Linux Process

process

Extends the process object to add Linux specific fields


Attributes

Caption Name Type Is Array Default Description
Audit User ID auid Integer The audit user assigned at login by the audit subsystem.
Command Line cmd_line String The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used.
Container container Container The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
Created Time created_time Timestamp The time when the process was created/started.
Effective Group ID egid Integer The effective group under which this process is running.
Effective User ID euid Integer The effective user under which this process is running.
File file File The process file object.
Group group Group The group under which this process is running.
Integrity integrity String The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only).
Integrity Level integrity_id Integer The normalized identifier of the process integrity level (Windows only).
0
Unknown
1
Untrusted
2
Low
3
Medium
4
High
5
System
6
Protected
99
Other
Lineage lineage String The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'].
Loaded Modules loaded_modules String The list of loaded module names.
Name name String The friendly name of the process, for example: Notepad++.
Namespace PID namespace_pid Integer If running under a process namespace (such as in a container), the process identifier within that process namespace.
Parent Process parent_process Linux Process The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
Process ID pid Integer The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
Raw Data raw_data JSON The event data as received from the event source.
Record ID record_id String Unique identifier for the object
Sandbox sandbox String The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
Session session Session The user session under which this process is running.
Terminated Time terminated_time Timestamp The time when the process was terminated.
Thread ID tid Integer The identifier of the thread associated with the event, as returned by the operating system.
Unique ID uid String A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
Unmapped Data unmapped Unmapped The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
User user User The user under which this process is running.
Extended Attributes xattributes JSON An unordered collection of zero or more name/value pairs that represent a process extended attribute.

Context

Linux Process

JSON

{
  "caption": "Linux Process",
  "description": "Extends the process object to add Linux specific fields",
  "extends": "process",
  "name": "process",
  "observable": 25,
  "profiles": [
    "linux/linux_users"
  ],
  "attributes": {
    "$include": [
      "profiles/linux_users.json"
    ],
    "cmd_line": {
      "requirement": "recommended",
      "caption": "Command Line",
      "observable": 13,
      "description": "The full command line used to launch an application, service, process, or job. For example: <code>ssh user@10.0.0.10</code>. If the command line is unavailable or missing, the empty string <code>''</code> is to be used.",
      "type": "string_t"
    },
    "created_time": {
      "description": "The time when the process was created/started.",
      "requirement": "recommended",
      "caption": "Created Time",
      "type": "timestamp_t"
    },
    "file": {
      "description": "The process file object.",
      "requirement": "recommended",
      "caption": "File",
      "type": "file"
    },
    "integrity": {
      "requirement": "optional",
      "caption": "Integrity",
      "description": "The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only).",
      "type": "string_t",
      "sibling": "integrity"
    },
    "integrity_id": {
      "enum": {
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "Untrusted"
        },
        "2": {
          "caption": "Low"
        },
        "3": {
          "caption": "Medium"
        },
        "4": {
          "caption": "High"
        },
        "5": {
          "caption": "System"
        },
        "6": {
          "caption": "Protected"
        },
        "99": {
          "caption": "Other"
        }
      },
      "requirement": "optional",
      "caption": "Integrity Level",
      "description": "The normalized identifier of the process integrity level (Windows only).",
      "sibling": "integrity",
      "type": "integer_t"
    },
    "lineage": {
      "requirement": "optional",
      "caption": "Lineage",
      "description": "The lineage of the process, represented by a list of paths for each ancestor process. For example: <code>['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']</code>.",
      "is_array": true,
      "type": "string_t"
    },
    "loaded_modules": {
      "requirement": "optional",
      "caption": "Loaded Modules",
      "description": "The list of loaded module names.",
      "is_array": true,
      "type": "string_t"
    },
    "name": {
      "description": "The friendly name of the process, for example: <code>Notepad++</code>.",
      "type": "string_t",
      "requirement": "recommended",
      "caption": "Name",
      "name": "process_name_t"
    },
    "parent_process": {
      "requirement": "recommended",
      "caption": "Parent Process",
      "description": "The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.",
      "type": "process"
    },
    "pid": {
      "requirement": "recommended",
      "caption": "Process ID",
      "observable": 15,
      "description": "The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.",
      "type": "integer_t"
    },
    "sandbox": {
      "requirement": "optional",
      "caption": "Sandbox",
      "description": "The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.",
      "type": "string_t"
    },
    "session": {
      "description": "The user session under which this process is running.",
      "requirement": "optional",
      "caption": "Session",
      "type": "session"
    },
    "terminated_time": {
      "description": "The time when the process was terminated.",
      "requirement": "optional",
      "caption": "Terminated Time",
      "type": "timestamp_t"
    },
    "tid": {
      "requirement": "optional",
      "caption": "Thread ID",
      "description": "The identifier of the thread associated with the event, as returned by the operating system.",
      "type": "integer_t"
    },
    "uid": {
      "description": "A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.",
      "requirement": "recommended",
      "caption": "Unique ID",
      "type": "string_t"
    },
    "user": {
      "description": "The user under which this process is running.",
      "requirement": "recommended",
      "caption": "User",
      "type": "user"
    },
    "xattributes": {
      "description": "An unordered collection of zero or more name/value pairs that represent a process extended attribute.",
      "requirement": "optional",
      "caption": "Extended Attributes",
      "type": "json_t"
    },
    "container": {
      "group": "context",
      "requirement": "recommended",
      "caption": "Container",
      "description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
      "type": "container"
    },
    "namespace_pid": {
      "group": "context",
      "requirement": "recommended",
      "caption": "Namespace PID",
      "description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
      "type": "integer_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    },
    "auid": {
      "requirement": "optional",
      "caption": "Audit User ID",
      "description": "The audit user assigned at login by the audit subsystem.",
      "type": "integer_t"
    },
    "egid": {
      "requirement": "optional",
      "caption": "Effective Group ID",
      "description": "The effective group under which this process is running.",
      "type": "integer_t"
    },
    "euid": {
      "requirement": "optional",
      "caption": "Effective User ID",
      "description": "The effective user under which this process is running.",
      "type": "integer_t"
    },
    "group": {
      "description": "The group under which this process is running.",
      "requirement": "recommended",
      "caption": "Group",
      "type": "group"
    }
  },
  "constraints": {
    "at_least_one": [
      "pid",
      "uid"
    ]
  }
}