d05f4e50b7dd6ccd892adc9aba091446bebe2200b | Crowdstrike EDR |
| U | principal.process.file.full_path | MpDefenderCoreService.exe | |
| E | principal.process.command_line | \C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25090.3009-0\\MpDefenderCoreService.exe\"" | Crowdstrike EDR |
| U | principal.process.product_specific_process_id | CS:7015a549d5a5464f894353a509408606:36aa340a3674438090696e3e3906419a:313614810682 | |
| E | principal.process.parent_process.pid | 876 | Crowdstrike EDR |
| E | principal.process.parent_process.file.sha256 | 61480752127c47ea71a61217dd2d46fda104b0b48af9905ded6c607b946da3d1 | Crowdstrike EDR |
| E | principal.process.parent_process.file.full_path | \\Device\\HarddiskVolume3\\Windows\\System32\\services.exe | Crowdstrike EDR |
| E | principal.process.parent_process.command_line | C:\\Windows\\system32\\services.exe | Crowdstrike EDR |
| E | principal.process.parent_process.product_specific_process_id | CS:7015a549d5a5464f894353a509408606:36aa340a3674438090696e3e3906419a:313543611132 | Crowdstrike EDR |
| E | principal.process.parent_process.parent_process.product_specific_process_id | CS:7015a549d5a5464f894353a509408606:36aa340a3674438090696e3e3906419a:313540062826 | Crowdstrike EDR |
| U | principal.platform | WINDOWS | |
| U | principal.ip | 10.0.10.3 | |
| U | principal.port | 51537 | |
| U | principal.nat_ip | 34.31.105.68 | |
| U | principal.labels.key | in_context | |
| U | principal.labels.value | 0 | |
| U | target.ip | 20.50.80.214 | |
| U | target.port | 443 | |
| U | target.asset.ip | 20.50.80.214 | |
| U | about.resource.resource_type | CLOUD_ORGANIZATION | |
| U | about.resource.product_object_id | 7015a549d5a5464f894353a509408606 | |
| U | about.labels.key | entitlements | |
| U | about.labels.value | 15 | |
| U | about.labels.key | effective_transmission_class | |
| U | about.labels.value | 3 | |
| U | about.labels.key | config_build | |
| U | about.labels.value | 1007.3.0019909.15 | |
| U | about.labels.key | ConfigStateHash | |
| U | about.labels.value | 2379858933 | |
| U | network.ip_protocol | TCP | |
| U | network.direction | OUTBOUND | |
Conclusion:
Process Aliasing and Enrichment is a powerful, automated feature in Google SecOps that solves the critical challenge of broken process chains and PID reuse. As we've seen, it's not magic—it's a clever and robust data-linking mechanism.
- Process Aliasing: The mechanism (linking the product_specific_process_id to a past event).
- Process Enrichment: The result (copying the "Whole process" data from that past event into the current event).
By leveraging the stable product_specific_process_id provided by EDR logs, Google SecOps maps this ID to its original PROCESS_LAUNCH event. This aliasing is what enables the powerful Process Enrichment you see in your UDM events.
- It Enriches the Entire Process: It copies the "whole process" data (like the file hash, command line, and integrity level) from the original launch event into the current event. As we saw with the Sysmon example, this allows you to search for a PROCESS_LAUNCH event using the hash of its parent process—a piece of data that was not in the original log.
- It Provides Parent-of-Parent Context: The feature automatically adds the principal.process.parent_process object, giving you immediate "one-level-up" visibility of the grandparent process without any manual correlation.
- It Works on All Event Types: This enrichment applies to any UDM event, not just PROCESS_LAUNCH. You can now investigate a NETWORK_CONNECTION event and immediately see the full, enriched details of the process that initiated it and its parent.
- It Powers High-Fidelity Detections: All these enriched fields are fully searchable and available in YARA-L. You can now write detection rules that are far more resilient and context-aware, such as:
  - Alerting on a NETWORK_CONNECTION where the principal.process.parent_process.file.names is pwsh.exe.
  - Searching for file modifications where the principal.process.file.sha256 matches a known-bad hash.
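To make the two halves concrete, here is an added Python model of the aliasing index and the enrichment walk described above; it is not Google SecOps code. It runs over constructed UDM-shaped events: the vendor id prefix, the hashes and the paths are borrowed from the table, while the third launch (a second process reusing pid 3492) and the raw NETWORK_CONNECTION event are constructed, and the `depth` parameter generalises the parent-of-parent step the table shows.

```python
import copy
# Constructed vendor IDs (the stable join key); prefix and two suffixes come from the table
# above. Two launches share pid 3492 on purpose: PID reuse is exactly why pid alone fails.
P = "CS:7015a549d5a5464f894353a509408606:36aa340a3674438090696e3e3906419a:"
SERVICES, DEFENDER, REUSED = P + "313543611132", P + "313614810682", P + "constructed-reuse"

def launch(pspid, pid, path, sha256, cmd, parent_pspid):
    """Constructed PROCESS_LAUNCH event; only target.process is used by the index."""
    proc = {"product_specific_process_id": pspid, "pid": pid, "command_line": cmd,
            "file": {"full_path": path, "sha256": sha256},
            "parent_process": {"product_specific_process_id": parent_pspid}}
    return {"metadata": {"event_type": "PROCESS_LAUNCH"}, "target": {"process": proc}}

LAUNCHES = [
    launch(SERVICES, 876, r"\Device\HarddiskVolume3\Windows\System32\services.exe",
           "61480752127c47ea71a61217dd2d46fda104b0b48af9905ded6c607b946da3d1",
           r"C:\Windows\system32\services.exe", P + "313540062826"),
    launch(DEFENDER, 3492, "MpDefenderCoreService.exe",
           "1732632b30b27dfe458f0f6d05f4e50b7dd6ccd892adc9aba091446bebe2200b",
           r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25090.3009-0\MpDefenderCoreService.exe"',
           SERVICES),
    launch(REUSED, 3492, "other.exe", "constructed-sha256", "other.exe", SERVICES),
]

def build_alias_index(events):
    """Process Aliasing: map each product_specific_process_id to its launch record."""
    return {e["target"]["process"]["product_specific_process_id"]: e["target"]["process"]
            for e in events if e["metadata"]["event_type"] == "PROCESS_LAUNCH"}
def merge_missing(dst, src):
    """Copy launch-record fields in, never overwriting values the raw event already had."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            merge_missing(dst[key], value)
        else:
            dst.setdefault(key, copy.deepcopy(value))
def enrich(event, index, depth=2):
    """Process Enrichment: fill principal.process, then walk `depth` parent links up."""
    out = copy.deepcopy(event)
    proc = out["principal"]["process"]
    for _ in range(depth):  # depth=2 gives parent details plus the grandparent's id
        hit = index.get(proc.get("product_specific_process_id"))
        if hit is None:
            break
        merge_missing(proc, hit)
        proc = proc.get("parent_process", {})
    return out
# Constructed raw NETWORK_CONNECTION: as in the raw log, only the vendor id and file name.
RAW_NET = {"metadata": {"event_type": "NETWORK_CONNECTION"},
           "principal": {"process": {"product_specific_process_id": DEFENDER,
                                     "file": {"full_path": "MpDefenderCoreService.exe"}}}}
ENRICHED = enrich(RAW_NET, build_alias_index(LAUNCHES))
```

After `enrich`, `ENRICHED["principal"]["process"]` carries the pid, SHA-256 and command line of MpDefenderCoreService.exe plus a `parent_process` filled from the services.exe launch, exactly the "E" rows of the table, while the raw event is left untouched.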
Ultimately, Process Aliasing and Enrichment quietly transforms raw, disconnected EDR logs into a highly-connected, context-rich dataset. By understanding how this works, you can start building more powerful detections and supercharge your threat-hunting workflows.