These fields contain information about a process.
These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.
Constants
- PROCESS_ARGS - Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
- PROCESS_ARGS_COUNT - Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
- PROCESS_CODE_SIGNATURE_DIGEST_ALGORITHM - The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
- PROCESS_CODE_SIGNATURE_EXISTS - Boolean recording whether a signature is present.
- PROCESS_CODE_SIGNATURE_SIGNING_ID - The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
- PROCESS_CODE_SIGNATURE_STATUS - Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
- PROCESS_CODE_SIGNATURE_SUBJECT_NAME - Subject name of the code signer.
- PROCESS_CODE_SIGNATURE_TEAM_ID - The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
- PROCESS_CODE_SIGNATURE_TIMESTAMP - Date and time when the code signature was generated and signed.
- PROCESS_CODE_SIGNATURE_TRUSTED - Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
- PROCESS_CODE_SIGNATURE_VALID - Boolean recording whether the digital signature was verified against the binary content. Leave unpopulated if the certificate was unchecked.
- PROCESS_COMMAND_LINE - Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
- PROCESS_ELF_ARCHITECTURE - Machine architecture of the ELF file.
- PROCESS_ELF_BYTE_ORDER - Byte order (endianness) of the ELF file.
- PROCESS_ELF_CPU_TYPE - CPU type of the ELF file.
- PROCESS_ELF_CREATION_DATE - Extracted when possible from the file's metadata. Indicates when it was built or compiled. Note that it can be forged by malware authors.
- PROCESS_ELF_EXPORTS - List of exported element names and types.
- PROCESS_ELF_GO_IMPORTS - List of imported Go language element names and types.
- PROCESS_ELF_GO_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of Go imports.
- PROCESS_ELF_GO_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of Go imports.
- PROCESS_ELF_GO_IMPORT_HASH - A hash of the Go language imports in an ELF file, excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
- PROCESS_ELF_GO_STRIPPED - Set to true if the file is a Go executable that has had its symbols stripped or obfuscated, and false if it is an unobfuscated Go executable.
- PROCESS_ELF_HEADER_ABI_VERSION - Version of the ELF Application Binary Interface (ABI).
- PROCESS_ELF_HEADER_CLASS - Class of the ELF file (32-bit or 64-bit).
- PROCESS_ELF_HEADER_DATA - Data encoding of the ELF header (EI_DATA, i.e. little- or big-endian).
- PROCESS_ELF_HEADER_ENTRYPOINT - Entry point address from the ELF header.
- PROCESS_ELF_HEADER_OBJECT_VERSION - "0x1" for original ELF files.
- PROCESS_ELF_HEADER_OS_ABI - Operating-system ABI (EI_OSABI) the ELF file targets, e.g. System V or Linux.
- PROCESS_ELF_HEADER_TYPE - Object file type from the ELF header (e.g. executable, shared object, relocatable, core).
- PROCESS_ELF_HEADER_VERSION - Version of the ELF header.
- PROCESS_ELF_IMPORTS - List of imported element names and types.
- PROCESS_ELF_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of imported element names and types.
- PROCESS_ELF_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of imported element names and types.
- PROCESS_ELF_IMPORT_HASH - A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.
- PROCESS_ELF_SECTIONS - An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.
- PROCESS_ELF_SECTIONS_CHI2 - Chi-square probability distribution of the section.
- PROCESS_ELF_SECTIONS_ENTROPY - Shannon entropy calculation from the section.
- PROCESS_ELF_SECTIONS_FLAGS - Flags of the ELF section.
- PROCESS_ELF_SECTIONS_NAME - Name of the ELF section.
- PROCESS_ELF_SECTIONS_PHYSICAL_OFFSET - File offset of the ELF section.
- PROCESS_ELF_SECTIONS_PHYSICAL_SIZE - Physical (on-disk) size of the ELF section.
- PROCESS_ELF_SECTIONS_TYPE - Type of the ELF section.
- PROCESS_ELF_SECTIONS_VAR_ENTROPY - Variance for Shannon entropy calculation from the section.
- PROCESS_ELF_SECTIONS_VIRTUAL_ADDRESS - Virtual address of the ELF section.
- PROCESS_ELF_SECTIONS_VIRTUAL_SIZE - Virtual (in-memory) size of the ELF section.
- PROCESS_ELF_SEGMENTS - An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.
- PROCESS_ELF_SEGMENTS_SECTIONS - Sections contained in the ELF segment.
- PROCESS_ELF_SEGMENTS_TYPE - Type of the ELF segment.
- PROCESS_ELF_SHARED_LIBRARIES - List of shared libraries used by this ELF object.
- PROCESS_ELF_TELFHASH - telfhash symbol hash for the ELF file.
- PROCESS_END - The time the process ended.
- PROCESS_ENTITY_ID - Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- PROCESS_ENTRY_LEADER_ARGS - Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
- PROCESS_ENTRY_LEADER_ARGS_COUNT - Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
- PROCESS_ENTRY_LEADER_ATTESTED_GROUPS_NAME - Name of the group.
- PROCESS_ENTRY_LEADER_ATTESTED_USER_ID - Unique identifier of the user.
- PROCESS_ENTRY_LEADER_ATTESTED_USER_NAME - Short name or login of the user.
