Linux Process

An array of Process Entities describing the extended parentage of this process object. Direct parent information should be expressed through the parent_process attribute. The first array element is the direct parent of this process object. Subsequent list elements go up the process parentage hierarchy. That is, the array is sorted from newest to oldest process. It is recommended to only populate this field for the top-level process object.

The audit user assigned at login by the audit subsystem.

Entity:COMMAND_LINE
The full command line used to launch an application, service, process, or job. For example: ssh [email protected]. If the command line is unavailable or missing, the empty string '' is to be used.

Entity:CONTAINER
Group:context
The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

A unique process identifier that can be assigned deterministically by multiple system data producers.

The time when the process was created/started.

The effective group under which this process is running.

Environment variables associated with the process.

The effective user under which this process is running.

Entity:FILE
The process file object.

The group under which this process is running.

The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only).

The normalized identifier of the process integrity level (Windows only).

• 0: Unknown (UNKNOWN)
• 1: Untrusted (UNTRUSTED)
• 2: Low (LOW)
• 3: Medium (MEDIUM)
• 4: High (HIGH)
• 5: System (SYSTEM)
• 6: Protected (PROTECTED)
• 99: Other (OTHER)

Entity:FILE_PATH
The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'].

🚧 WARNING: DEPRECATED

Lineage has been deprecated since 1.4.0. Use the ancestry attribute.

The list of loaded module names.

Entity:PROCESS_NAME
The friendly name of the process, for example: Notepad++.

Group:context
If running under a process namespace (such as in a container), the process identifier within that process namespace.

Entity:LINUX_PROCESS
The parent process of this process object. It is recommended to only populate this field for the top-level process object, to prevent deep nesting. Additional ancestry information can be supplied in the ancestry attribute.

The process file path.

Entity:PROCESS_ID
The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.

The identifier of the process thread associated with the event, as returned by the operating system.

Group:context
The event data as received from the event source.

Group:primary
Unique identifier for the object

The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.

The user session under which this process is running.

The time when the process was terminated.

The identifier of the thread associated with the event, as returned by the operating system.

🚧 WARNING: DEPRECATED

Thread ID has been deprecated since 1.6.0. tid is deprecated in favor of ptid. ptid has type long_t which can accommodate the thread identifiers returned by all platforms (e.g. 64-bit on MacOS).

Entity:LINUX_PROCESS_OBJECT_UID
A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.

Data from the source that was not mapped into the schema.

Entity:USER
The user under which this process is running.

The working directory of a process.

An unordered collection of zero or more name/value pairs that represent a process extended attribute.