Merge remote-tracking branch 'origin/2.4/dev' into 2450soup

salt/elasticfleet/enabled.sls

@@ -18,7 +18,7 @@ include:
   - ssl
 
 # Wait for Elasticsearch to be ready - no reason to try running Elastic Fleet server if ES is not ready
-wait_for_elasticsearch:
+wait_for_elasticsearch_elasticfleet:
   cmd.run:
     - name: so-elasticsearch-wait
 

salt/soc/defaults.yaml

@@ -59,12 +59,18 @@ soc:
         target: _blank
         links:
           - 'https://www.virustotal.com/gui/search/{value}'
-      - name: Sublime Platform Email Review
+      - name: actionSublime
-        description: Review email in Sublime Platform
+        description: actionSublimeHelp
         icon: fa-external-link-alt
         target: _blank
         links:
           - 'https://{:sublime.url}/messages/{:sublime.message_group_id}' 
+      - name: actionProcessAncestors
+        description: actionProcessAncestorsHelp
+        icon: fa-people-roof
+        target: ''
+        links:
+          - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby event.module event.dataset | table soc_timestamp event.dataset user.name process.executable process.command_line process.working_directory'
     eventFields:
       default:
         - soc_timestamp