Process [25] object
The Process object describes a running instance of a launched program. Defined by D3FEND d3f:Process.
| Name | Caption | Requirement | Type | Description |
|---|---|---|---|---|
| auid | Audit User ID | Optional | Integer | The audit user assigned at login by the audit subsystem. |
| cmd_line | Command Line O | Recommended | String | The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used. |
| container | Container O | Recommended | Container | The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd. |
| created_time | Created Time | Recommended | Timestamp | The time when the process was created/started. |
| created_time_dt | Created Time | Optional | Datetime | The time when the process was created/started. |
| egid | Effective Group ID | Optional | Integer | The effective group under which this process is running. |
| euid | Effective User ID | Optional | Integer | The effective user under which this process is running. |
| file | File O | Recommended | File | The process file object. |
| group | Group | Recommended | Group | The group under which this process is running. |
| integrity | Integrity | Optional | String | The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only). This is the string sibling of enum attribute integrity_id. |
| integrity_id | Integrity Level | Optional | Integer | The normalized identifier of the process integrity level (Windows only). This is an enum attribute; its string sibling is integrity. |
| lineage | Lineage | Optional | String Array | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. |
| loaded_modules | Loaded Modules | Optional | String Array | The list of loaded module names. |
| name | Name O | Recommended | String | The friendly name of the process, for example: Notepad++. |
| namespace_pid | Namespace PID | Recommended | Integer | If running under a process namespace (such as in a container), the process identifier within that process namespace. |
| parent_process | Parent Process O | Recommended | Process | The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. |
| pid | Process ID O | Recommended (†) | Integer | The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
| sandbox | Sandbox | Optional | String | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. |
| session | Session | Optional | Session | The user session under which this process is running. |
| terminated_time | Terminated Time | Optional | Timestamp | The time when the process was terminated. |
| terminated_time_dt | Terminated Time | Optional | Datetime | The time when the process was terminated. |
| tid | Thread ID | Optional | Integer | The identifier of the thread associated with the event, as returned by the operating system. |
| uid | Unique ID | Recommended (†) | String | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. |
| user | User O | Recommended | User | The user under which this process is running. |
| xattributes | Extended Attributes | Optional | Object | An unordered collection of zero or more name/value pairs that represent a process extended attribute. |
Referenced By
- Authentication Class
  - Attribute: logon_process
- Memory Activity Class
  - Attribute: process
- Module Query Class
  - Attribute: process
- Network Connection Query Class
  - Attribute: process
- Process Activity Class
  - Attribute: process
- Process Query Class
  - Attribute: process
- Process Remediation Activity Class
  - Attribute: process
- Security Finding Class D
  - Attribute: process
- Actor Object
  - Attribute: process
- Evidence Artifacts Object
  - Attribute: process
- Process Object
  - Attribute: parent_process
Constraints
† At least one of these attributes must be present: pid, uid
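The following is an added example, not code from the OCSF project, showing how a producer might build a Process object from its own telemetry while honouring the rules stated above: the pid/uid constraint, the empty-string rule for cmd_line, the root-to-leaf lineage list, and the recommendation to populate parent_process only on the first object. The input record shape (pid, ppid, path, cmd_line, euid, created_time), the host-qualified uid scheme and the sample process table are all assumptions made for the example.

```python
"""Build and check OCSF Process objects from a constructed process table.

Added example; not code from the OCSF project. The input record shape and the
uid scheme are assumptions, not part of the schema.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any

# Constructed sample telemetry: a minimal process table as an endpoint sensor
# might report it (not real data). created_time is epoch milliseconds.
SAMPLE_TABLE: dict[int, dict[str, Any]] = {
    812: {"pid": 812, "ppid": 1, "path": "/usr/sbin/sshd",
          "cmd_line": "/usr/sbin/sshd -D", "euid": 0, "created_time": 1700000000000},
    4310: {"pid": 4310, "ppid": 812, "path": "/usr/bin/bash",
           "cmd_line": "-bash", "euid": 1000, "created_time": 1700000120000},
    4377: {"pid": 4377, "ppid": 4310, "path": "/usr/bin/whoami",
           "cmd_line": None, "euid": 1000, "created_time": 1700000125000},
}

HOST_ID = "host-01"  # assumed producer-specific component of the uid


def producer_uid(rec: dict[str, Any]) -> str:
    """Producer-assigned uid. PIDs are reused after a process exits, so the uid
    binds the pid to its start time and a host id to stay unique across reuse
    and reboots. This scheme is the example's own, not mandated by the schema."""
    return f"{HOST_ID}:{rec['pid']}:{rec['created_time']}"


def lineage(pid: int, table: dict[int, dict[str, Any]]) -> list[str]:
    """Executable paths from the oldest known ancestor down to the process itself,
    in the order of the table's example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']."""
    paths: list[str] = []
    seen: set[int] = set()
    cur = pid
    while cur in table and cur not in seen:  # `seen` guards against cyclic ppid data
        seen.add(cur)
        paths.append(table[cur]["path"])
        cur = table[cur]["ppid"]
    paths.reverse()
    return paths


def build_process(pid: int, table: dict[int, dict[str, Any]], *, with_parent: bool = True) -> dict[str, Any]:
    """Map one record to an OCSF Process object; the parent is attached one level deep only."""
    rec = table[pid]
    path = rec["path"]
    base_name = path.rsplit("/", 1)[-1]
    proc: dict[str, Any] = {
        "pid": rec["pid"],
        "uid": producer_uid(rec),
        # Schema rule: cmd_line is the empty string when unavailable, never null.
        "cmd_line": rec["cmd_line"] if rec["cmd_line"] is not None else "",
        "name": base_name,
        "file": {"path": path, "name": base_name},
        "euid": rec["euid"],
        "created_time": rec["created_time"],
        "created_time_dt": datetime.fromtimestamp(rec["created_time"] / 1000, tz=timezone.utc).isoformat(),
        "lineage": lineage(pid, table),
    }
    # Recommendation: populate parent_process only for the first process object,
    # so the parent is built with with_parent=False and nesting stops there.
    if with_parent and rec["ppid"] in table:
        proc["parent_process"] = build_process(rec["ppid"], table, with_parent=False)
    return proc


def validate_process(proc: dict[str, Any]) -> list[str]:
    """Check the rules this reference states; returns a list of violations (empty if clean)."""
    errors: list[str] = []
    if proc.get("pid") is None and proc.get("uid") is None:
        errors.append("constraint: at least one of pid, uid must be present")
    if "cmd_line" in proc and not isinstance(proc["cmd_line"], str):
        errors.append("cmd_line must be a string ('' when unavailable)")
    if "lineage" in proc and not all(isinstance(p, str) for p in proc["lineage"]):
        errors.append("lineage must be a String Array")
    parent = proc.get("parent_process")
    if isinstance(parent, dict):
        errors.extend("parent_process." + e for e in validate_process(parent))
        if "parent_process" in parent:
            errors.append("parent_process nested more than one level (not recommended)")
    return errors


if __name__ == "__main__":
    obj = build_process(4377, SAMPLE_TABLE)
    print(obj["lineage"], obj["parent_process"]["pid"], validate_process(obj))
```

The validator treats the pid/uid constraint as an error and the one-level parent_process guidance as a violation too, because a consumer that walks parent_process recursively has no bound on depth otherwise; a producer that wants deeper ancestry should use lineage instead.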