- PROCESS_ENTRY_LEADER_COMMAND_LINE - Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
- PROCESS_ENTRY_LEADER_ENTITY_ID - Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- PROCESS_ENTRY_LEADER_ENTRY_META_SOURCE_IP - IP address of the source (IPv4 or IPv6).
- PROCESS_ENTRY_LEADER_ENTRY_META_TYPE - The entry type for the entry session leader. Values include: init (e.g. systemd), sshd, ssm, kubelet, teleport, terminal, console. Note: This field is only set on process.session_leader.
- PROCESS_ENTRY_LEADER_EXECUTABLE - Absolute path to the process executable.
- PROCESS_ENTRY_LEADER_GROUP_ID - Unique identifier for the group on the system/platform.
- PROCESS_ENTRY_LEADER_GROUP_NAME - Name of the group.
- PROCESS_ENTRY_LEADER_INTERACTIVE - Whether the process is connected to an interactive shell. Process interactivity is inferred from the process's file descriptors: if the character device of the controlling TTY is the same device as stdin and stderr of the process, the process is considered interactive. Note: a non-interactive process can belong to an interactive session; it is simply one that does not have the controlling TTY open for reading on FD 0 (stdin) and for writing on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.
- PROCESS_ENTRY_LEADER_NAME - Process name. Sometimes called program name or similar.
- PROCESS_ENTRY_LEADER_PARENT_ENTITY_ID - Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- PROCESS_ENTRY_LEADER_PARENT_PID - Process id.
- PROCESS_ENTRY_LEADER_PARENT_SESSION_LEADER_ENTITY_ID - Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- PROCESS_ENTRY_LEADER_PARENT_SESSION_LEADER_PID - Process id.
- PROCESS_ENTRY_LEADER_PARENT_SESSION_LEADER_START - The time the process started.
- PROCESS_ENTRY_LEADER_PARENT_SESSION_LEADER_VPID - Virtual process id: the process id within a PID namespace. This is not necessarily unique across all processes on the host, but it is unique within the PID namespace the process exists in.
- PROCESS_ENTRY_LEADER_PARENT_START - The time the process started.
- PROCESS_ENTRY_LEADER_PARENT_VPID - Virtual process id: the process id within a PID namespace. This is not necessarily unique across all processes on the host, but it is unique within the PID namespace the process exists in.
- PROCESS_ENTRY_LEADER_PID - Process id.
- PROCESS_ENTRY_LEADER_REAL_GROUP_ID - Unique identifier for the group on the system/platform.
- PROCESS_ENTRY_LEADER_REAL_GROUP_NAME - Name of the group.
- PROCESS_ENTRY_LEADER_REAL_USER_ID - Unique identifier of the user.
- PROCESS_ENTRY_LEADER_REAL_USER_NAME - Short name or login of the user.
- PROCESS_ENTRY_LEADER_SAME_AS_PROCESS - This boolean is used to identify if a leader process is the same as the top level process. For example, if process.group_leader.same_as_process = true, the process event in question is the leader of its process group, and details under process.* (such as pid) are the same as under process.group_leader.*. The same applies to both process.session_leader and process.entry_leader. This field exists to the benefit of EQL and other rule engines, since it is not possible to compare equality between two fields in a single document, e.g. process.entity_id = process.group_leader.entity_id (top level process is the process group leader) OR process.entity_id = process.entry_leader.entity_id (top level process is the entry session leader). Instead these rules can be written as process.group_leader.same_as_process: true OR process.entry_leader.same_as_process: true. Note: This field is only set on process.entry_leader, process.session_leader and process.group_leader.
- PROCESS_ENTRY_LEADER_SAVED_GROUP_ID - Unique identifier for the group on the system/platform.
- PROCESS_ENTRY_LEADER_SAVED_GROUP_NAME - Name of the group.
- PROCESS_ENTRY_LEADER_SAVED_USER_ID - Unique identifier of the user.
- PROCESS_ENTRY_LEADER_SAVED_USER_NAME - Short name or login of the user.
- PROCESS_ENTRY_LEADER_START - The time the process started.
- PROCESS_ENTRY_LEADER_SUPPLEMENTAL_GROUPS_ID - Unique identifier for the group on the system/platform.
- PROCESS_ENTRY_LEADER_SUPPLEMENTAL_GROUPS_NAME - Name of the group.
- PROCESS_ENTRY_LEADER_TTY - Information about the controlling TTY device. If set, the process belongs to an interactive session.
- PROCESS_ENTRY_LEADER_TTY_CHAR_DEVICE_MAJOR - The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.
- PROCESS_ENTRY_LEADER_TTY_CHAR_DEVICE_MINOR - The minor number is used only by the driver specified by the major number; other parts of the kernel don't use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.
- PROCESS_ENTRY_LEADER_USER_ID - Unique identifier of the user.
- PROCESS_ENTRY_LEADER_USER_NAME - Short name or login of the user.
- PROCESS_ENTRY_LEADER_VPID - Virtual process id: the process id within a PID namespace. This is not necessarily unique across all processes on the host, but it is unique within the PID namespace the process exists in.
- PROCESS_ENTRY_LEADER_WORKING_DIRECTORY - The working directory of the process.
- PROCESS_ENV_VARS - Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. May be filtered to protect sensitive information.
- PROCESS_EXECUTABLE - Absolute path to the process executable.
