process

Event fields used to define metadata about processes in a system. A process is an isolated memory address space that is used to run a program. Inside a process's address space the system can load code modules, but the process must have at least one thread running to do so.
Attributes

| Name | Type | Description | Sample Value |
|---|---|---|---|
| process_call_trace | string | Stack trace of where the open-process call was made | `C:\WINDOWS\SYSTEM32\ntdll.dll+a0344` |
| process_command_line | string | Command-line arguments that were executed by the process on the endpoint. | |
| process_company | string | Company name metadata of the Image file | |
| process_current_directory | string | The full path to the current directory for the process. The string can also specify a UNC path. | |
| process_file_description | string | Description of the Image file | |
| process_file_name | string | Name of the Image file or executable file used to define the initial code and data mapped into the process's virtual address space. This does not contain the full path of the Image file. | |
| process_file_path | string | The complete path and name of the Image file or executable file used to define the initial code and data mapped into the process's virtual address space. | |
| process_file_product | string | The Image file's product name | |
| process_file_version | string | Version of the Image file | |
| process_granted_access | string | Granted access code requested/used to open a target process | |
| process_guid | string | Process globally unique identifier used to identify a process across operating systems. This can be created by hashing a group of values such as Process Name, Process Id, Process Start Time, Process Path and even Computer Name. Datasets such as Sysmon call this the ProcessGuid. This is similar to the output of the UUIDGEN command. | |
| process_hash_imphash | string | IMPHASH of the image/binary/file | |
| process_hash_md5 | string | MD5 hash of the image/binary/file | |
| process_hash_sha1 | string | SHA1 hash of the image/binary/file | |
| process_hash_sha256 | string | SHA256 hash of the image/binary/file | |
| process_hash_sha512 | string | SHA512 hash of the image/binary/file | |
| process_id | integer | Process unique identifier used by the current operating system to identify a process. | |
| process_injected_address | string | The memory address where the subprocess is injected | |
| process_integrity_level | string | Integrity label assigned to a process | |
| process_is_hidden | boolean | Describes whether the process is hidden. | |
| process_name | string | Name of the process derived from the Image file or executable file used to define the initial code and data mapped into the process's virtual address space. This does not contain the full path of the Image file. | |
| process_parent_call_trace | string | Stack trace of where the open-process call was made (parent process) | `C:\WINDOWS\SYSTEM32\ntdll.dll+a0344` |
| process_parent_command_line | string | Command-line arguments that were executed by the parent process on the endpoint. | |
| process_parent_company | string | Company name metadata of the parent process's Image file | |
| process_parent_current_directory | string | The full path to the current directory for the parent process. The string can also specify a UNC path. | |
| process_parent_file_description | string | Description of the parent process's Image file | |
| process_parent_file_name | string | Name of the Image file or executable file used to define the initial code and data mapped into the parent process's virtual address space. This does not contain the full path of the Image file. | |
| process_parent_file_path | string | The complete path and name of the Image file or executable file used to define the initial code and data mapped into the parent process's virtual address space. | |
| process_parent_file_product | string | The parent process's Image file product name | |
| process_parent_file_version | string | Version of the parent process's Image file | |
| process_parent_granted_access | string | Granted access code requested/used by the parent process to open a target process | |
| process_parent_guid | string | Globally unique identifier of the parent process, used to identify it across operating systems. This can be created by hashing a group of values such as Process Name, Process Id, Process Start Time, Process Path and even Computer Name. Datasets such as Sysmon call this the ParentProcessGuid. This is similar to the output of the UUIDGEN command. | |
| process_parent_hash_imphash | string | IMPHASH of the parent process's image/binary/file | |
| process_parent_hash_md5 | string | MD5 hash of the parent process's image/binary/file | |
| process_parent_hash_sha1 | string | SHA1 hash of the parent process's image/binary/file | |
| process_parent_hash_sha256 | string | SHA256 hash of the parent process's image/binary/file | |
| process_parent_hash_sha512 | string | SHA512 hash of the parent process's image/binary/file | |
| process_parent_id | integer | Unique identifier used by the current operating system to identify the parent process. | |
| process_parent_injected_address | string | The memory address where the subprocess is injected (parent process) | |
| process_parent_integrity_level | string | Integrity label assigned to the parent process | |
| process_parent_is_hidden | boolean | Describes whether the parent process is hidden. | |
| process_parent_name | string | Name of the parent process derived from the Image file or executable file used to define the initial code and data mapped into the parent process's virtual address space. This does not contain the full path of the Image file. | |
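The table above is a target schema; what a detection engineer usually needs is the mapping from a raw telemetry source onto it. The following added example (not OSSEM project code) normalises a Sysmon Event ID 1 (process creation) record into the `process_*` and `process_parent_*` fields, splits Sysmon's packed `Hashes` string into the separate hash fields, derives `process_file_name`/`process_name` from the image path, and type-checks the result against the integer/boolean/string types in the table. The Sysmon EventData names used (`Image`, `CommandLine`, `Hashes`, `ParentImage`, and so on) are the real ones; the sample event, the computer name and the `derive_process_guid` fallback are constructed for illustration and the fallback is not Sysmon's own ProcessGuid algorithm.

```python
"""Normalise a Sysmon Event ID 1 record into OSSEM process_* fields.

Added example, not OSSEM project code. Sysmon EventData names are real;
the sample event, computer name and GUID fallback are constructed.
"""
import ntpath
import uuid
from typing import Any, Dict, List

# Constructed Sysmon Event ID 1 EventData; every value is made up.
SAMPLE_SYSMON_EVENT: Dict[str, str] = {
    "UtcTime": "2023-01-01 12:00:00.000",
    "ProcessGuid": "{00000000-0000-0000-0000-000000000001}",  # placeholder
    "ProcessId": "4321",
    "Image": "C:\\Windows\\System32\\cmd.exe",
    "FileVersion": "10.0.19041.1",
    "Description": "Windows Command Processor",
    "Product": "Microsoft Windows Operating System",
    "Company": "Microsoft Corporation",
    "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c whoami',
    "CurrentDirectory": "C:\\Users\\alice\\",
    "IntegrityLevel": "Medium",
    # Sysmon packs all configured hashes into one comma-separated string.
    "Hashes": "SHA1=" + "ab" * 20 + ",MD5=" + "cd" * 16
              + ",SHA256=" + "ef" * 32 + ",IMPHASH=" + "12" * 16,
    "ParentProcessGuid": "{00000000-0000-0000-0000-000000000002}",  # placeholder
    "ParentProcessId": "1234",
    "ParentImage": "C:\\Windows\\explorer.exe",
    "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
}

# Non-string types from the table; every other field is a string.
FIELD_TYPES: Dict[str, type] = {
    "process_id": int,
    "process_parent_id": int,
    "process_is_hidden": bool,
    "process_parent_is_hidden": bool,
}


def parse_hashes(hashes: str, prefix: str = "process") -> Dict[str, str]:
    """Split 'ALGO=hex,ALGO=hex' into <prefix>_hash_<algo> fields (lower-cased)."""
    out: Dict[str, str] = {}
    for item in hashes.split(","):
        if "=" not in item:
            continue  # tolerate a trailing separator or a malformed entry
        algo, value = item.split("=", 1)
        out[f"{prefix}_hash_{algo.strip().lower()}"] = value.strip().lower()
    return out


def derive_process_guid(computer_name: str, path: str, pid: int, start_time: str) -> str:
    """Constructed fallback: a stable id hashed from the values the table names
    (computer name, path, pid, start time). NOT Sysmon's ProcessGuid algorithm;
    used only when the source event carries no GUID of its own."""
    material = "|".join([computer_name.lower(), path.lower(), str(pid), start_time])
    return str(uuid.uuid5(uuid.NAMESPACE_OID, material))


def normalize_sysmon_process_create(event: Dict[str, str], computer_name: str) -> Dict[str, Any]:
    """Map one Sysmon process-creation EventData dict onto OSSEM process fields."""
    image = event["Image"]
    parent_image = event.get("ParentImage", "")
    pid = int(event["ProcessId"])
    guid = event.get("ProcessGuid") or derive_process_guid(
        computer_name, image, pid, event.get("UtcTime", ""))
    record: Dict[str, Any] = {
        "process_guid": guid,
        "process_id": pid,
        "process_file_path": image,
        "process_file_name": ntpath.basename(image),
        "process_name": ntpath.basename(image),
        "process_command_line": event.get("CommandLine", ""),
        "process_current_directory": event.get("CurrentDirectory", ""),
        "process_company": event.get("Company", ""),
        "process_file_description": event.get("Description", ""),
        "process_file_product": event.get("Product", ""),
        "process_file_version": event.get("FileVersion", ""),
        "process_integrity_level": event.get("IntegrityLevel", ""),
        "process_parent_guid": event.get("ParentProcessGuid", ""),
        "process_parent_id": int(event.get("ParentProcessId", 0)),
        "process_parent_file_path": parent_image,
        "process_parent_file_name": ntpath.basename(parent_image),
        "process_parent_name": ntpath.basename(parent_image),
        "process_parent_command_line": event.get("ParentCommandLine", ""),
    }
    record.update(parse_hashes(event.get("Hashes", "")))
    return record


def validate(record: Dict[str, Any]) -> List[str]:
    """Return names of fields whose value does not match the table's type."""
    problems: List[str] = []
    for name, value in record.items():
        expected = FIELD_TYPES.get(name, str)
        # bool is a subclass of int in Python, so reject it for integer fields.
        if expected is int and (isinstance(value, bool) or not isinstance(value, int)):
            problems.append(name)
        elif expected is not int and not isinstance(value, expected):
            problems.append(name)
    return problems


if __name__ == "__main__":
    rec = normalize_sysmon_process_create(SAMPLE_SYSMON_EVENT, "WORKSTATION01")
    for key in sorted(rec):
        print(f"{key}: {rec[key]}")
    print("type problems:", validate(rec))
```

Two design points worth noting: `process_id` is converted to `integer` as the table requires (Sysmon delivers it as text), and `validate()` treats `bool` as a type violation for integer fields because Python's `bool` is a subclass of `int`, which would otherwise let a mis-mapped `process_is_hidden` slip into `process_id` unnoticed.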