Auditbeat System module: Add parent process entity_id field to process and socket events

Recommend adding the parent process's entity_id field to all System module process events as well as socket events.

Having the parent process's entity_id in a process and socket event would be extremely useful when conducting a forensic investigation using the System events. With this data it would be easy to create queries that quickly display all activity by a single process.

For example, in a Windows domain with Sysmon I have built a Kibana 'process investigation' dashboard for our SOC engineers where the engineer enters the ProcessGuid of the process under investigation to quickly see all activity from that process. The dashboard is broken up into panels that display all child processes spawned, information about the parent process, all network connections, and any other events related to that process. I would like to create a similar dashboard for the Linux hosts in our domain that use the System module.

We do have an add_process_metadata processor that some users configure to enrich events with parent process information. Can you try doing that and see if it works for you?

processors:
- add_process_metadata:
    match_pids: [process.ppid]
    target: process.parent
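The processor above enriches with the parent's metadata but not its entity_id, so the "all activity by one process" query from the opening post still has to be stitched together after ingestion. The following is an added example, not Auditbeat code or a reproduction of the add_process_metadata processor: it takes constructed System-module-style events (process.pid, process.ppid, process.entity_id, socket events with a pid but no ppid), resolves process.parent.entity_id from the parent's process_started event, and then groups everything attributable to one entity_id into the panels the dashboard describes. The field layout and sample values are assumptions.

```python
"""Resolve parent process entity_id for Auditbeat-style process/socket events
and collect every event attributable to one process.

Added example (not Auditbeat's own code). Event shapes are constructed to
resemble System module output; the join logic is an assumption about how to
stitch events after ingestion, not what add_process_metadata does.
"""

# Constructed sample events: a "bash" process, a "curl" child it spawned,
# a socket event from that child, and the child's exit. ppid links are PID-only;
# parent entity_id is absent, which is the gap this thread is about.
SAMPLE_EVENTS = [
    {"event": {"module": "system", "dataset": "process", "action": "process_started"},
     "process": {"pid": 4100, "ppid": 1, "name": "bash", "entity_id": "ent-bash-4100"}},
    {"event": {"module": "system", "dataset": "process", "action": "process_started"},
     "process": {"pid": 4211, "ppid": 4100, "name": "curl", "entity_id": "ent-curl-4211"}},
    {"event": {"module": "system", "dataset": "socket", "action": "network_flow"},
     "process": {"pid": 4211, "name": "curl", "entity_id": "ent-curl-4211"},
     "destination": {"ip": "203.0.113.10", "port": 443}},
    {"event": {"module": "system", "dataset": "process", "action": "process_stopped"},
     "process": {"pid": 4211, "ppid": 4100, "name": "curl", "entity_id": "ent-curl-4211"}},
]


def build_process_index(events):
    """From process_started events, map pid -> (entity_id, ppid).

    Caveat: a PID-keyed index is ambiguous once PIDs are reused after a process
    exits; that is exactly why a native parent entity_id in each event is the
    better source. Here the sample window contains no reuse.
    """
    index = {}
    for ev in events:
        if ev["event"]["dataset"] == "process" and ev["event"]["action"] == "process_started":
            p = ev["process"]
            index[p["pid"]] = (p["entity_id"], p.get("ppid"))
    return index


def add_parent_entity_id(events):
    """Return copies of the events with process.parent.entity_id filled in
    wherever the parent's start event was observed. Input is not mutated."""
    index = build_process_index(events)
    out = []
    for ev in events:
        proc = dict(ev["process"])
        ppid = proc.get("ppid")
        if ppid is None:
            # Socket events carry pid but no ppid: recover ppid from the start event.
            _, ppid = index.get(proc["pid"], (None, None))
        parent_entity = index.get(ppid, (None, None))[0] if ppid is not None else None
        if parent_entity is not None:
            parent = dict(proc.get("parent", {}))
            parent["entity_id"] = parent_entity
            proc["parent"] = parent
        out.append({**ev, "process": proc})
    return out


def events_for_process(entity_id, events):
    """Group events the way the investigation dashboard panels would:
    the process's own lifecycle, children it spawned, and its sockets."""
    panels = {"self": [], "children": [], "sockets": []}
    for ev in events:
        proc = ev["process"]
        parent_id = proc.get("parent", {}).get("entity_id")
        ds = ev["event"]["dataset"]
        if proc.get("entity_id") == entity_id:
            panels["sockets" if ds == "socket" else "self"].append(ev)
        elif parent_id == entity_id and ds == "process":
            panels["children"].append(ev)
    return panels


if __name__ == "__main__":
    enriched = add_parent_entity_id(SAMPLE_EVENTS)
    for name, evs in events_for_process("ent-bash-4100", enriched).items():
        print(name, [e["event"]["action"] for e in evs])
```

With the sample data, querying "ent-bash-4100" yields one lifecycle event for bash itself, the two curl process events as children, and no sockets; querying "ent-curl-4211" yields curl's start and stop plus its one socket event. Once Auditbeat emits the parent entity_id natively, build_process_index becomes unnecessary and the PID-reuse ambiguity disappears.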

@andrewkroh I don't believe this metadata works in the current version of Auditbeat 6.7.

Auditbeat doesn't start when using it. Works in Filebeat though.

What error do you get and what's the config you're trying (auditbeat export config)?

@andrewkroh, it does work now!

There was an error in processor indentation.

We made this modification to our config and I see the ppid value in the events, but not the entity_id of the parent process. If this is successful, as I was hoping, I should see two entity_id fields in each process event, one for the process and one for the parent process. Is that what I should be seeing, or do I have an issue with my config?

There's no issue on your end. The processor doesn't add the entity ID. The entity ID is a new idea that was added into Auditbeat's System module, but the add_process_metadata processor hasn't been enhanced to support it (this is a generic processor that is shared by all Beats).

Would you mind opening an enhancement request in the GitHub repo for this feature? https://github.com/elastic/beats/issues/new/choose

Opened as issue #11695