- PROCESS_EXIT_CODE - The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
- PROCESS_GROUP_LEADER_ARGS - Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
- PROCESS_GROUP_LEADER_ARGS_COUNT - Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
- PROCESS_GROUP_LEADER_COMMAND_LINE - Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
- PROCESS_GROUP_LEADER_ENTITY_ID - Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- PROCESS_GROUP_LEADER_EXECUTABLE - Absolute path to the process executable.
- PROCESS_GROUP_LEADER_GROUP_ID - Unique identifier for the group on the system/platform.
- PROCESS_GROUP_LEADER_GROUP_NAME - Name of the group.
- PROCESS_GROUP_LEADER_INTERACTIVE - Whether the process is connected to an interactive shell. Process interactivity is inferred from the process's file descriptors: if the character device of the controlling TTY is the same device as stdin and stderr of the process, the process is considered interactive. Note: a non-interactive process can belong to an interactive session; it is simply one that does not have the controlling TTY open for reading on FD 0 (stdin) and for writing on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.
- PROCESS_GROUP_LEADER_NAME - Process name. Sometimes called program name or similar.
- PROCESS_GROUP_LEADER_PID - Process id.
- PROCESS_GROUP_LEADER_REAL_GROUP_ID - Unique identifier for the group on the system/platform.
- PROCESS_GROUP_LEADER_REAL_GROUP_NAME - Name of the group.
- PROCESS_GROUP_LEADER_REAL_USER_ID - Unique identifier of the user.
- PROCESS_GROUP_LEADER_REAL_USER_NAME - Short name or login of the user.
- PROCESS_GROUP_LEADER_SAME_AS_PROCESS - This boolean is used to identify if a leader process is the same as the top level process. For example, if process.group_leader.same_as_process = true, the process event in question is the leader of its process group, and details under process.* (such as pid) are the same as under process.group_leader.*. The same applies to both process.session_leader and process.entry_leader. This field exists to the benefit of EQL and other rule engines, since it is not possible to compare equality between two fields in a single document, e.g. process.entity_id = process.group_leader.entity_id (top level process is the process group leader) OR process.entity_id = process.entry_leader.entity_id (top level process is the entry session leader). Instead these rules can be written as process.group_leader.same_as_process: true OR process.entry_leader.same_as_process: true. Note: This field is only set on process.entry_leader, process.session_leader and process.group_leader.
- PROCESS_GROUP_LEADER_SAVED_GROUP_ID - Unique identifier for the group on the system/platform.
- PROCESS_GROUP_LEADER_SAVED_GROUP_NAME - Name of the group.
- PROCESS_GROUP_LEADER_SAVED_USER_ID - Unique identifier of the user.
- PROCESS_GROUP_LEADER_SAVED_USER_NAME - Short name or login of the user.
- PROCESS_GROUP_LEADER_START - The time the process started.
- PROCESS_GROUP_LEADER_SUPPLEMENTAL_GROUPS_ID - Unique identifier for the group on the system/platform.
- PROCESS_GROUP_LEADER_SUPPLEMENTAL_GROUPS_NAME - Name of the group.
- PROCESS_GROUP_LEADER_TTY - Information about the controlling TTY device. If set, the process belongs to an interactive session.
- PROCESS_GROUP_LEADER_TTY_CHAR_DEVICE_MAJOR - The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.
- PROCESS_GROUP_LEADER_TTY_CHAR_DEVICE_MINOR - The minor number is used only by the driver specified by the major number; other parts of the kernel don't use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.
- PROCESS_GROUP_LEADER_USER_ID - Unique identifier of the user.
- PROCESS_GROUP_LEADER_USER_NAME - Short name or login of the user.
- PROCESS_GROUP_LEADER_VPID - Virtual process id: the process id within a PID namespace. This is not necessarily unique across all processes on the host, but it is unique within the PID namespace the process exists in.
- PROCESS_GROUP_LEADER_WORKING_DIRECTORY - The working directory of the process.
- PROCESS_HASH_MD5 - MD5 hash.
- PROCESS_HASH_SHA1 - SHA1 hash.
- PROCESS_HASH_SHA256 - SHA256 hash.
- PROCESS_HASH_SHA384 - SHA384 hash.
- PROCESS_HASH_SHA512 - SHA512 hash.
- PROCESS_HASH_SSDEEP - SSDEEP hash.
- PROCESS_HASH_TLSH - TLSH hash.
- PROCESS_INTERACTIVE - Whether the process is connected to an interactive shell. Process interactivity is inferred from the process's file descriptors: if the character device of the controlling TTY is the same device as stdin and stderr of the process, the process is considered interactive. Note: a non-interactive process can belong to an interactive session; it is simply one that does not have the controlling TTY open for reading on FD 0 (stdin) and for writing on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.
- PROCESS_IO - A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input.
- PROCESS_IO_BYTES_SKIPPED - An array of byte offsets and lengths denoting where IO data has been skipped.
- PROCESS_IO_BYTES_SKIPPED_LENGTH - The number of bytes skipped.
- PROCESS_IO_BYTES_SKIPPED_OFFSET - The byte offset into this event's io.text (or io.bytes in the future) at which the skipped run of length bytes begins.
- PROCESS_IO_MAX_BYTES_PER_PROCESS_EXCEEDED - If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.
- PROCESS_IO_TEXT - A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.
- PROCESS_IO_TOTAL_BYTES_CAPTURED - The total number of bytes captured in this event.
