[Jamf Protect] Adding process.parent.entity_id ECS mapping (#9577)

* Adding parent.process.entity_id ECS mapping

---------

Co-authored-by: Krishna Chaitanya Reddy Burri <krish.reddy91@gmail.com>

packages/jamf_protect/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+  changes:
+    - description: Adding parent.process_entity_id.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9577
 - version: "0.1.0"
   changes:
     - description: Initial release of Jamf Protect integration for Elastic.

packages/jamf_protect/data_stream/alerts/_dev/test/pipeline/test-jamf-protect-alerts-sample-logs.log-expected.json

@@ -203,6 +203,7 @@
                         "status": "No error.",
                         "team_id": "483DWKW443"
                     },
+                    "entity_id": "a382cfda-8964-4388-8c19-49d4eaef2ae7",
                     "executable": "/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher",
                     "name": "jamfRemoteAssistLauncher",
                     "pid": 3099,
@@ -348,6 +349,7 @@
                         "signing_id": "com.apple.zsh",
                         "status": "No error."
                     },
+                    "entity_id": "8afa3e04-ab59-48f1-87fa-bd42b2b1e71c",
                     "executable": "/bin/zsh",
                     "name": "zsh",
                     "pid": 4204,

packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml

@@ -307,6 +307,7 @@ processors:
                 ctx.process.parent.name = parentProcess.name;
                 ctx.process.parent.pid = parentProcess.pid;
                 ctx.process.parent.executable = parentProcess.path;
+                ctx.process.parent.entity_id = parentProcess.uuid;
 
                 if (parentProcess.containsKey('startTimestamp')) {
                     ctx.process.parent.start = Instant.ofEpochSecond(parentProcess.startTimestamp).toString();

packages/jamf_protect/data_stream/alerts/fields/ecs.yml

@@ -238,6 +238,8 @@
   name: process.parent.name
 - external: ecs
   name: process.parent.executable
+- external: ecs
+  name: process.parent.entity_id
 - external: ecs
   name: process.parent.start
 - external: ecs

packages/jamf_protect/docs/README.md

@@ -314,6 +314,7 @@ An example event for `alerts` looks as following:
 | process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
 | process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
 | process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
 | process.parent.executable | Absolute path to the process executable. | keyword |
 | process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
 | process.parent.name | Process name. Sometimes called program name or similar. | keyword |

packages/jamf_protect/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: jamf_protect
 title: Jamf Protect
-version: "0.1.0"
+version: "0.2.0"
 description: Receives events from Jamf Protect with Elastic Agent.
 type: integration
 categories: