The process object describes the operating system process that pertains to the event.
|A label that may be associated with this process, for example, the name of the containment sandbox assigned to the process or, for login detection events, the login application (ssh, telnet, sql server, etc.).
|The identifier of the application that may be associated with this process.
|The version of the application that may be associated with this process.
|The command line used to launch the startup application, service, process or job.
|The process file object.
|The process integrity level (Windows only).
|The lineage of the actor process.
|The list of loaded module names.
|The module (dll) that is associated with the event.
|Normalized Command Line Ext
|The CSIDL-normalized command line used to launch the startup application, service, process or job (Windows only).
|The process identifier, as reported by the operating system.
|The name of the containment jail (sandbox) assigned by the policy to this process/module.
|The user session from which the process was launched.
|The user session ID from which the process was launched.
|The time that the process started.
Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.
|The identifier of the thread associated with the event, as returned by the operating system.
|Process Unique ID Ext
|The unique identifier of the process.
|The user that has launched the process.
|An unordered collection of zero or more name/value pairs that represent a process extended attribute.