- PROCESS_IO_TOTAL_BYTES_SKIPPED - The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero.
- PROCESS_IO_TYPE - The type of object on which the IO action (read or write) was taken. Currently only 'tty' is supported. Other types may be added in the future for 'file' and 'socket' support.
- PROCESS_MACHO_GO_IMPORTS - List of imported Go language element names and types.
- PROCESS_MACHO_GO_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of Go imports.
- PROCESS_MACHO_GO_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of Go imports.
- PROCESS_MACHO_GO_IMPORT_HASH - A hash of the Go language imports in a Mach-O file, excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
- PROCESS_MACHO_GO_STRIPPED - Set to true if the file is a Go executable that has had its symbols stripped or obfuscated, and false if it is an unobfuscated Go executable.
- PROCESS_MACHO_IMPORTS - List of imported element names and types.
- PROCESS_MACHO_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of imported element names and types.
- PROCESS_MACHO_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of imported element names and types.
- PROCESS_MACHO_IMPORT_HASH - A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.
- PROCESS_MACHO_SECTIONS - An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath macho.sections.*.
- PROCESS_MACHO_SECTIONS_ENTROPY - Shannon entropy calculation from the section.
- PROCESS_MACHO_SECTIONS_NAME - Name of the Mach-O section.
- PROCESS_MACHO_SECTIONS_PHYSICAL_SIZE - Physical (on-disk) size of the Mach-O section.
- PROCESS_MACHO_SECTIONS_VAR_ENTROPY - Variance for Shannon entropy calculation from the section.
- PROCESS_MACHO_SECTIONS_VIRTUAL_SIZE - Virtual (in-memory) size of the Mach-O section. This is always the same as physical_size.
- PROCESS_MACHO_SYMHASH - A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash.
- PROCESS_NAME - Process name. Sometimes called program name or similar.
- PROCESS_PARENT_ARGS - Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
- PROCESS_PARENT_ARGS_COUNT - Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
- PROCESS_PARENT_CODE_SIGNATURE_DIGEST_ALGORITHM - The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
- PROCESS_PARENT_CODE_SIGNATURE_EXISTS - Boolean recording whether a signature is present.
- PROCESS_PARENT_CODE_SIGNATURE_SIGNING_ID - The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
- PROCESS_PARENT_CODE_SIGNATURE_STATUS - Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
- PROCESS_PARENT_CODE_SIGNATURE_SUBJECT_NAME - Subject name of the code signer.
- PROCESS_PARENT_CODE_SIGNATURE_TEAM_ID - The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
- PROCESS_PARENT_CODE_SIGNATURE_TIMESTAMP - Date and time when the code signature was generated and signed.
- PROCESS_PARENT_CODE_SIGNATURE_TRUSTED - Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
- PROCESS_PARENT_CODE_SIGNATURE_VALID - Boolean recording whether the digital signature was verified against the binary content. Leave unpopulated if the certificate was unchecked.
- PROCESS_PARENT_COMMAND_LINE - Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
- PROCESS_PARENT_ELF_ARCHITECTURE - Machine architecture of the ELF file.
- PROCESS_PARENT_ELF_BYTE_ORDER - Byte order (endianness) of the ELF file.
- PROCESS_PARENT_ELF_CPU_TYPE - CPU type of the ELF file.
- PROCESS_PARENT_ELF_CREATION_DATE - Extracted when possible from the file's metadata. Indicates when it was built or compiled. Note that it can be forged by malware authors.
- PROCESS_PARENT_ELF_EXPORTS - List of exported element names and types.
- PROCESS_PARENT_ELF_GO_IMPORTS - List of imported Go language element names and types.
- PROCESS_PARENT_ELF_GO_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of Go imports.
- PROCESS_PARENT_ELF_GO_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of Go imports.
- PROCESS_PARENT_ELF_GO_IMPORT_HASH - A hash of the Go language imports in an ELF file, excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
- PROCESS_PARENT_ELF_GO_STRIPPED - Set to true if the file is a Go executable that has had its symbols stripped or obfuscated, and false if it is an unobfuscated Go executable.
- PROCESS_PARENT_ELF_HEADER_ABI_VERSION - Version of the ELF Application Binary Interface (ABI).
- PROCESS_PARENT_ELF_HEADER_CLASS - Class of the ELF file (32-bit or 64-bit).
- PROCESS_PARENT_ELF_HEADER_DATA - Data encoding of the ELF header (EI_DATA, i.e. little- or big-endian).
- PROCESS_PARENT_ELF_HEADER_ENTRYPOINT - Entry point address from the ELF header.
- PROCESS_PARENT_ELF_HEADER_OBJECT_VERSION - "0x1" for original ELF files.
- PROCESS_PARENT_ELF_HEADER_OS_ABI - Operating-system ABI (EI_OSABI) the ELF file targets, e.g. System V or Linux.
- PROCESS_PARENT_ELF_HEADER_TYPE - Object file type from the ELF header (e.g. executable, shared object, relocatable, core).
- PROCESS_PARENT_ELF_HEADER_VERSION - Version of the ELF header.
- PROCESS_PARENT_ELF_IMPORTS - List of imported element names and types.
- PROCESS_PARENT_ELF_IMPORTS_NAMES_ENTROPY - Shannon entropy calculation from the list of imported element names and types.
