Recommend adding the parent processes event_id field to all System module process events as well as socket events.
Having the parent processes event_id in a process and socket event would be extremely useful when conducting a forensic investigation using the System events. With this data it would be easy to create queries that quickly display all activity by a single process.
For example, in a windows domain with Sysmon I have built a kibana 'process investigation' dashboard for our SOC engineers where the engineer enters the Process Guid of the process under investigation to quickly see all activity from that processes. The dashboard is broken up into panels that display all child processes spawned, information about the parent process, all network connections, and any other events related to that process. I would like to create a similar dashboard for the Linux hosts in our domain that use the system module.
We do have a add_process_metadata processor some users configure to enrich events with parent process information. Can you try doing that and seeing if it works for you?
We made this modification to our config and I see the ppid value in the events, but not the entity_id of the parent process. If this is successful as I was hoping for I should see two entity_id fields in each process event, one for the process, and one for the parent process. Is that what I should be seeing or do I have an issue with my config?
There's no issue on your end. The processor doesn't add the entity ID. The entity ID is new idea that was added into Auditbeat's system module, but the add_process_metadata processor hasn't been enhanced to support it (this is a generic processor that is shared by all Beats).
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.