Process Object
The process object describes the operating system process that pertains to the event.
| Name | Attribute | Requirement | Type | Description | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Application NameЕxt | app_name | Optional | String | A label that may be associated with this process, for example, the name of the containment sandbox assigned to the process or, for login detection events, the login application (ssh, telnet, sql server, etc.) | ||||||||||||||||||||||||
| Application IDЕxt | app_uid | Optional | String | The identifier of the application that may be associated with this process | ||||||||||||||||||||||||
| Application VersionЕxt | app_ver | Optional | String | The version of the application that may be associated with this process | ||||||||||||||||||||||||
| Command LineЕxt | cmd_line | Recommended | String | The command line used to launch the startup application, service, process or job. | ||||||||||||||||||||||||
| File | file | Recommended | File | The process file object. | ||||||||||||||||||||||||
| Integrity LevelЕxt | integrity_id | Optional | Integer | The process integrity level (Windows only).
|
||||||||||||||||||||||||
| LineageЕxt | lineage | Optional | String Array | The lineage of the actor process. | ||||||||||||||||||||||||
| Loaded ModulesЕxt | loaded_modules | Optional | String Array | The list of loaded module names. | ||||||||||||||||||||||||
| ModuleЕxt | module | Optional | Module | The module (dll) that is associated with the event. | ||||||||||||||||||||||||
| Normalized Command LineЕxt | normalized_cmd_line | Optional | String | The CSIDL normalized command line used to launch the startup application, service, process or job (Windows only). | ||||||||||||||||||||||||
| Process ID | pid | Recommended | Integer | The process identifier, as reported by the operating system. | ||||||||||||||||||||||||
| SandboxЕxt | sandbox_name | Optional | String | The name of the containment jail (sandbox) assigned by the policy to this process/module. | ||||||||||||||||||||||||
| SessionЕxt | session | Optional | Session | The user session from which the process was launched. | ||||||||||||||||||||||||
| Session IDЕxt | session_id | Optional | Integer | The user session ID from which the process was launched. | ||||||||||||||||||||||||
| Start TimeЕxt | start_time | Recommended | Datetime | The time that the process started. Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC. |
||||||||||||||||||||||||
| Thread ID | tid | Recommended | Integer | The Identifier of the thread associated with the event, as returned by the operating system. | ||||||||||||||||||||||||
| Process Unique IDЕxt | uid | Optional | String | The unique identifier of the process. | ||||||||||||||||||||||||
| User | user | Recommended | User | The user that has launched the process. | ||||||||||||||||||||||||
| Extended AttributesЕxt | xattributes | Optional | JSON | An unordered collection of zero or more name/value pairs that represent a process extended attribute. |