- PROCESS_PARENT_ELF_IMPORTS_NAMES_VAR_ENTROPY - Variance for Shannon entropy calculation from the list of imported element names and types.
- PROCESS_PARENT_ELF_IMPORT_HASH - A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.
- PROCESS_PARENT_ELF_SECTIONS - An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.
- PROCESS_PARENT_ELF_SECTIONS_CHI2 - Chi-square probability distribution of the section.
- PROCESS_PARENT_ELF_SECTIONS_ENTROPY - Shannon entropy calculation from the section.
- PROCESS_PARENT_ELF_SECTIONS_FLAGS - Flags of the ELF section.
- PROCESS_PARENT_ELF_SECTIONS_NAME - Name of the ELF section.
- PROCESS_PARENT_ELF_SECTIONS_PHYSICAL_OFFSET - File offset of the ELF section.
- PROCESS_PARENT_ELF_SECTIONS_PHYSICAL_SIZE - Physical (on-disk) size of the ELF section.
- PROCESS_PARENT_ELF_SECTIONS_TYPE - Type of the ELF section.
- PROCESS_PARENT_ELF_SECTIONS_VAR_ENTROPY - Variance for Shannon entropy calculation from the section.
- PROCESS_PARENT_ELF_SECTIONS_VIRTUAL_ADDRESS - Virtual address of the ELF section.
- PROCESS_PARENT_ELF_SECTIONS_VIRTUAL_SIZE - Virtual (in-memory) size of the ELF section.
- PROCESS_PARENT_ELF_SEGMENTS - An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.
- PROCESS_PARENT_ELF_SEGMENTS_SECTIONS - Sections contained in the ELF segment.
- PROCESS_PARENT_ELF_SEGMENTS_TYPE - Type of the ELF segment.
- PROCESS_PARENT_ELF_SHARED_LIBRARIES - List of shared libraries used by this ELF object.
- PROCESS_PARENT_ELF_TELFHASH - telfhash symbol hash for the ELF file.
- PROCESS_PARENT_END - The time the process ended.
- PROCESS_PARENT_ENTITY_ID - Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- PROCESS_PARENT_EXECUTABLE - Absolute path to the process executable.
- PROCESS_PARENT_EXIT_CODE - The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).
- PROCESS_PARENT_GROUP_ID - Unique identifier for the group on the system/platform.
- PROCESS_PARENT_GROUP_LEADER_ENTITY_ID - Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- PROCESS_PARENT_GROUP_LEADER_PID - Process id.
- PROCESS_PARENT_GROUP_LEADER_START - The time the process started.
- PROCESS_PARENT_GROUP_LEADER_VPID - Virtual process id: the process id within a PID namespace. This is not necessarily unique across all processes on the host, but it is unique within the PID namespace the process exists in.
- PROCESS_PARENT_GROUP_NAME - Name of the group.
- PROCESS_PARENT_HASH_MD5 - MD5 hash.
- PROCESS_PARENT_HASH_SHA1 - SHA1 hash.
- PROCESS_PARENT_HASH_SHA256 - SHA256 hash.
- PROCESS_PARENT_HASH_SHA384 - SHA384 hash.
- PROCESS_PARENT_HASH_SHA512 - SHA512 hash.
- PROCESS_PARENT_HASH_SSDEEP - SSDEEP hash.
- PROCESS_PARENT_HASH_TLSH - TLSH hash.
- PROCESS_PARENT_INTERACTIVE - Whether the process is connected to an interactive shell. Process interactivity is inferred from the process's file descriptors: if the character device of the controlling TTY is the same device as stdin and stderr of the process, the process is considered interactive. Note: a non-interactive process can belong to an interactive session; it is simply one that does not have the controlling TTY open for reading on FD 0 (stdin) and for writing on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.
- PROCESS_
PARENT_ MACHO_ GO_ IMPORTS - List of imported Go language element names and types.
- PROCESS_
PARENT_ MACHO_ GO_ IMPORTS_ NAMES_ ENTROPY - Shannon entropy calculation from the list of Go imports.
- PROCESS_
PARENT_ MACHO_ GO_ IMPORTS_ NAMES_ VAR_ ENTROPY - Variance for Shannon entropy calculation from the list of Go imports.
- PROCESS_
PARENT_ MACHO_ GO_ IMPORT_ HASH - A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
- PROCESS_
PARENT_ MACHO_ GO_ STRIPPED - Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
- PROCESS_
PARENT_ MACHO_ IMPORTS - List of imported element names and types.
- PROCESS_
PARENT_ MACHO_ IMPORTS_ NAMES_ ENTROPY - Shannon entropy calculation from the list of imported element names and types.
- PROCESS_
PARENT_ MACHO_ IMPORTS_ NAMES_ VAR_ ENTROPY - Variance for Shannon entropy calculation from the list of imported element names and types.
- PROCESS_
PARENT_ MACHO_ IMPORT_ HASH - A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.
- PROCESS_
PARENT_ MACHO_ SECTIONS - An array containing an object for each section of the Mach-O file.
The keys that should be present in these objects are defined by sub-fields underneath
macho.sections.*. - PROCESS_
PARENT_ MACHO_ SECTIONS_ ENTROPY - Shannon entropy calculation from the section.
- PROCESS_
PARENT_ MACHO_ SECTIONS_ NAME - Mach-O Section List name.
- PROCESS_
PARENT_ MACHO_ SECTIONS_ PHYSICAL_ SIZE - Mach-O Section List physical size.
