fibratus
Implement `ancestor_of` and `descendant_of` process ancestry functions
These functions would let us build filters that evaluate process relationships. The `ancestor_of` function returns the parent of the process that is executing the kernel event. For example, `ancestor_of('cmd.exe')` would match all events where the process that generated them is the parent of the `cmd.exe` process. Conversely, the `descendant_of` function evaluates whether the process is a child of the process associated with the current event. For example, `descendant_of('cmd.exe')` would match all events where the `cmd.exe` process is the parent process.
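As an added illustration, not fibratus' own code, here is a Go sketch of how the two predicates could be evaluated against a snapshot of the process tree, following the semantics given above; the `Proc` and `ProcTree` types and the sample tree are constructed for this example, and the parent walk is bounded so a missing or cyclic parent entry cannot hang the filter.

```go
package main

import "fmt"

// Proc and ProcTree: a minimal process record and PID-keyed snapshot (hypothetical shapes, not fibratus' own).
type Proc struct {
	PID, PPID uint32
	Name      string
}
type ProcTree map[uint32]Proc

// ancestors visits each ancestor of pid (pid itself excluded) until visit returns true;
// seen bounds the walk so a missing, self-parented or cyclic entry cannot loop forever.
func (t ProcTree) ancestors(pid uint32, visit func(Proc) bool) bool {
	seen := map[uint32]bool{}
	for p, ok := t[pid]; ok && !seen[p.PID]; p, ok = t[p.PPID] {
		seen[p.PID] = true
		if p.PID != pid && visit(p) {
			return true
		}
	}
	return false
}

// DescendantOf is descendant_of('name') for the event's process: some ancestor of evtPID is named name.
func (t ProcTree) DescendantOf(evtPID uint32, name string) bool {
	return t.ancestors(evtPID, func(p Proc) bool { return p.Name == name })
}

// AncestorOf is ancestor_of('name') for the event's process: evtPID is an ancestor of some process named name.
func (t ProcTree) AncestorOf(evtPID uint32, name string) bool {
	for _, p := range t { // image names are not unique, so every matching process is checked
		if p.Name == name && t.ancestors(p.PID, func(a Proc) bool { return a.PID == evtPID }) {
			return true
		}
	}
	return false
}

// SampleTree is constructed sample data, not captured telemetry.
var SampleTree = ProcTree{
	4:    {PID: 4, PPID: 0, Name: "System"},
	600:  {PID: 600, PPID: 4, Name: "explorer.exe"},
	1200: {PID: 1200, PPID: 600, Name: "cmd.exe"},
	1300: {PID: 1300, PPID: 1200, Name: "powershell.exe"},
}

func main() {
	fmt.Println(SampleTree.DescendantOf(1300, "cmd.exe"), SampleTree.AncestorOf(600, "cmd.exe")) // true true
}
```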