Linux Process
Extends the process object to add Linux specific fields
Attributes
Caption | Name | Type | Description |
---|---|---|---|
Audit User ID | auid |
Integer | The audit user assigned at login by the audit subsystem. |
Command Line | cmd_line |
String |
The full command line used to launch an application, service, process, or job. For example: ssh [email protected] . If the command line is unavailable or missing, the empty string '' is to be used.
|
Container | container |
Container[] | The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd. |
Created Time | created_time |
Timestamp | The time when the process was created/started. |
Effective Group ID | egid |
Integer | The effective group under which this process is running. |
Effective User ID | euid |
Integer | The effective user under which this process is running. |
File | file |
File[] | The process file object. |
Group | group |
Group[] | The group under which this process is running. |
Integrity | integrity |
String | The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only). |
Integrity Level | integrity_id |
Integer |
The normalized identifier of the process integrity level (Windows only).
|
Lineage | lineage |
String[] |
The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'] .
|
Loaded Modules | loaded_modules |
String[] | The list of loaded module names. |
Name | name |
String |
The friendly name of the process, for example: Notepad++ .
|
Namespace PID | namespace_pid |
Integer | If running under a process namespace (such as in a container), the process identifier within that process namespace. |
Parent Process | parent_process |
Linux Process[] | The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. |
Process ID | pid |
Integer | The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
Raw Data | raw_data |
JSON | The event data as received from the event source. |
Record ID | record_id |
String | Unique identifier for the object |
Sandbox | sandbox |
String | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. |
Session | session |
Session[] | The user session under which this process is running. |
Terminated Time | terminated_time |
Timestamp | The time when the process was terminated. |
Thread ID | tid |
Integer | The Identifier of the thread associated with the event, as returned by the operating system. |
Unique ID | uid |
String | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. |
Unmapped Data | unmapped |
Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
User | user |
User[] | The user under which this process is running. |
Extended Attributes | xattributes |
JSON | An unordered collection of zero or more name/value pairs that represent a process extended attribute. |
Relationships
Inbound Relationships
These objects and events reference Linux Process in their attributes:
- Linux Process
- Process Activity
- Process Remediation Activity
- Memory Activity
- Process Query
- Security Finding
- Actor
- Module Query
- Authentication
- Network Connection Query
- Windows Evidence Artifacts
Outbound Relationships
Linux Process references the following objects and events in its attributes:
This page describes qdm-1.3.2+ocsf-1.3.0
Updated about 2 months ago