Process History Event

Process History events report when a process has launched, injected, opened or terminated another process, successfully or otherwise.

Name | Attribute | Group | Requirement | Type | Description
Event ID | event_id | Classification | Reserved | Integer | The event ID identifies the event's semantics, structure and outcome.
  8201000  Process History: Unknown
  8201001  Process History: Launched
  8201002  Process History: Terminated
  8201003  Process History: Open
  8201004  Process History: Injected
  8201005  Process History: Set User ID
Severity | severity_id | Classification | Required | Integer | The severity of the event.
  0  Unknown - The event severity is not known.
  1  Informational - Purely informational. No action needed.
  2  Warning - The user decides if action is needed.
  3  Minor - Action is required but the situation is not serious at this time.
  4  Major - Action is required immediately.
  5  Critical - Action is required immediately and the scope is broad.
  6  Fatal - An error occurred but it is too late to take remedial action.
Version | version | Classification | Required | String | The event type version, in the form major.minor. For example: 1.7. Event consumers use the version to determine what the event attributes represent.
Type | type_id | Classification | Required | Integer | The event type.
  8201  Process History - Process History events report when a process has launched, injected, opened or terminated another process, successfully or otherwise.
Category | category_id | Classification | Required | Integer | The event type category.
  5  System Activity
Type String Ext | type | Classification | Optional | String | The event type.
Disposition | id | Classification | Required | Integer | The outcome of the event.
  0  Unknown
  1  Launched
  2  Terminated
  3  Open
  4  Injected
  5  Set User ID
Operation | operation | Primary | Optional | String | The OS operation that initiated the event; for example, "CreateRemoteThread" or "NtUserSetWinEventHook".
Attacks Ext | attacks | Primary | Optional | Attack Array | The array of attacks that are associated with the event.
Correlation ID Ext | correlation_uid | Primary | Optional | String | The unique identifier used to correlate events.
Events Ext | events | Primary | Optional | JSON Array | The additional events that pertain to the event or incident.
Event Unique ID | uuid | Primary | Reserved | String | The system-assigned unique identifier of an event occurrence.
Lineage Ext | lineage | Primary | Optional | String Array | The lineage of the actor process.
CybOX Ext | cybox | Primary | Reserved | Cyber Observable eXpression | The Cyber Observable eXpression (CybOX™) attributes.
Analysis Ext | analysis | Primary | Optional | String | The anti-malware emulation analysis.
Policy Ext | policy | Primary | Optional | Policy | The policy that pertains to the event.
Actor | actor | Primary | Recommended | Process | The process that performed the operation or action on the target object. For example, the process that could have created a new file or violated a policy.
Sessions Ext | sessions | Primary | Optional | Session Array | The user sessions on the device.
Log Name Ext | log_name | Primary | Reserved | String | The name of the database, index, or archive where the event was logged.
Parent Process Ext | parent | Primary | Optional | Process | The parent process of the actor process.
Responsible Actor | responsible_actor | Primary | Recommended | Process | The process that is responsible for triggering the detection. For example: the untrusted ancestor process, or the process that injected a thread into the actor process.
Process | process | Primary | Recommended | Process | The process that was launched, injected, opened or terminated.
Message ID Ext | message_id | Message | Optional | String | The numeric representation of the message, ordinarily used for translation purposes.
Message Code Ext | message_code | Message | Optional | String | The coded string representation of the message, ordinarily used for troubleshooting.
Message | message | Message | Recommended | String | The description of the event.
Composite Event Ext | composite | Occurrence | Optional | Integer | The type of composite event. See the Event Logging API for more information.
  1  Intact - The composite event is stored as-is.
  2  Expanded - The composite event is expanded into multiple events.
Event Time | time | Occurrence | Reserved | Datetime | The event occurrence time (Device Time) adjusted to the server clock.

  Note: The internal time format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Count Ext | count | Occurrence | Optional | Integer | For aggregated events, the number of times that the event occurred during the Device Time to Device End Time period.
Sequence Number Ext | seq_num | Occurrence | Recommended | Integer | A 32-bit positive number that indicates the order of events sent by the client.

  Note: The first event that a client sends has a Sequence Number of 1, and the client increments the Sequence Number with each subsequent event. For UNPACK (2) composite events, each event in the events array must have a unique seq_num, such that events[i+1].seq_num = events[i].seq_num + 1. When the sequence number wraps around, based on java.lang.Integer.MAX_VALUE, it must start from 1. The event service records sequence numbers to detect lost events.

End Time Ext | end_time | Occurrence | Reserved | Datetime | For aggregate events, the Device End Time adjusted to the server clock.
Device Time | device_time | Occurrence | Required | Datetime | The time that the event occurred at the device.

  Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC. The event producer or the event collection agent that detects the event provides the event Device Time.

Collected Time Ext | log_time | Occurrence | Reserved | Datetime | The time that the system collected the event.

  Note: The internal time format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Device End Time Ext | device_end_time | Occurrence | Optional | Datetime | The time of the last aggregated event.

  Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC, and this value must be greater than or equal to the Device Time (device_time) value.

Time Zone | timezone | Occurrence | Recommended | Integer | The difference, in minutes, between the local time in this time zone and Coordinated Universal Time (UTC).

  For example: In a state adopting daylight time in the Pacific time zone, the Bias is 480 minutes and the DaylightBias is -60 minutes. To determine the time in UTC for June 11, 2 A.M. PST, add a Bias of (480/60) hours and a DaylightBias of -(60/60) hours to the local time June 11, 2 A.M. The time in UTC is June 11, 9 A.M.
Device Virtual Host Type Ext | device_vhost_id | Origination | Optional | Integer | The device virtual host type.
  0  Unknown
  1  None
  10  VMware
  11  Hyper-V®
  12  Xen
  13  KVM
  14  QEMU
  15  VirtualBox
  16  Solaris Zones
  30  AWS
  31  Azure
  32  GCP
  33  OCP
  50  Docker
  51  Cloud Foundry
  52  LXC
Feature ID Ext | feature_uid | Origination | Recommended | String | The unique identifier of the feature originating the event.
Device OS Country Code Ext | device_os_country | Origination | Optional | String | The operating system country code as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
Domain ID Ext | domain_uid | Origination | Recommended | String | The unique domain identifier.
Impersonator Customer ID Ext | impersonator_customer_uid | Origination | Optional | String | The unique customer identifier of the impersonating agent.
Container Ext | container | Origination | Optional | Container | The container that pertains to the event.
Device OS Service Pack Version Ext | device_os_sp_ver | Origination | Optional | String | The version number of the latest Service Pack.
Impersonator Domain ID Ext | impersonator_domain_uid | Origination | Optional | String | The unique domain identifier of the impersonating agent.
Device Network Information Ext | device_networks | Origination | Recommended | Network Info Array | The network information objects that are associated with the device, one for each MAC address/IP address combination.

  Note: The first element of the array is the network information that pertains to the event.

User ID Ext | user_uid | Origination | Recommended | String | The unique identifier of the user associated with the event.
Compliant Device Ext | device_is_compliant | Origination | Optional | Boolean | The event occurred on a compliant device.
Device Virtual Host Type String Ext | device_vhost | Origination | Optional | String | The device virtual host type string.
Device Subnet Ext | device_subnet | Origination | Optional | IP Address | The subnet IP address. For example: "255.0.0.0".
Feature Path Ext | feature_path | Origination | Recommended | String | The path of the feature originating the event.
Feature Type Ext | feature_type | Origination | Recommended | String | The type of feature.
Device Group Ext | device_group | Origination | Optional | String | The full path of the group to which the device belongs. For example: West Coast\Windows Laptops.
Product Version | product_ver | Origination | Recommended | String | The version of the product.

  Note: The version is as defined by the product SKU originating the event. For example: "2013.1.3-beta".

Product Language Ext | product_lang | Origination | Recommended | String | The two-letter lower-case language code as defined by ISO 639-1. For example: "en" (English), "de" (German), or "fr" (French).
Device BIOS Manufacturer Ext | device_hw_bios_manufacturer | Origination | Optional | String | The BIOS manufacturer. For example: "LENOVO".
Device Org Unit ID Ext | org_unit_uid | Origination | Recommended | String | The unique identifier of the organizational unit.
Device Org Unit Ext | device_org_unit | Origination | Recommended | String | The name of the org unit to which the device belongs.
Device OS Type Ext | device_os_type_id | Origination | Recommended | Integer | The type of the operating system.
  0  Unknown
  100  Windows
  200  Linux
  300  Solaris
  301  AIX
  302  HP-UX
  400  Macintosh
  500  iOS
  501  Android
  502  Windows Mobile
  503  iPadOS
  1001  Other
Device Domain Ext | device_domain | Origination | Recommended | String | The network domain where the device resides. For example: "internal.somecompany.com".
Personal Device Ext | device_is_personal | Origination | Optional | Boolean | The event occurred on a personal device.
User Present Ext | is_user_present | Origination | Optional | Boolean | The indication of whether the user was logged on at event generation time.
Device OS Language Ext | device_os_lang | Origination | Optional | String | The lowercase two-letter ISO language code as defined by ISO 639-1. For example: "en", "de", or "fr".
Product Data Ext | product_data | Origination | Optional | JSON | The event attributes that are specific to the reporting product.
Device OS Build Ext | device_os_build | Origination | Optional | String | The operating system build number.
User Name | user_name | Origination | Recommended | String | The name of the user that originated or caused the event (if the event involves a user) or the user on whose behalf the event occurred.
Product ID Ext | product_uid | Origination | Recommended | String | The unique identifier of the product originating the event.
Device Alias Ext | device_alias_name | Origination | Optional | String | The alternate device name, ordinarily as assigned by an administrator.
Device IMEI Ext | device_imei | Origination | Optional | String | The International Mobile Station Equipment Identifier that is associated with the device.
Device Caption Ext | device_cap | Origination | Optional | String | A short description or caption of the device. For example: "ATP Scanner 1" or "CSP Manager".
Device Gateway Ext | device_gateway | Origination | Optional | IP Address | The gateway IP address. For example: "10.0.0.1".
Impersonator User ID Ext | impersonator_user_uid | Origination | Optional | String | The unique user identifier of the impersonating agent.
Device BIOS Date Ext | device_hw_bios_date | Origination | Optional | String | The BIOS date. For example: "03/31/16".
Device Type Ext | device_type | Origination | Recommended | String | The type of device originating the event. For example: "unknown", "server", "desktop", "laptop", "tablet", "mobile", "virtual", "browser", or "other".
Device Location Ext | device_location | Origination | Optional | Location | The location of the device at the time of the event.
Device MAC Addresses Ext | device_mac | Origination | Optional | String | The Media Access Control (MAC) address that is associated with the device.
Device OS Bits Ext | device_os_bits | Origination | Optional | Integer | The number of processor bits. For example: 64 or 128.
Device Site Ext | device_site | Origination | Recommended | String | The name of the site to which the device belongs.
Reference Event Log Time Ext | ref_log_time | Origination | Optional | Datetime | The log time of the reference event.

  Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Feature Name Ext | feature_name | Origination | Recommended | String | The name of the feature originating the event.

  Note: The Feature Name is ordinarily defined by the product SKU, but it could be any other name that identifies the software component originating the event. For example: "Live Update".

Raw Data Ext | raw_data | Origination | Optional | String | The event data as received.
Unmanaged Device Ext | device_is_unmanaged | Origination | Optional | Boolean | The event occurred on an unmanaged device.
Device Group Name Ext | device_group_name | Origination | Optional | String | The name of the leaf group to which the device belongs. For example: Windows Laptops.
Device Cloud VM Ext | device_cloud_vm | Origination | Optional | Cloud Hosted VM | The cloud-hosted virtual machine.
Customer ID Ext | customer_uid | Origination | Recommended | String | The unique customer identifier.
Device ID Ext | device_uid | Origination | Recommended | String | The unique identifier of the device.
Device Proxy Name Ext | device_proxy_name | Origination | Optional | String | The proxy host name. For example: "localproxy".
Source Ext | source | Origination | Optional | Event Source | The monitored source that originated the event.
Device Reference ID Ext | device_ref_uid | Origination | Optional | String | The unique reference identifier of the device.
Device MD5 Ext | device_name_md5 | Origination | Optional | String | The MD5 hash of the device name.

  Note: The hash must be of the lower-case device name.

Device OS Edition Ext | device_os_edition | Origination | Optional | String | The operating system edition. For example: "Professional".
Device Domain ID Ext | device_domain_uid | Origination | Recommended | String | The unique identifier of the domain where the device resides.
Device IP Address | device_ip | Origination | Recommended | IP Address | The IP address that pertains to the event, in either IPv4 or IPv6 format.

  Note: Because the IP address of a device can change, the IP address must be captured when the event occurs, which may be different from when the event is sent. If additional network information is pertinent to the event, also populate Device Network Information (device_networks).

Original Data Ext | orig_data | Origination | Reserved | String | The pre-normalized event data.
Product Name | product_name | Origination | Recommended | String | The name of the product originating the event.
User | user | Origination | Recommended | User | The user that pertains to the event. Can be used to provide information in addition to User Name.
Device Description Ext | device_desc | Origination | Optional | String | The description of the device, ordinarily as reported by the operating system.
Device Processor Type Ext | device_hw_cpu_type | Origination | Optional | String | The processor type. For example: "x86 Family 6 Model 37 Stepping 5".
Device Proxy IP Ext | device_proxy_ip | Origination | Optional | IP Address | The proxy IP address.
Device OS Service Pack Ext | device_os_sp_name | Origination | Optional | String | The name of the latest Service Pack.
Device BIOS Version Ext | device_hw_bios_ver | Origination | Optional | String | The BIOS version. For example: "LENOVO G5ETA2WW (2.62)".
Feature Version Ext | feature_ver | Origination | Recommended | String | The version of the feature originating the event. For example: "2014.1.3.64".
Reference Event Log Name Ext | ref_log_name | Origination | Optional | String | The log name of the reference event.
Device Public IP Ext | device_public_ip | Origination | Reserved | IP Address | The public IP address.

  Note: The Device Public IP is populated with the value of the x-forwarded-for message header, if present.

Device OS Version Ext | device_os_ver | Origination | Optional | String | The version of the OS running on the device that originated the event. For example: "Windows 10", "OS X 10.7", or "iOS 9".
Original Event ID Ext | ref_orig_uid | Origination | Optional | String | The unique identifier of the external event that corresponds to Reference Event ID (ref_uid), if applicable.
Sub-feature Name Ext | subfeature_name | Origination | Optional | String | The name of the sub-feature originating the event.
Customer Registry ID Ext | customer_registry_uid | Origination | Optional | String | The unique Symantec customer registry identifier.
Reference Event ID Ext | ref_uid | Origination | Optional | String | The unique external original message or event identifier that was used to record the event. For example: the Windows Event Log Event ID, the SEPM event UID, or the SYSLOG msgid.
Device Name | device_name | Origination | Recommended | String | The name of the device originating the event.

  Note: The Device Name is ordinarily the host name, but could be any other string that helps to identify the device, such as a phone number; for example "computer.domain" or "310.555.1234".

Trusted Device Ext | device_is_trusted | Origination | Optional | Boolean | The event occurred on a trusted device.
Device OS Ext | device_os_name | Origination | Recommended | String | The name of the operating system running on the device from which the event originated. For example: "Windows 10 Home Basic", "Mac OS X", "iOS", or "Android".
Log Level Ext | log_level | Status | Optional | String | The log level as reported by the logger subsystem.
Stack Trace Ext | status_stack_trace | Status | Optional | String | The list of calls that the application was making when an exception was thrown.
Status Details Ext | status_detail | Status | Optional | String | The status details.
OS Code Source Ext | status_os_src | Status | Optional | Integer | The indication of whether the OS Code (status_os) returned to the application for the requested operation was returned by the OS (0) or generated by the security product (1).
OS Code Ext | status_os | Status | Optional | String | The operating system result code.
Thread Name Ext | status_thread_name | Status | Optional | String | The name of the thread that pertains to the status.
Status | status_id | Status | Optional | Integer | The cross-platform event status.
  0  Unknown
  1  Success
  2  Failure
  3  In Progress
  4  Partial Success
Remediation Ext | remediation | Remediation | Optional | String | The remediation information.
Remediation Reference Ext | remediation_ref | Remediation | Optional | String | The reference to remediation information.

  Note: The information can be either internal or external to the reporting product.

Remediation ID Ext | remediation_uid | Remediation | Optional | String | The unique identifier of the remediation information.
Remediated Ext | remediated | Remediation | Optional | Boolean | The indication of whether the event was remediated.
Logging Device Time Ext | logging_device_post_time | Collector | Optional | Datetime | The time when the event was logged by the logging device.

  Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Logging Device IP Ext | logging_device_ip | Collector | Optional | IP Address | The IP address of the device that logged the event.
Collector Device Name Ext | collector_device_name | Collector | Optional | String | The name of the collector device.
Logging Device Name Ext | logging_device_name | Collector | Optional | String | The name of the device that logged the event.
Collector ID Ext | collector_uid | Collector | Optional | String | The unique identifier of the collector.
Collector Name Ext | collector_name | Collector | Optional | String | The name of the collector.
Logging Device ID Ext | logging_device_ref_uid | Collector | Optional | String | The unique identifier of the device that collects logs from other devices.
Proxy Device IP Ext | proxy_device_ip | Collector | Optional | IP Address | The IP address of the proxy device that is collecting events from other devices. For example: the IP address of a Windows Domain controller. The format is either IPv4 or IPv6.
Collector Device IP Ext | collector_device_ip | Collector | Optional | IP Address | The IP address of the collector device in either IPv4 or IPv6 format.
Proxy Device Name Ext | proxy_device_name | Collector | Optional | String | The name of the proxy device that is collecting events from other devices.
STIC Version Ext | stic_version | STIC | Optional | String | The version of the STIC library.
STIC Hardware IDs Ext | stic_legacy_hw_uids | STIC | Optional | String Array | The list of Hardware IDs that have been associated with the device.
STIC Control Data ID Ext | stic_schema_id | STIC | Optional | String | The telemetry submission control data identifier, represented as an 8-byte hexadecimal string.
STIC Enterprise IDs Ext | stic_legacy_ent_uids | STIC | Optional | String Array | The list of Enterprise IDs (related to license entitlement) that have been associated with the device.
STIC PII Ext | stic_has_pii | STIC | Optional | Boolean | The indication of whether the event has any Personally Identifiable Information (PII).
STIC Hardware ID Ext | stic_hw_uid | STIC | Optional | String | The device hardware ID.
STIC Machine IDs Ext | stic_legacy_uids | STIC | Optional | String Array | The list of Machine IDs that have been associated with the device.
STIC IP Hash Ext | stic_ip_hash | STIC | Optional | String | The STIC hash of the IP address.
STIC Machine ID Ext | stic_uid | STIC | Optional | String | The device Machine ID.
Detection Version Ext | content_ver |  | Optional | String | The version of the engine content producing FDR events.
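Several of the notes in this table are rules that an ingest pipeline can check before accepting an event: the event_id, type_id and disposition (id) values must agree (the table numbers event_id as 8201000 plus the disposition), device_end_time must not precede device_time, seq_num increments by one and restarts at 1 after java.lang.Integer.MAX_VALUE, device_name_md5 is taken over the lower-cased device name, and the Time Zone note's Bias plus DaylightBias arithmetic gives UTC from local time. The following is an added example that implements those checks, not Symantec's own code or schema library; the event is a plain dict keyed by the attribute names above, the sample event and the year in the Time Zone calculation are constructed assumptions.

```python
"""Consistency checks for a Process History event, written from the rules in
the schema table: event_id / type_id / disposition agreement, the Device End
Time >= Device Time rule, Sequence Number wrap-around at
java.lang.Integer.MAX_VALUE, the lower-case Device MD5 rule, and the Time Zone
note's Bias arithmetic.  Added example, not Symantec's own code; the sample
event below is constructed, not a captured telemetry record."""
import hashlib
from datetime import datetime, timedelta, timezone

JAVA_INT_MAX = 2**31 - 1          # java.lang.Integer.MAX_VALUE: seq_num wraps after this
PROCESS_HISTORY_TYPE_ID = 8201    # type_id of Process History events
EVENT_IDS = {                     # event_id values listed in the table
    8201000: "Unknown", 8201001: "Launched", 8201002: "Terminated",
    8201003: "Open", 8201004: "Injected", 8201005: "Set User ID",
}
SEVERITY_IDS = range(0, 7)        # 0 Unknown .. 6 Fatal


def classification_errors(event: dict) -> list:
    """Classification group: event_id, type_id and disposition (id) must agree.
    The table numbers event_id as type_id * 1000 + disposition (8201004 = Injected = 4)."""
    errors = []
    eid = event.get("event_id")
    if eid not in EVENT_IDS:
        return [f"event_id {eid!r} is not a Process History event id"]
    if event.get("type_id") != PROCESS_HISTORY_TYPE_ID:
        errors.append(f"type_id must be {PROCESS_HISTORY_TYPE_ID}, got {event.get('type_id')!r}")
    if event.get("id") != eid - PROCESS_HISTORY_TYPE_ID * 1000:
        errors.append(f"disposition id {event.get('id')!r} does not match event_id {eid}")
    if event.get("severity_id") not in SEVERITY_IDS:
        errors.append(f"severity_id {event.get('severity_id')!r} is outside 0..6")
    return errors


def time_errors(event: dict) -> list:
    """Occurrence group: device_time is required (epoch milliseconds) and
    device_end_time, when present, must be greater than or equal to it."""
    start = event.get("device_time")
    if not isinstance(start, int):
        return ["device_time is required and must be milliseconds since the epoch"]
    end = event.get("device_end_time")
    if end is not None and end < start:
        return [f"device_end_time {end} is earlier than device_time {start}"]
    return []


def expected_device_md5(device_name: str) -> str:
    """Device MD5 rule: the hash is taken over the lower-case device name."""
    return hashlib.md5(device_name.lower().encode("utf-8")).hexdigest()


def device_md5_errors(event: dict) -> list:
    name, digest = event.get("device_name"), event.get("device_name_md5")
    if name is None or digest is None:
        return []                 # both attributes are optional; nothing to cross-check
    expected = expected_device_md5(name)
    if digest.lower() != expected:
        return [f"device_name_md5 {digest} != md5(lower-case device_name) {expected}"]
    return []


def validate(event: dict) -> list:
    """All checks together; an empty list means the event passed."""
    return classification_errors(event) + time_errors(event) + device_md5_errors(event)


def next_seq_num(previous: int) -> int:
    """The Sequence Number a client must send after `previous`: increment by one,
    restarting at 1 once java.lang.Integer.MAX_VALUE has been used."""
    return 1 if previous >= JAVA_INT_MAX else previous + 1


def lost_event_count(prev_seq: int, cur_seq: int) -> int:
    """Number of events missing between two consecutively received events,
    taking the wrap-around into account (0 means the stream is contiguous)."""
    if cur_seq == prev_seq:
        raise ValueError(f"duplicate seq_num {cur_seq}")
    if cur_seq > prev_seq:
        return cur_seq - prev_seq - 1
    # wrapped: the missing numbers are prev_seq+1..MAX_VALUE, then 1..cur_seq-1
    return (JAVA_INT_MAX - prev_seq) + (cur_seq - 1)


def local_to_utc(local: datetime, bias_minutes: int, daylight_bias_minutes: int = 0) -> datetime:
    """The Time Zone note's arithmetic: UTC = local time + Bias + DaylightBias."""
    offset = timedelta(minutes=bias_minutes + daylight_bias_minutes)
    return (local + offset).replace(tzinfo=timezone.utc)


# Constructed sample: an Injected event (disposition 4) reported from a Windows host.
SAMPLE_EVENT = {
    "event_id": 8201004, "type_id": 8201, "category_id": 5, "id": 4,
    "severity_id": 3, "version": "1.0", "operation": "CreateRemoteThread",
    "device_time": 1_700_000_000_000, "device_end_time": 1_700_000_005_000,
    "seq_num": 17, "device_name": "WS-0042.internal.somecompany.com",
    "device_os_type_id": 100, "status_id": 1,
}
SAMPLE_EVENT["device_name_md5"] = expected_device_md5(SAMPLE_EVENT["device_name"])
# Local time from the Time Zone note; the year is an assumption, the note gives none.
NOTE_LOCAL_TIME = datetime(2024, 6, 11, 2, 0)
```

validate(SAMPLE_EVENT) returns an empty list; changing the disposition to 1 or moving device_end_time before device_time produces one error each. lost_event_count treats a current sequence number that is lower than the previous one as a wrap, so a receiver that sees JAVA_INT_MAX followed by 1 reports nothing lost, while JAVA_INT_MAX - 1 followed by 2 reports two missing events. local_to_utc(NOTE_LOCAL_TIME, 480, -60) reproduces the note's 9 A.M. UTC result.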