- PROCESS_
PARENT_ MACHO_ SECTIONS_ VAR_ ENTROPY - Variance for Shannon entropy calculation from the section.
- PROCESS_
PARENT_ MACHO_ SECTIONS_ VIRTUAL_ SIZE - Mach-O Section List virtual size. This is always the same as
physical_size. - PROCESS_
PARENT_ MACHO_ SYMHASH - A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash
- PROCESS_
PARENT_ NAME - Process name. Sometimes called program name or similar.
- PROCESS_
PARENT_ PE_ ARCHITECTURE - CPU architecture target for the file.
- PROCESS_
PARENT_ PE_ COMPANY - Internal company name of the file, provided at compile-time.
- PROCESS_
PARENT_ PE_ DESCRIPTION - Internal description of the file, provided at compile-time.
- PROCESS_
PARENT_ PE_ FILE_ VERSION - Internal version of the file, provided at compile-time.
- PROCESS_
PARENT_ PE_ GO_ IMPORTS - List of imported Go language element names and types.
- PROCESS_
PARENT_ PE_ GO_ IMPORTS_ NAMES_ ENTROPY - Shannon entropy calculation from the list of Go imports.
- PROCESS_
PARENT_ PE_ GO_ IMPORTS_ NAMES_ VAR_ ENTROPY - Variance for Shannon entropy calculation from the list of Go imports.
- PROCESS_
PARENT_ PE_ GO_ IMPORT_ HASH - A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
- PROCESS_
PARENT_ PE_ GO_ STRIPPED - Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
- PROCESS_
PARENT_ PE_ IMPHASH - A hash of the imports in a PE file. An imphash – or import hash – can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
- PROCESS_
PARENT_ PE_ IMPORTS - List of imported element names and types.
- PROCESS_
PARENT_ PE_ IMPORTS_ NAMES_ ENTROPY - Shannon entropy calculation from the list of imported element names and types.
- PROCESS_
PARENT_ PE_ IMPORTS_ NAMES_ VAR_ ENTROPY - Variance for Shannon entropy calculation from the list of imported element names and types.
- PROCESS_
PARENT_ PE_ IMPORT_ HASH - A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.
- PROCESS_
PARENT_ PE_ ORIGINAL_ FILE_ NAME - Internal name of the file, provided at compile-time.
- PROCESS_
PARENT_ PE_ PEHASH - A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.
- PROCESS_
PARENT_ PE_ PRODUCT - Internal product name of the file, provided at compile-time.
- PROCESS_
PARENT_ PE_ SECTIONS - An array containing an object for each section of the PE file.
The keys that should be present in these objects are defined by sub-fields underneath
pe.sections.*. - PROCESS_
PARENT_ PE_ SECTIONS_ ENTROPY - Shannon entropy calculation from the section.
- PROCESS_
PARENT_ PE_ SECTIONS_ NAME - PE Section List name.
- PROCESS_
PARENT_ PE_ SECTIONS_ PHYSICAL_ SIZE - PE Section List physical size.
- PROCESS_
PARENT_ PE_ SECTIONS_ VAR_ ENTROPY - Variance for Shannon entropy calculation from the section.
- PROCESS_
PARENT_ PE_ SECTIONS_ VIRTUAL_ SIZE - PE Section List virtual size. This is always the same as
physical_size. - PROCESS_
PARENT_ PGID - Deprecated for removal in next major version release. This field is superseded by
process.group_leader.pid. Identifier of the group of processes the process belongs to. - PROCESS_
PARENT_ PID - Process id.
- PROCESS_
PARENT_ REAL_ GROUP_ ID - Unique identifier for the group on the system/platform.
- PROCESS_
PARENT_ REAL_ GROUP_ NAME - Name of the group.
- PROCESS_
PARENT_ REAL_ USER_ ID - Unique identifier of the user.
- PROCESS_
PARENT_ REAL_ USER_ NAME - Short name or login of the user.
- PROCESS_
PARENT_ SAVED_ GROUP_ ID - Unique identifier for the group on the system/platform.
- PROCESS_
PARENT_ SAVED_ GROUP_ NAME - Name of the group.
- PROCESS_
PARENT_ SAVED_ USER_ ID - Unique identifier of the user.
- PROCESS_
PARENT_ SAVED_ USER_ NAME - Short name or login of the user.
- PROCESS_
PARENT_ START - The time the process started.
- PROCESS_
PARENT_ SUPPLEMENTAL_ GROUPS_ ID - Unique identifier for the group on the system/platform.
- PROCESS_
PARENT_ SUPPLEMENTAL_ GROUPS_ NAME - Name of the group.
- PROCESS_
PARENT_ THREAD_ CAPABILITIES_ EFFECTIVE - This is the set of capabilities used by the kernel to perform permission checks for the thread.
- PROCESS_
PARENT_ THREAD_ CAPABILITIES_ PERMITTED - This is a limiting superset for the effective capabilities that the thread may assume.
- PROCESS_
PARENT_ THREAD_ ID - Thread ID.
- PROCESS_
PARENT_ THREAD_ NAME - Thread name.
- PROCESS_
PARENT_ TITLE - Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
- PROCESS_
PARENT_ TTY - Information about the controlling TTY device. If set, the process belongs to an interactive session.
