#[non_exhaustive]
pub struct Process {
pub ancestry: Option<Vec<ProcessEntity>>,
pub auid: Option<i64>,
pub cmd_line: Option<String>,
pub container: Option<Box<Container>>,
pub cpid: Option<String>,
pub created_time: Option<i64>,
pub created_time_dt: Option<String>,
pub egid: Option<i64>,
pub environment_variables: Option<Vec<EnvironmentVariable>>,
pub euid: Option<i64>,
pub file: Option<Box<File>>,
pub group: Option<Box<Group>>,
pub hosted_services: Option<Vec<WinWinService>>,
pub integrity: Option<String>,
pub integrity_id: Option<i64>,
pub lineage: Option<Vec<String>>,
pub loaded_modules: Option<Vec<String>>,
pub name: Option<String>,
pub namespace_pid: Option<i64>,
pub parent_process: Option<Box<Process>>,
pub path: Option<String>,
pub pid: Option<i64>,
pub ptid: Option<i64>,
pub sandbox: Option<String>,
pub session: Option<Box<Session>>,
pub terminated_time: Option<i64>,
pub terminated_time_dt: Option<String>,
pub tid: Option<i64>,
pub uid: Option<String>,
pub user: Option<Box<User>>,
pub working_directory: Option<String>,
pub xattributes: Option<Value>,
}

Description
Process
Extends the process object to add Windows specific fields.
Category: | Name: process
Constraints:
- at_least_one:
[pid,uid,cpid]
Fields (Non-exhaustive)
This struct is marked as non-exhaustive. Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.

ancestry: Option<Vec<ProcessEntity>>
  Ancestry (optional)
  An array of Process Entities describing the extended parentage of this process object. Direct parent information should be expressed through the parent_process attribute. The first array element is the direct parent of this process object. Subsequent list elements go up the process parentage hierarchy. That is, the array is sorted from newest to oldest process. It is recommended to only populate this field for the top-level process object.

auid: Option<i64>
  Audit User ID (optional)
  The audit user assigned at login by the audit subsystem.

cmd_line: Option<String>
  Command Line (recommended)
  The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string ‘’ is to be used.

container: Option<Box<Container>>
  Container (recommended)
  The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

cpid: Option<String>
  Common Process Identifier (recommended)
  A unique process identifier that can be assigned deterministically by multiple system data producers.

created_time: Option<i64>
  Created Time (recommended)
  The time when the process was created/started.

created_time_dt: Option<String>
  Created Time (optional)
  The time when the process was created/started.

egid: Option<i64>
  Effective Group ID (optional)
  The effective group under which this process is running.

environment_variables: Option<Vec<EnvironmentVariable>>
  Environment Variables (optional)
  Environment variables associated with the process.

euid: Option<i64>
  Effective User ID (optional)
  The effective user under which this process is running.

file: Option<Box<File>>
  File (recommended)
  The process file object.

group: Option<Box<Group>>
  Group (recommended)
  The group under which this process is running.

hosted_services: Option<Vec<WinWinService>>
  Hosted Services (optional)
  The Windows services that this process is hosting.

integrity: Option<String>
  Integrity (optional)
  The process integrity level, normalized to the caption of the integrity_id value. In the case of ‘Other’, it is defined by the event source (Windows only).

integrity_id: Option<i64>
  Integrity Level (optional)
  The normalized identifier of the process integrity level (Windows only).

lineage: Option<Vec<String>>
  Lineage (optional)
  The lineage of the process, represented by a list of paths for each ancestor process. For example: [‘/usr/sbin/sshd’, ‘/usr/bin/bash’, ‘/usr/bin/whoami’].

loaded_modules: Option<Vec<String>>
  Loaded Modules (optional)
  The list of loaded module names.

name: Option<String>
  Name (recommended)
  The friendly name of the process, for example: Notepad++.

namespace_pid: Option<i64>
  Namespace PID (recommended)
  If running under a process namespace (such as in a container), the process identifier within that process namespace.

parent_process: Option<Box<Process>>
  Parent Process (recommended)
  The parent process of this process object. It is recommended to only populate this field for the top-level process object, to prevent deep nesting. Additional ancestry information can be supplied in the ancestry attribute.

path: Option<String>
  Path (optional)
  The process file path.

pid: Option<i64>
  Process ID (recommended)
  The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.

ptid: Option<i64>
  Process Thread ID (optional)
  The identifier of the process thread associated with the event, as returned by the operating system.

sandbox: Option<String>
  Sandbox (optional)
  The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.

session: Option<Box<Session>>
  Session (optional)
  The user session under which this process is running.

terminated_time: Option<i64>
  Terminated Time (optional)
  The time when the process was terminated.

terminated_time_dt: Option<String>
  Terminated Time (optional)
  The time when the process was terminated.

tid: Option<i64>
  Thread ID (optional)
  The identifier of the thread associated with the event, as returned by the operating system.

uid: Option<String>
  Unique ID (recommended)
  A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.

user: Option<Box<User>>
  User (recommended)
  The user under which this process is running.

working_directory: Option<String>
  Working Directory (optional)
  The working directory of a process.

xattributes: Option<Value>
  Extended Attributes (optional)
  An unordered collection of zero or more name/value pairs that represent a process extended attribute.
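An added example, not code from this page or from the crate it documents: it mirrors only the fields needed to enforce the at_least_one constraint on pid/uid/cpid and the newest-to-oldest ordering of ancestry, and derives lineage in the order the sshd/bash/whoami example above shows. AncestorRecord, ProcessRecord, validate and lineage_from_ancestry are hypothetical names, since the crate's own structs are non-exhaustive and cannot be built from outside it.

```rust
// Added example, not part of the documented crate: minimal stand-ins for the
// page's Process / ProcessEntity types (the real ones are #[non_exhaustive]).
#[derive(Debug, Default, Clone)]
pub struct AncestorRecord {
    pub created_time: Option<i64>,
    pub path: Option<String>,
}

#[derive(Debug, Default)]
pub struct ProcessRecord {
    pub pid: Option<i64>,
    pub uid: Option<String>,
    pub cpid: Option<String>,
    pub created_time: Option<i64>,
    pub path: Option<String>,
    pub ancestry: Option<Vec<AncestorRecord>>,
}

/// Returns the schema violations in a record so a producer can reject
/// malformed telemetry before it reaches correlation logic.
pub fn validate(p: &ProcessRecord) -> Vec<String> {
    let mut errs = Vec::new();
    // Constraint from the page: at_least_one of [pid, uid, cpid].
    if p.pid.is_none() && p.uid.is_none() && p.cpid.is_none() {
        errs.push("at_least_one: one of pid, uid, cpid must be set".to_string());
    }
    // ancestry is ordered newest to oldest, so no entry may have been
    // created after the process (or ancestor) it is the parent of.
    let mut newer = p.created_time;
    for (i, a) in p.ancestry.iter().flatten().enumerate() {
        if let (Some(t), Some(n)) = (a.created_time, newer) {
            if t > n {
                errs.push(format!("ancestry[{}] was created after its child", i));
            }
        }
        newer = a.created_time.or(newer);
    }
    errs
}

/// Rebuilds `lineage` (oldest first, this process last, matching the page's
/// sshd/bash/whoami example) from the newest-first `ancestry` list.
pub fn lineage_from_ancestry(p: &ProcessRecord) -> Vec<String> {
    let mut out: Vec<String> = p.ancestry.iter().flatten().rev()
        .filter_map(|a| a.path.clone()).collect();
    out.extend(p.path.clone());
    out
}
```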