Adapting ECS process field set for a process tree?

We have a system sending alerts on process activity. The alert contains an entire process tree related to the offending process - the parent process, grandparent process, etc.

The ECS process field set has a parent node, process.parent, under which process fields can be nested. Does parent nesting allow for multiple generations of parents, e.g. process.parent.parent and process.parent.parent.parent?

The alert that my system generates looks something like this

{
    "alert_id": 1234,
    "alert_type" : "unexpected process",
    "properties": {
        "args": "\"D:\\program1.exe\" ",
        "pid": 1788,
        "ppid": 6832,
        "start_time": "2021-05-17T13:10:39Z",
        "user": "NT AUTHORITY\\SYSTEM",
        "parent": {
            "args": "\"D:\\program2.exe\"",
            "pid": 6832,
            "ppid": 744,
            "start_time": "2021-05-17T04:20:56Z",
            "user": "NT AUTHORITY\\SYSTEM",
            "parent": {
                "args": "C:\\WINDOWS\\system32\\services.exe",
                "pid": 744,
                "ppid": 604,
                "start_time": "2021-05-17T04:20:06Z",
                "user": "NT AUTHORITY\\SYSTEM"
            }
        }
    }
}

Could this be mapped to an ECS event that includes the entire process tree like below?

{
    "event" : {
        "id" : 1234,
        "dataset" :"systemx",
        "kind" : "alert",
        "reason" : "unexpected process"
    },
    "process" : {
        "args": "\"D:\\program1.exe\" ",
        "name": "program1.exe",
        "pid": 1788,
        "ppid": 6832,
        "start": "2021-05-17T13:10:39Z",
        "parent": {
            "args": "\"D:\\program2.exe\"",
            "name": "program2.exe",
            "pid": 6832,
            "ppid": 744,
            "start": "2021-05-17T04:20:56Z",
            "parent": {
                "args": "C:\\WINDOWS\\system32\\services.exe",
                "name" : "services.exe",
                "pid": 744,
                "ppid": 604,
                "start": "2021-05-17T04:20:06Z"
            }
        }
    }
}

Hi @Gerry7!

Great question. Unfortunately process.* is only nested as process.parent.* once in ECS. If you want to be able to have a 'grandparent' process, you'd need to create a custom field. The ECS docs have some good information about our recommendations for custom fields, such as capitalization (so you'd have process.parent.Parent).

Not quite related to your ask, but in the security app analyzer, we do stitch together process trees from multiple events. See here for the docs.
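A worked mapping of the alert format from the question onto an ECS-style document, as an added example (not code from this thread or from Elastic). It keeps the process / process.parent nesting that ECS defines, maps the raw command line to process.command_line (process.args in ECS is an array, so the unparsed string does not belong there), and puts every ancestor beyond the parent under a custom capitalised "Parent" key, which is how I read the reply's recommendation of process.parent.Parent. The dataset name "systemx" is taken from the draft mapping in the question; the user.domain / user.name split and the helper names are my own choices.

```python
"""Map a nested process-tree alert onto an ECS-style document (added example)."""
import json
import ntpath

# Constructed sample with the same shape as the alert in the question.
SAMPLE_ALERT = {
    "alert_id": 1234,
    "alert_type": "unexpected process",
    "properties": {
        "args": "\"D:\\program1.exe\" ",
        "pid": 1788,
        "ppid": 6832,
        "start_time": "2021-05-17T13:10:39Z",
        "user": "NT AUTHORITY\\SYSTEM",
        "parent": {
            "args": "\"D:\\program2.exe\"",
            "pid": 6832,
            "ppid": 744,
            "start_time": "2021-05-17T04:20:56Z",
            "user": "NT AUTHORITY\\SYSTEM",
            "parent": {
                "args": "C:\\WINDOWS\\system32\\services.exe",
                "pid": 744,
                "ppid": 604,
                "start_time": "2021-05-17T04:20:06Z",
                "user": "NT AUTHORITY\\SYSTEM",
            },
        },
    },
}


def executable_name(command_line: str) -> str:
    """File name of the executable in a Windows command line.

    A quoted first token ("D:\\prog.exe" args) is unquoted; otherwise the
    text up to the first space is taken. ntpath handles backslashes on any OS.
    """
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        path = s[1:end] if end != -1 else s[1:]
    else:
        path = s.split(" ", 1)[0]
    return ntpath.basename(path)


def _process_fields(node: dict) -> dict:
    # ppid is not copied: the parent's pid already lands in the nested parent object.
    return {
        "command_line": node["args"],
        "name": executable_name(node["args"]),
        "pid": node["pid"],
        "start": node["start_time"],
    }


def map_process_tree(node: dict, depth: int = 0) -> dict:
    """depth 0 -> process.*, depth 1 -> process.parent.* (both ECS-defined).

    Any further ancestor is stored under a custom capitalised "Parent" key,
    following the reply's custom-field recommendation (my reading of it).
    """
    fields = _process_fields(node)
    parent = node.get("parent")
    if parent is not None:
        key = "parent" if depth == 0 else "Parent"
        fields[key] = map_process_tree(parent, depth + 1)
    return fields


def alert_to_ecs(alert: dict) -> dict:
    props = alert["properties"]
    domain, _, name = props["user"].rpartition("\\")  # "NT AUTHORITY\\SYSTEM"
    user = {"name": name}
    if domain:
        user["domain"] = domain
    return {
        "event": {
            "id": str(alert["alert_id"]),  # event.id is a keyword in ECS
            "dataset": "systemx",           # dataset name from the question's draft
            "kind": "alert",
            "reason": alert["alert_type"],
        },
        "user": user,
        "process": map_process_tree(props),
    }


def custom_field_paths(fields: dict, prefix: str = "process") -> list:
    """Dotted paths of custom (capitalised) keys that need their own index mapping."""
    out = []
    for key, value in fields.items():
        path = f"{prefix}.{key}"
        if key[:1].isupper():
            out.append(path)
        if isinstance(value, dict):
            out.extend(custom_field_paths(value, path))
    return out


if __name__ == "__main__":
    doc = alert_to_ecs(SAMPLE_ALERT)
    print(json.dumps(doc, indent=2))
    print("custom fields to declare:", custom_field_paths(doc["process"]))
```

custom_field_paths is there so the ingest side can list which capitalised keys fall outside the ECS schema and must be declared in the index template before the documents are indexed; for the sample it reports only process.parent.Parent.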