- PROCESS_
PARENT_ TTY_ CHAR_ DEVICE_ MAJOR - The major number identifies the driver associated with the device. The character device’s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as “ttyS0” and “pts/0”. For more details, please refer to the Linux kernel documentation.
- PROCESS_
PARENT_ TTY_ CHAR_ DEVICE_ MINOR - The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.
- PROCESS_
PARENT_ UPTIME - Seconds the process has been up.
- PROCESS_
PARENT_ USER_ ID - Unique identifier of the user.
- PROCESS_
PARENT_ USER_ NAME - Short name or login of the user.
- PROCESS_
PARENT_ VPID - Virtual process id. The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
- PROCESS_
PARENT_ WORKING_ DIRECTORY - The working directory of the process.
- PROCESS_
PE_ ARCHITECTURE - CPU architecture target for the file.
- PROCESS_
PE_ COMPANY - Internal company name of the file, provided at compile-time.
- PROCESS_
PE_ DESCRIPTION - Internal description of the file, provided at compile-time.
- PROCESS_
PE_ FILE_ VERSION - Internal version of the file, provided at compile-time.
- PROCESS_
PE_ GO_ IMPORTS - List of imported Go language element names and types.
- PROCESS_
PE_ GO_ IMPORTS_ NAMES_ ENTROPY - Shannon entropy calculation from the list of Go imports.
- PROCESS_
PE_ GO_ IMPORTS_ NAMES_ VAR_ ENTROPY - Variance for Shannon entropy calculation from the list of Go imports.
- PROCESS_
PE_ GO_ IMPORT_ HASH - A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
- PROCESS_
PE_ GO_ STRIPPED - Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
- PROCESS_
PE_ IMPHASH - A hash of the imports in a PE file. An imphash – or import hash – can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
- PROCESS_
PE_ IMPORTS - List of imported element names and types.
- PROCESS_
PE_ IMPORTS_ NAMES_ ENTROPY - Shannon entropy calculation from the list of imported element names and types.
- PROCESS_
PE_ IMPORTS_ NAMES_ VAR_ ENTROPY - Variance for Shannon entropy calculation from the list of imported element names and types.
- PROCESS_
PE_ IMPORT_ HASH - A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.
- PROCESS_
PE_ ORIGINAL_ FILE_ NAME - Internal name of the file, provided at compile-time.
- PROCESS_
PE_ PEHASH - A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.
- PROCESS_
PE_ PRODUCT - Internal product name of the file, provided at compile-time.
- PROCESS_
PE_ SECTIONS - An array containing an object for each section of the PE file.
The keys that should be present in these objects are defined by sub-fields underneath
pe.sections.*. - PROCESS_
PE_ SECTIONS_ ENTROPY - Shannon entropy calculation from the section.
- PROCESS_
PE_ SECTIONS_ NAME - PE Section List name.
- PROCESS_
PE_ SECTIONS_ PHYSICAL_ SIZE - PE Section List physical size.
- PROCESS_
PE_ SECTIONS_ VAR_ ENTROPY - Variance for Shannon entropy calculation from the section.
- PROCESS_
PE_ SECTIONS_ VIRTUAL_ SIZE - PE Section List virtual size. This is always the same as
physical_size. - PROCESS_
PGID - Deprecated for removal in next major version release. This field is superseded by
process.group_leader.pid. Identifier of the group of processes the process belongs to. - PROCESS_
PID - Process id.
- PROCESS_
PREVIOUS_ ARGS - Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
- PROCESS_
PREVIOUS_ ARGS_ COUNT - Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
- PROCESS_
PREVIOUS_ EXECUTABLE - Absolute path to the process executable.
- PROCESS_
REAL_ GROUP_ ID - Unique identifier for the group on the system/platform.
- PROCESS_
REAL_ GROUP_ NAME - Name of the group.
- PROCESS_
REAL_ USER_ ID - Unique identifier of the user.
- PROCESS_
REAL_ USER_ NAME - Short name or login of the user.
- PROCESS_
SAVED_ GROUP_ ID - Unique identifier for the group on the system/platform.
- PROCESS_
SAVED_ GROUP_ NAME - Name of the group.
- PROCESS_
SAVED_ USER_ ID - Unique identifier of the user.
- PROCESS_
SAVED_ USER_ NAME - Short name or login of the user.
- PROCESS_
SESSION_ LEADER_ ARGS - Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
- PROCESS_
SESSION_ LEADER_ ARGS_ COUNT - Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
- PROCESS_
SESSION_ LEADER_ COMMAND_ LINE - Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.
- PROCESS_
SESSION_ LEADER_ ENTITY_ ID - Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- PROCESS_
SESSION_ LEADER_ EXECUTABLE - Absolute path to the process executable.
- PROCESS_
SESSION_ LEADER_ GROUP_ ID - Unique identifier for the group on the system/platform.
- PROCESS_
SESSION_ LEADER_ GROUP_ NAME - Name of the group.
- PROCESS_
SESSION_ LEADER_ INTERACTIVE - Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.
- PROCESS_
SESSION_ LEADER_ NAME - Process name. Sometimes called program name or similar.
- PROCESS_
SESSION_ LEADER_ PARENT_ ENTITY_ ID - Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- PROCESS_
SESSION_ LEADER_ PARENT_ PID - Process id.
