Break recursion, define parent and grandparents

dictionary.json

@@ -2099,6 +2099,11 @@
       "description": "The given or first name of the user.",
       "type": "string_t"
     },
+    "grandparent_process": {
+      "caption": "Grandparent Process",
+      "description": "The Grandparent Process object signifies the originating process that indirectly initiates a chain of descendant processes. By tracing back through Parent Processes, the Grandparent Process object helps to map out the broader process tree, establishing a clearer picture of process lineage and inheritance.",
+      "type": "grandparent_process"
+    },
     "group": {
       "caption": "Group",
       "description": "The group object associated with an entity such as user, policy, or rule.",
@@ -3196,8 +3201,8 @@
     },
     "parent_process": {
       "caption": "Parent Process",
-      "description": "The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.",
-      "type": "process"
+      "description": "The Parent Process object represents the process that initiates or spawns a new child process. This object tracks the lineage and origin of child processes, providing visibility into the hierarchical structure of process execution.",
+      "type": "parent_process"
     },
     "path": {
       "caption": "Path",

objects/grandparent_process.json

@@ -0,0 +1,76 @@
+{
+  "caption": "Grandparent Process",
+  "description": "The Grandparent Process object signifies the originating process that indirectly initiates a chain of descendant processes. By tracing back through Parent Processes, the Grandparent Process object helps to map out the broader process tree, establishing a clearer picture of process lineage and inheritance. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Process/'>d3f:Process</a>.",
+  "extends": "_entity",
+  "name": "grandparent_process",
+  "observable": 25,
+  "profiles": [
+    "container"
+  ],
+  "attributes": {
+    "$include": [
+      "profiles/container.json"
+    ],
+    "cmd_line": {
+      "requirement": "recommended"
+    },
+    "created_time": {
+      "description": "The time when the process was created/started.",
+      "requirement": "recommended"
+    },
+    "file": {
+      "description": "The process file object.",
+      "requirement": "recommended"
+    },
+    "integrity": {
+      "requirement": "optional"
+    },
+    "integrity_id": {
+      "requirement": "optional"
+    },
+    "lineage": {
+      "requirement": "optional"
+    },
+    "loaded_modules": {
+      "requirement": "optional"
+    },
+    "name": {
+      "description": "The friendly name of the process, for example: <code>Notepad++</code>.",
+      "type": "process_name_t"
+    },
+    "pid": {
+      "requirement": "recommended"
+    },
+    "sandbox": {
+      "requirement": "optional"
+    },
+    "session": {
+      "description": "The user session under which this process is running.",
+      "requirement": "optional"
+    },
+    "terminated_time": {
+      "description": "The time when the process was terminated.",
+      "requirement": "optional"
+    },
+    "tid": {
+      "requirement": "optional"
+    },
+    "uid": {
+      "description": "A unique identifier for this process assigned by the producer (tool).  Facilitates correlation of a process event with other events for that process."
+    },
+    "user": {
+      "description": "The user under which this process is running.",
+      "requirement": "recommended"
+    },
+    "xattributes": {
+      "description": "An unordered collection of zero or more name/value pairs that represent a process extended attribute.",
+      "requirement": "optional"
+    }
+  },
+  "constraints": {
+    "at_least_one": [
+      "pid",
+      "uid"
+    ]
+  }
+}

objects/parent_process.json

@@ -0,0 +1,76 @@
+{
+  "caption": "Parent Process",
+  "description": "The Parent Process object represents the process that initiates or spawns a new child process. This object tracks the lineage and origin of child processes, providing visibility into the hierarchical structure of process execution. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Process/'>d3f:Process</a>.",
+  "extends": "_entity",
+  "name": "parent_process",
+  "observable": 25,
+  "profiles": [
+    "container"
+  ],
+  "attributes": {
+    "$include": [
+      "profiles/container.json"
+    ],
+    "cmd_line": {
+      "requirement": "recommended"
+    },
+    "created_time": {
+      "description": "The time when the process was created/started.",
+      "requirement": "recommended"
+    },
+    "file": {
+      "description": "The process file object.",
+      "requirement": "recommended"
+    },
+    "integrity": {
+      "requirement": "optional"
+    },
+    "integrity_id": {
+      "requirement": "optional"
+    },
+    "lineage": {
+      "requirement": "optional"
+    },
+    "loaded_modules": {
+      "requirement": "optional"
+    },
+    "name": {
+      "description": "The friendly name of the process, for example: <code>Notepad++</code>.",
+      "type": "process_name_t"
+    },
+    "pid": {
+      "requirement": "recommended"
+    },
+    "sandbox": {
+      "requirement": "optional"
+    },
+    "session": {
+      "description": "The user session under which this process is running.",
+      "requirement": "optional"
+    },
+    "terminated_time": {
+      "description": "The time when the process was terminated.",
+      "requirement": "optional"
+    },
+    "tid": {
+      "requirement": "optional"
+    },
+    "uid": {
+      "description": "A unique identifier for this process assigned by the producer (tool).  Facilitates correlation of a process event with other events for that process."
+    },
+    "user": {
+      "description": "The user under which this process is running.",
+      "requirement": "recommended"
+    },
+    "xattributes": {
+      "description": "An unordered collection of zero or more name/value pairs that represent a process extended attribute.",
+      "requirement": "optional"
+    }
+  },
+  "constraints": {
+    "at_least_one": [
+      "pid",
+      "uid"
+    ]
+  }
+}

objects/process.json

@@ -41,6 +41,9 @@
     "parent_process": {
       "requirement": "recommended"
     },
+    "grandparent_process": {
+      "requirement": "optional"
+    },
     "pid": {
       "requirement": "recommended"
     },