system,windows: generate files

elastic · Apr 1, 2022 · 2493a1b · 2493a1b
1 parent 4f13184
commit 2493a1b
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 4 deletions.
diff --git a/...rity/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/...rity/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
@@ -45,7 +45,8 @@
                 "name": "wevtutil.exe",
                 "parent": {
                     "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
-                    "name": "powershell.exe"
+                    "name": "powershell.exe",
+                    "pid": 4652
                 },
                 "pid": 4556
             },
@@ -68,7 +69,6 @@
                 "event_data": {
                     "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security",
                     "MandatoryLabel": "S-1-16-12288",
-                    "ProcessId": "0x122c",
                     "SubjectDomainName": "VAGRANT",
                     "SubjectLogonId": "0x274a2",
                     "SubjectUserName": "vagrant",

diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md
@@ -548,6 +548,7 @@ An example event for `security` looks as following:
 | process.name | Process name. Sometimes called program name or similar. | keyword |
 | process.parent.executable | Absolute path to the process executable. | keyword |
 | process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.pid | Process id. | long |
 | process.pid | Process id. | long |
 | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
 | related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |

diff --git a/...rded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/...rded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
@@ -45,7 +45,8 @@
                 "name": "wevtutil.exe",
                 "parent": {
                     "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
-                    "name": "powershell.exe"
+                    "name": "powershell.exe",
+                    "pid": 4652
                 },
                 "pid": 4556
             },
@@ -65,7 +66,6 @@
                 "event_data": {
                     "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security",
                     "MandatoryLabel": "S-1-16-12288",
-                    "ProcessId": "0x122c",
                     "SubjectDomainName": "VAGRANT",
                     "SubjectLogonId": "0x274a2",
                     "SubjectUserName": "vagrant",