Describe the enhancement:
Currently, exceptions for Elastic Defend modules can only use the fields that the corresponding alert has present. Parent process information is available and can therefore be used to create exceptions based on process chains.
Describe a specific use case for the enhancement or feature:
There are cases where Process A, as a child of Process B, is detected as malicious. In this isolated view that could be reasonable, but the chain is executed by Process C as the parent of Process B, and Process C is legitimate, making the whole chain legitimate. While hunting or analyzing events this may be visible, but since the agent itself has no awareness of ancestor processes further up the chain, they cannot be used to create Rule Exceptions.
Since Rule Exceptions for Elastic Defend work directly on the agent, I added this here.
What is the definition of done?
Grandparent (and, in the best case, great-grandparent) processes of a process/event detected, blocked and reported by Elastic Defend on the endpoint are available in the alert data and can therefore be used to create Elastic Defend exceptions.