
The Process object describes a running instance of a launched program.

  • Extends: process_entity

cmd_line

  • Type: string_t
  • Requirement: recommended

The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used.

container

The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

cpid

  • Type: uuid_t
  • Requirement: recommended

A unique process identifier that can be assigned deterministically by multiple system data producers.

created_time

  • Type: timestamp_t
  • Requirement: recommended

The time when the process was created/started.

file

  • Type: file
  • Requirement: recommended

The process file object.

group

  • Type: group
  • Requirement: recommended

The group under which this process is running.

name

  • Type: process_name_t
  • Requirement: recommended

The friendly name of the process, for example: Notepad++.

namespace_pid

  • Type: integer_t
  • Requirement: recommended

If running under a process namespace (such as in a container), the process identifier within that process namespace.

parent_process

  • Type: process
  • Requirement: recommended

The parent process of this process object. It is recommended to only populate this field for the top-level process object, to prevent deep nesting. Additional ancestry information can be supplied in the ancestry attribute.

pid

  • Type: integer_t
  • Requirement: recommended

The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. Note that a PID is only unique among processes that are alive at the same time; operating systems reuse PIDs after a process exits, so pid alone does not identify a process across time. Combine it with created_time, or use uid or cpid, when correlating events.

uid

  • Type: string_t
  • Requirement: recommended

A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.

user

  • Type: user
  • Requirement: recommended

The user under which this process is running.

ancestry

An array of Process Entities describing the extended parentage of this process object. Direct parent information should be expressed through the parent_process attribute. The first array element is the direct parent of this process object. Subsequent list elements go up the process parentage hierarchy. That is, the array is sorted from newest to oldest process. It is recommended to only populate this field for the top-level process object.

auid linux

  • Type: integer_t
  • Requirement: optional

The audit user assigned at login by the audit subsystem.

created_time_dt

  • Type: datetime_t
  • Requirement: optional

The time when the process was created/started.

egid linux

  • Type: integer_t
  • Requirement: optional

The effective group under which this process is running.

environment_variables

Environment variables associated with the process.

euid linux

  • Type: integer_t
  • Requirement: optional

The effective user under which this process is running.

hosted_services win

The Windows services that this process is hosting.

integrity

  • Type: string_t
  • Requirement: optional

The process integrity level, normalized to the caption of the integrity_id value. In the case of ‘Other’, it is defined by the event source (Windows only).

integrity_id

  • Type: integer_t
  • Requirement: optional
  • Values:
    • 0 - Unknown: The integrity level is unknown.
    • 1 - Untrusted
    • 2 - Low
    • 3 - Medium
    • 4 - High
    • 5 - System
    • 6 - Protected
    • 99 - Other: The integrity level is not mapped. See the integrity attribute, which contains a data source specific value.

The normalized identifier of the process integrity level (Windows only).

lineage

  • Type: file_path_t
  • Requirement: optional

The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'].

loaded_modules

  • Type: string_t
  • Requirement: optional

The list of loaded module names.

path

  • Type: string_t
  • Requirement: optional

The process file path.

ptid

  • Type: long_t
  • Requirement: optional

The identifier of the process thread associated with the event, as returned by the operating system.

sandbox

  • Type: string_t
  • Requirement: optional

The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.

session

  • Type: session
  • Requirement: optional

The user session under which this process is running.

terminated_time

  • Type: timestamp_t
  • Requirement: optional

The time when the process was terminated.

terminated_time_dt

  • Type: datetime_t
  • Requirement: optional

The time when the process was terminated.

tid

  • Type: integer_t
  • Requirement: optional

The identifier of the thread associated with the event, as returned by the operating system.

working_directory

  • Type: string_t
  • Requirement: optional

The working directory of a process.

xattributes

  • Type: object
  • Requirement: optional

An unordered collection of zero or more name/value pairs that represent a process extended attribute.

At least one of: pid, uid, cpid
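The following is an added example, not code from the OCSF project or from this page. It shows how a producer would assemble a Process object that honours the rules documented above: the empty-string rule for cmd_line, parent_process populated only on the top-level object with ancestry ordered newest to oldest, lineage as a list of ancestor paths, integrity normalized to the caption of integrity_id with the source value preserved for 'Other', and the "at least one of pid, uid, cpid" constraint. The raw record shape (`SAMPLE_RAW`, `SAMPLE_CHAIN`), the PIDs and timestamps, and the Windows integrity label spellings are constructed assumptions for illustration; only the OCSF attribute names and the integrity_id enumeration come from the page.

```python
"""Build and validate an OCSF Process object from a constructed raw record.

Added example, not part of the OCSF schema. Attribute names follow the
Process object documented above; the raw input shape is an assumption.
"""
from __future__ import annotations

# integrity_id enumeration exactly as documented for the Process object.
INTEGRITY_CAPTIONS = {
    0: "Unknown", 1: "Untrusted", 2: "Low", 3: "Medium",
    4: "High", 5: "System", 6: "Protected", 99: "Other",
}
# Lower-cased caption -> integrity_id (99/'Other' is never matched by label).
_LABEL_TO_ID = {v.lower(): k for k, v in INTEGRITY_CAPTIONS.items() if k != 99}


def normalize_integrity(source_label: str | None) -> tuple[int, str]:
    """Map a source-specific integrity label to (integrity_id, integrity).

    A label matching a known caption maps to its id and that caption. Any
    other label becomes 99 ('Other') and `integrity` keeps the raw source
    value, as the schema prescribes. No label at all means 0 ('Unknown').
    """
    if not source_label:
        return 0, INTEGRITY_CAPTIONS[0]
    ident = _LABEL_TO_ID.get(source_label.strip().lower())
    if ident is None:
        return 99, source_label
    return ident, INTEGRITY_CAPTIONS[ident]


def process_entity(rec: dict) -> dict:
    """Minimal process_entity used for the top-level object and ancestors."""
    ent = {
        "pid": rec["pid"],
        "name": rec["name"],
        "cmd_line": rec.get("cmd_line") or "",   # unavailable -> '' per schema
        "path": rec["path"],
    }
    if "uid" in rec:
        ent["uid"] = rec["uid"]
    return ent


def build_process(raw: dict, chain: list[dict]) -> dict:
    """Build the top-level Process object.

    `chain` lists ancestors newest-first (direct parent at index 0), which is
    the documented order for `ancestry`. parent_process is populated only on
    this top-level object and is never nested recursively.
    """
    proc = process_entity(raw)
    proc["created_time"] = raw["created_time"]
    if chain:
        proc["parent_process"] = process_entity(chain[0])
        proc["ancestry"] = [process_entity(a) for a in chain]
    # lineage runs from the oldest ancestor down to this process's own path.
    proc["lineage"] = [a["path"] for a in reversed(chain)] + [raw["path"]]
    if "integrity" in raw:
        proc["integrity_id"], proc["integrity"] = normalize_integrity(raw["integrity"])
    return proc


def validate(proc: dict) -> list[str]:
    """Return violations of the documented constraints (empty list means ok)."""
    errors = []
    if not any(k in proc for k in ("pid", "uid", "cpid")):
        errors.append("at least one of pid, uid, cpid is required")
    if "cmd_line" in proc and proc["cmd_line"] is None:
        errors.append("cmd_line must be '' when unavailable, not null")
    if "integrity_id" in proc:
        iid = proc["integrity_id"]
        if iid not in INTEGRITY_CAPTIONS:
            errors.append(f"integrity_id {iid} is not a defined value")
        elif iid != 99 and proc.get("integrity") != INTEGRITY_CAPTIONS[iid]:
            errors.append("integrity must equal the caption of integrity_id")
    if proc.get("ancestry") and proc.get("parent_process"):
        if proc["ancestry"][0].get("pid") != proc["parent_process"].get("pid"):
            errors.append("ancestry[0] must be the direct parent")
    return errors


# Constructed sample: whoami spawned by bash under sshd (paths taken from the
# page's lineage example; PIDs and timestamps are made up).
SAMPLE_RAW = {"pid": 4242, "name": "whoami", "path": "/usr/bin/whoami",
              "cmd_line": None, "created_time": 1700000000000}
SAMPLE_CHAIN = [
    {"pid": 4100, "name": "bash", "path": "/usr/bin/bash", "cmd_line": "-bash"},
    {"pid": 900, "name": "sshd", "path": "/usr/sbin/sshd",
     "cmd_line": "/usr/sbin/sshd -D"},
]

if __name__ == "__main__":
    p = build_process(SAMPLE_RAW, SAMPLE_CHAIN)
    print(p["lineage"], validate(p))
```

The validator is deliberately separate from the builder so it can be run over objects received from other producers; the integrity check in particular catches the common mistake of emitting a normalized id alongside an un-normalized label.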