x-pack/winlogbeat: add parent process ID to new process creation even…

…ts (#31102)

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

CHANGELOG.next.asciidoc

@@ -153,6 +153,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif
 
 - Improve the error message when the registry file content is invalid. {pull}30543[30543]
 - Retry EvtSubscribe from start if fails with strict mode. {issue}29793[29793] {pull}30155[30155]
+- Add parent process ID to new process creation events. {issue}29237[29237] {pull}31102[31102]
 
 
 *Elastic Log Driver*

x-pack/winlogbeat/module/security/ingest/security.yml

@@ -2860,6 +2860,22 @@ processors:
           def parts = ctx.process.parent.executable.splitOnToken("\\");
           ctx.process.parent.put("name", parts[-1]);
         }
+        if (ctx?.winlog?.event_data?.ProcessId != null) {
+          if (ctx?.process == null) {
+            HashMap hm = new HashMap();
+            ctx.put("process", hm);
+          }
+          if (ctx?.process?.parent == null) {
+            HashMap hm = new HashMap();
+            ctx.process.put("parent", hm);
+          }
+          if (ctx.winlog.event_data.ProcessId instanceof String) {
+            Long pid = Long.decode(ctx.winlog.event_data.ProcessId);
+            ctx.process.parent.put("pid", pid.longValue());
+          } else {
+            ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId);
+          }
+        }
         if (ctx?.winlog?.event_data?.CommandLine != null) {
           int start = 0;
           int end = 0;

x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json

@@ -32,7 +32,8 @@
       "name": "wevtutil.exe",
       "parent": {
         "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
-        "name": "powershell.exe"
+        "name": "powershell.exe",
+        "pid": 4652
       },
       "pid": 4556
     },