Recommend adding the parent process's event_id field to all System module process events as well as socket events.
Having the parent process's event_id in a process and socket event would be extremely useful when conducting a forensic investigation using the System events. With this data it would be easy to create queries that quickly display all activity by a single process.
For example, in a Windows domain with Sysmon I have built a Kibana 'process investigation' dashboard for our SOC engineers, where the engineer enters the Process GUID of the process under investigation to quickly see all activity from that process. The dashboard is broken up into panels that display all child processes spawned, information about the parent process, all network connections, and any other events related to that process. I would like to create a similar dashboard for the Linux hosts in our domain that use the System module.
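As an added example (not code from the issue author or from the Beats project), this shows the correlation the requested field would enable, over a handful of constructed events in an Auditbeat-like shape. The field names `process.entity_id` and `process.parent.entity_id`, the `event.action` values, and the `investigate()` helper are assumptions for illustration and are not the System module's actual schema; the point is that once every process and socket event carries its own process identifier and its parent's, the "parent / children / network connections" panels of the dashboard reduce to a few lookups and a tree walk.

```python
"""Pivot on a process identifier across process and socket events.

Constructed sample data; field names are assumptions, not the Beats schema.
"""
from collections import defaultdict

# Constructed events. entity_id stands in for the per-process event_id the
# post asks for; parent.entity_id for the parent's. "p0" is an unseen ancestor.
SAMPLE_EVENTS = [
    {"event": {"action": "process_started"},
     "process": {"entity_id": "p1", "name": "bash", "parent": {"entity_id": "p0"}}},
    {"event": {"action": "process_started"},
     "process": {"entity_id": "p2", "name": "curl", "parent": {"entity_id": "p1"}}},
    {"event": {"action": "network_flow"}, "process": {"entity_id": "p2"},
     "destination": {"ip": "203.0.113.10", "port": 443}},
    {"event": {"action": "process_started"},
     "process": {"entity_id": "p3", "name": "sh", "parent": {"entity_id": "p2"}}},
    {"event": {"action": "network_flow"}, "process": {"entity_id": "p3"},
     "destination": {"ip": "198.51.100.7", "port": 4444}},
    {"event": {"action": "process_started"},
     "process": {"entity_id": "p4", "name": "sshd", "parent": {"entity_id": "p0"}}},
    {"event": {"action": "network_flow"}, "process": {"entity_id": "p4"},
     "destination": {"ip": "192.0.2.9", "port": 22}},
]


def build_index(events):
    """Index process events by entity id, child ids by parent id, sockets by owner id."""
    by_id = {}
    children = defaultdict(list)
    sockets = defaultdict(list)
    for ev in events:
        proc = ev.get("process", {})
        eid = proc.get("entity_id")
        if eid is None:
            continue  # nothing to pivot on without a process identifier
        if ev["event"]["action"] == "process_started":
            by_id[eid] = ev
            parent = proc.get("parent", {}).get("entity_id")
            if parent is not None:
                children[parent].append(eid)
        else:
            sockets[eid].append(ev)
    return by_id, children, sockets


def descendants(children, entity_id):
    """Depth-first walk returning all transitive children; guards against cycles."""
    out, seen = [], set()
    stack = list(reversed(children.get(entity_id, [])))
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        out.append(cur)
        stack.extend(reversed(children.get(cur, [])))
    return out


def investigate(events, entity_id):
    """Return the data behind the dashboard panels for one process id (hypothetical helper)."""
    by_id, children, sockets = build_index(events)
    proc = by_id.get(entity_id)
    parent_id = proc["process"]["parent"].get("entity_id") if proc else None
    tree = descendants(children, entity_id)

    def conns(pid):
        return [f"{s['destination']['ip']}:{s['destination']['port']}"
                for s in sockets.get(pid, [])]

    return {
        "process": proc["process"]["name"] if proc else None,
        "parent": by_id.get(parent_id, {}).get("process", {}).get("name") if parent_id else None,
        "children": tree,
        "connections": conns(entity_id),
        "descendant_connections": [c for pid in tree for c in conns(pid)],
    }


if __name__ == "__main__":
    # Pivot on the curl process: parent, child shell, and both sets of connections.
    print(investigate(SAMPLE_EVENTS, "p2"))
```

Without the parent identifier on the process event, the `children` panel cannot be built at all; without the owning process identifier on the socket event, the `connections` panel cannot be tied to the process. The `sshd` events in the sample never appear in the `p2` pivot, which is the filtering the dashboard relies on.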