Linux Process
Extends the process object to add Linux specific fields
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Audit User ID | auid |
Integer | The audit user assigned at login by the audit subsystem. |
| Command Line | cmd_line |
String |
The full command line used to launch an application, service, process, or job. For example: ssh [email protected]. If the command line is unavailable or missing, the empty string '' is to be used.
|
| Container | container |
Container[] | The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd. |
| Created Time | created_time |
Timestamp | The time when the process was created/started. |
| Effective Group ID | egid |
Integer | The effective group under which this process is running. |
| Effective User ID | euid |
Integer | The effective user under which this process is running. |
| File | file |
File[] | The process file object. |
| Group | group |
Group[] | The group under which this process is running. |
| Integrity | integrity |
String | The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only). |
| Integrity Level | integrity_id |
Integer |
The normalized identifier of the process integrity level (Windows only).
|
| Lineage | lineage |
String[] |
The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'].
|
| Loaded Modules | loaded_modules |
String[] | The list of loaded module names. |
| Name | name |
String |
The friendly name of the process, for example: Notepad++.
|
| Namespace PID | namespace_pid |
Integer | If running under a process namespace (such as in a container), the process identifier within that process namespace. |
| Parent Process | parent_process |
Linux Process[] | The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. |
| Process ID | pid |
Integer | The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
| Raw Data | raw_data |
JSON | The event data as received from the event source. |
| Record ID | record_id |
String | Unique identifier for the object |
| Sandbox | sandbox |
String | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. |
| Session | session |
Session[] | The user session under which this process is running. |
| Terminated Time | terminated_time |
Timestamp | The time when the process was terminated. |
| Thread ID | tid |
Integer | The Identifier of the thread associated with the event, as returned by the operating system. |
| Unique ID | uid |
String | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. |
| Unmapped Data | unmapped |
Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| User | user |
User[] | The user under which this process is running. |
| Extended Attributes | xattributes |
JSON | An unordered collection of zero or more name/value pairs that represent a process extended attribute. |
Relationships
Inbound Relationships
These objects and events reference Linux Process in their attributes:
- Linux Process
- Process Activity
- Process Remediation Activity
- Memory Activity
- Process Query
- Security Finding
- Actor
- Module Query
- Authentication
- Network Connection Query
- Windows Evidence Artifacts
Outbound Relationships
Linux Process references the following objects and events in its attributes:
This page describes qdm-1.3.2+ocsf-1.3.0
Updated about 1 month ago