- PROCESS_
SESSION_ LEADER_ PARENT_ SESSION_ LEADER_ ENTITY_ ID - Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- PROCESS_
SESSION_ LEADER_ PARENT_ SESSION_ LEADER_ PID - Process id.
- PROCESS_
SESSION_ LEADER_ PARENT_ SESSION_ LEADER_ START - The time the process started.
- PROCESS_
SESSION_ LEADER_ PARENT_ SESSION_ LEADER_ VPID - Virtual process id. The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
- PROCESS_
SESSION_ LEADER_ PARENT_ START - The time the process started.
- PROCESS_
SESSION_ LEADER_ PARENT_ VPID - Virtual process id. The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
- PROCESS_
SESSION_ LEADER_ PID - Process id.
- PROCESS_
SESSION_ LEADER_ REAL_ GROUP_ ID - Unique identifier for the group on the system/platform.
- PROCESS_
SESSION_ LEADER_ REAL_ GROUP_ NAME - Name of the group.
- PROCESS_
SESSION_ LEADER_ REAL_ USER_ ID - Unique identifier of the user.
- PROCESS_
SESSION_ LEADER_ REAL_ USER_ NAME - Short name or login of the user.
- PROCESS_
SESSION_ LEADER_ SAME_ AS_ PROCESS - This boolean is used to identify if a leader process is the same as the top level process.
For example, if
process.group_leader.same_as_process = true, it means the process event in question is the leader of its process group. Details underprocess.*likepidwould be the same underprocess.group_leader.*The same applies for bothprocess.session_leaderandprocess.entry_leader. This field exists to the benefit of EQL and other rule engines since it’s not possible to compare equality between two fields in a single document. e.gprocess.entity_id=process.group_leader.entity_id(top level process is the process group leader) ORprocess.entity_id=process.entry_leader.entity_id(top level process is the entry session leader) Instead these rules could be written like:process.group_leader.same_as_process: trueORprocess.entry_leader.same_as_process: trueNote: This field is only set onprocess.entry_leader,process.session_leaderandprocess.group_leader. - PROCESS_
SESSION_ LEADER_ SAVED_ GROUP_ ID - Unique identifier for the group on the system/platform.
- PROCESS_
SESSION_ LEADER_ SAVED_ GROUP_ NAME - Name of the group.
- PROCESS_
SESSION_ LEADER_ SAVED_ USER_ ID - Unique identifier of the user.
- PROCESS_
SESSION_ LEADER_ SAVED_ USER_ NAME - Short name or login of the user.
- PROCESS_
SESSION_ LEADER_ START - The time the process started.
- PROCESS_
SESSION_ LEADER_ SUPPLEMENTAL_ GROUPS_ ID - Unique identifier for the group on the system/platform.
- PROCESS_
SESSION_ LEADER_ SUPPLEMENTAL_ GROUPS_ NAME - Name of the group.
- PROCESS_
SESSION_ LEADER_ TTY - Information about the controlling TTY device. If set, the process belongs to an interactive session.
- PROCESS_
SESSION_ LEADER_ TTY_ CHAR_ DEVICE_ MAJOR - The major number identifies the driver associated with the device. The character device’s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as “ttyS0” and “pts/0”. For more details, please refer to the Linux kernel documentation.
- PROCESS_
SESSION_ LEADER_ TTY_ CHAR_ DEVICE_ MINOR - The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.
- PROCESS_
SESSION_ LEADER_ USER_ ID - Unique identifier of the user.
- PROCESS_
SESSION_ LEADER_ USER_ NAME - Short name or login of the user.
- PROCESS_
SESSION_ LEADER_ VPID - Virtual process id. The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
- PROCESS_
SESSION_ LEADER_ WORKING_ DIRECTORY - The working directory of the process.
- PROCESS_
START - The time the process started.
- PROCESS_
SUPPLEMENTAL_ GROUPS_ ID - Unique identifier for the group on the system/platform.
- PROCESS_
SUPPLEMENTAL_ GROUPS_ NAME - Name of the group.
- PROCESS_
THREAD_ CAPABILITIES_ EFFECTIVE - This is the set of capabilities used by the kernel to perform permission checks for the thread.
- PROCESS_
THREAD_ CAPABILITIES_ PERMITTED - This is a limiting superset for the effective capabilities that the thread may assume.
- PROCESS_
THREAD_ ID - Thread ID.
- PROCESS_
THREAD_ NAME - Thread name.
- PROCESS_
TITLE - Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
- PROCESS_
TTY - Information about the controlling TTY device. If set, the process belongs to an interactive session.
- PROCESS_
TTY_ CHAR_ DEVICE_ MAJOR - The major number identifies the driver associated with the device. The character device’s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as “ttyS0” and “pts/0”. For more details, please refer to the Linux kernel documentation.
- PROCESS_
TTY_ CHAR_ DEVICE_ MINOR - The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.
- PROCESS_
TTY_ COLUMNS - The number of character columns per line. e.g terminal width Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = ‘text_output’
- PROCESS_
TTY_ ROWS - The number of character rows in the terminal. e.g terminal height Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = ‘text_output’
- PROCESS_
UPTIME - Seconds the process has been up.
- PROCESS_
USER_ ID - Unique identifier of the user.
- PROCESS_
USER_ NAME - Short name or login of the user.
- PROCESS_
VPID - Virtual process id. The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
- PROCESS_
WORKING_ DIRECTORY - The working directory of the process.