[New Rule] Suspicious Elastic Endpoint Parent Process

## Description

Masquerading as Elastic Endpoint Processes is a defense option (e.g. via Process Hollowing or RunPE where binary path and file system details are identical) that may bring some behavior detection or prevention advantages to an attacker. This rule looks for suspicious parent processes.

![image](https://user-images.githubusercontent.com/64742097/91034902-08cbfd00-e606-11ea-9314-c9b82a59de8d.png)


## Required Info

- **Eventing Sources:**


- **Target Operating Systems:**


- **Platforms**


- **Target ECS Version:** x.x.x
- **New fields required in ECS for this?**
- **Related issues or PRs**

## Optional Info
- **References:**



## Example Data

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[New Rule] Suspicious Elastic Endpoint Parent Process #213

Description

Required Info

Optional Info

Example Data

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[New Rule] Suspicious Elastic Endpoint Parent Process #213

Description

Description

Required Info

Optional Info

Example Data

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions