- Stage: 0 (strawperson)
- Date: 2021-05-03

The `process.ppid` field has been part of ECS since 1.0.0. The `process.parent.*` fields were later introduced in ECS 1.3.0, including `process.parent.pid`. Both fields serve the same purpose: capturing the process identifier (PID) of a process' parent.

There's no need to have two fields capturing the same value, and to avoid duplication or user confusion, one of the fields should be removed. With all of the parent process fields now included in ECS under the `process.parent.*` nesting, `process.ppid` could be deprecated and then later removed.

- ECS 1.x: Indicate that `process.ppid` is deprecated in the field's description in an upcoming ECS minor release. Advise sources populating `process.ppid` to transition to `process.parent.pid` instead.
- Next ECS major: Remove the `process.ppid` field in the next ECS major release.

New processes are typically spawned directly from their parent, or calling, process. Capturing the parent PID (PPID) has many applications:

- Modeling process hierarchy
- Attackers may try to start a process with an arbitrary parent process set. Capturing the PPID value helps identify if an attacker is attempting privilege escalation through PPID spoofing.
- Collecting the PPID as a possible data point to help with the observability of a system.

Users will still be able to capture the PPID in the `process.parent.pid` field. Having one single field available should help improve the experience for anyone trying to capture PPIDs from their events.

`process.ppid` is actively populated across several data sources:

- APM Server and agents
- Beats modules
- Beats `add_process_metadata` processor
- Elastic Agent integration packages

APM, Beats, Elastic Agent, and any processors that populate `process.ppid` today will need to be identified, and a migration plan to `process.parent.pid` established.

The security detection rules repo will need to be audited. Any usage of `process.ppid` should ideally migrate to `process.parent.pid`.

Since capturing the PPID is useful across the solutions, it will take coordination to completely eliminate its use before removing it from ECS. Field aliases might be of some use to alleviate some pain during the migration for any aggregations or visualizations relying on `process.ppid`.

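The following is an added example of how a shipper or ingest step could carry out this migration; it is not code from the RFC or from any Elastic project. It shows an Elasticsearch mapping fragment that declares `process.ppid` as an alias of `process.parent.pid` (so existing queries and aggregations keep working), and a normalization routine that moves legacy `process.ppid` values into `process.parent.pid` before indexing. The event documents and the mapping are constructed for illustration; the function name `normalize_ppid` and the `ppid_conflict` tag are assumptions of this example.

```python
"""Event normalization for the process.ppid -> process.parent.pid migration.

Added example, not part of the ECS RFC or any Elastic project code. The
mapping fragment and the events are constructed for illustration.
"""
from __future__ import annotations

from typing import Any

# Elasticsearch mapping fragment (constructed): keeps `process.ppid` queryable
# during the migration by declaring it as an alias of `process.parent.pid`.
# Alias fields are read-only, so documents must carry the value under the
# target path; that is what normalize_ppid() below ensures.
PPID_ALIAS_MAPPING: dict[str, Any] = {
    "properties": {
        "process": {
            "properties": {
                "parent": {"properties": {"pid": {"type": "long"}}},
                "ppid": {"type": "alias", "path": "process.parent.pid"},
            }
        }
    }
}


def normalize_ppid(event: dict[str, Any]) -> dict[str, Any]:
    """Move a legacy `process.ppid` value into `process.parent.pid`.

    - Only `process.ppid` set: it is moved to `process.parent.pid`.
    - Both set and equal: the redundant `process.ppid` is dropped.
    - Both set and different: the event is left untouched and tagged
      `ppid_conflict` (an assumed tag name) so the disagreement is
      reviewed rather than silently resolved.
    The event dict is modified in place and returned.
    """
    process = event.get("process")
    if not isinstance(process, dict) or "ppid" not in process:
        return event

    ppid = process["ppid"]
    parent = process.get("parent")
    if not isinstance(parent, dict):
        parent = {}
        process["parent"] = parent

    if "pid" not in parent:
        parent["pid"] = ppid
        del process["ppid"]
    elif parent["pid"] == ppid:
        del process["ppid"]
    else:
        event.setdefault("tags", []).append("ppid_conflict")
    return event


if __name__ == "__main__":
    # Constructed sample events covering each branch.
    samples = [
        {"process": {"pid": 4242, "ppid": 1}},
        {"process": {"pid": 4243, "ppid": 1, "parent": {"pid": 1}}},
        {"process": {"pid": 4244, "ppid": 1, "parent": {"pid": 999}}},
    ]
    for sample in samples:
        print(normalize_ppid(sample))
```

The conflict branch is the case the RFC's duplication concern is about: once two sources can disagree, an ingest pipeline should surface that rather than pick one value, since a parent PID that does not match the process tree is exactly the signal a PPID-spoofing detection would look for.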
The following are the people that consulted on the contents of this RFC.

- @ebeahan | author

- Stage 0: elastic#1337