From 6c32e78dcbfae1a0aa4cbf8fb2bba3aadad1af86 Mon Sep 17 00:00:00 2001
From: Dan Kortschak <90160302+efd6@users.noreply.github.com>
Date: Wed, 6 Apr 2022 12:30:09 +0930
Subject: [PATCH] x-pack/winlogbeat: add parent process ID to new process creation events (#31102)
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/security/ingest/security.yml | 16 ++++++++++++++++
 ...ows2019_4688_Process_Created.evtx.golden.json | 3 ++-
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 02b3f47d520..2ee0be2934d 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -153,6 +153,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif
 
 - Improve the error message when the registry file content is invalid. {pull}30543[30543]
 - Retry EvtSubscribe from start if fails with strict mode. {issue}29793[29793] {pull}30155[30155]
+- Add parent process ID to new process creation events. {issue}29237[29237] {pull}31102[31102]
 
 *Elastic Log Driver*
 
diff --git a/x-pack/winlogbeat/module/security/ingest/security.yml b/x-pack/winlogbeat/module/security/ingest/security.yml
index 7681693f253..0a71838ae85 100644
--- a/x-pack/winlogbeat/module/security/ingest/security.yml
+++ b/x-pack/winlogbeat/module/security/ingest/security.yml
@@ -2860,6 +2860,22 @@ processors:
 def parts = ctx.process.parent.executable.splitOnToken("\\");
 ctx.process.parent.put("name", parts[-1]);
 }
+ if (ctx?.winlog?.event_data?.ProcessId != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx?.process?.parent == null) {
+ HashMap hm = new HashMap();
+ ctx.process.put("parent", hm);
+ }
+ if (ctx.winlog.event_data.ProcessId instanceof String) {
+ Long pid = Long.decode(ctx.winlog.event_data.ProcessId);
+ ctx.process.parent.put("pid", pid.longValue());
+ } else {
+ ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId);
+ }
+ }
 if (ctx?.winlog?.event_data?.CommandLine != null) {
 int start = 0;
 int end = 0;
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json
index 0b5f968db41..6290dc3226a 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json
@@ -32,7 +32,8 @@
 "name": "wevtutil.exe",
 "parent": {
 "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
- "name": "powershell.exe"
+ "name": "powershell.exe",
+ "pid": 4652
 },
 "pid": 4556
 },
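Review bot: `Long.decode(ctx.winlog.event_data.ProcessId)` throws NumberFormatException on any value that is not a well-formed decimal, 0x-hex or octal literal, and nothing in the hunk catches it, so an event whose ProcessId is empty or malformed fails the whole script processor instead of merely lacking `process.parent.pid`; whether a pipeline-level `on_failure` handler absorbs that is outside the hunk. The surrounding context (the unguarded `splitOnToken` on `executable`) suggests this is the script's existing convention, but a field lifted straight from the raw event log is the kind of input an enrichment step should tolerate, since the other fields of the same event are still useful for detection. Wrapping the decode in a try/catch that leaves `parent.pid` unset keeps the rest of the enrichment intact, and the intermediate `Long pid` plus `pid.longValue()` unboxing become unnecessary. A one-line comment such as `// 4688 ProcessId is the creator (parent) process; the new process's own id comes from NewProcessId` would also stop a later reader from "correcting" the mapping to `process.pid`. The enclosing script block starts and ends outside the hunk.

```painless
if (ctx.winlog.event_data.ProcessId instanceof String) {
    // 4688 ProcessId is the creator (parent) process; Long.decode accepts decimal and 0x-prefixed hex.
    try {
        ctx.process.parent.put("pid", Long.decode(ctx.winlog.event_data.ProcessId));
    } catch (NumberFormatException e) {
        // Leave parent.pid unset rather than failing the whole event on a malformed value.
    }
} else {
    ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId);
}
```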