Linux Process

process

Extends the process object to add Linux specific fields

Attributes

CaptionNameTypeDescription
AncestryancestryProcess Entity[]An array of Process Entities describing the extended parentage of this process object. Direct parent information should be expressed through the parent_process attribute. The first array element is the direct parent of this process object. Subsequent list elements go up the process parentage hierarchy. That is, the array is sorted from newest to oldest process. It is recommended to only populate this field for the top-level process object.
Audit User IDauidIntegerThe audit user assigned at login by the audit subsystem.
Command Linecmd_lineStringEntity:COMMAND_LINE

The full command line used to launch an application, service, process, or job. For example: ssh [email protected]. If the command line is unavailable or missing, the empty string '' is to be used.
ContainercontainerContainer[]Entity:CONTAINER
Group:context

The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
Common Process IdentifiercpidUUIDA unique process identifier that can be assigned deterministically by multiple system data producers.
Created Timecreated_timeTimestampThe time when the process was created/started.
Effective Group IDegidIntegerThe effective group under which this process is running.
Environment Variablesenvironment_variablesEnvironment Variable[]Environment variables associated with the process.
Effective User IDeuidIntegerThe effective user under which this process is running.
FilefileFile[]Entity:FILE

The process file object.
GroupgroupGroup[]The group under which this process is running.
IntegrityintegrityStringThe process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only).
Integrity Levelintegrity_idIntegerThe normalized identifier of the process integrity level (Windows only).
  • 0: Unknown (UNKNOWN)
  • 1: Untrusted (UNTRUSTED)
  • 2: Low (LOW)
  • 3: Medium (MEDIUM)
  • 4: High (HIGH)
  • 5: System (SYSTEM)
  • 6: Protected (PROTECTED)
  • 99: Other (OTHER)
LineagelineageFile Path[]Entity:FILE_PATH

The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'].

🚧 WARNING: DEPRECATED

Lineage has been deprecated since 1.4.0. Use the ancestry attribute.

Loaded Modulesloaded_modulesString[]The list of loaded module names.
NamenameProcess NameEntity:PROCESS_NAME

The friendly name of the process, for example: Notepad++.
Namespace PIDnamespace_pidIntegerGroup:context

If running under a process namespace (such as in a container), the process identifier within that process namespace.
Parent Processparent_processLinux Process[]Entity:LINUX_PROCESS

The parent process of this process object. It is recommended to only populate this field for the top-level process object, to prevent deep nesting. Additional ancestry information can be supplied in the ancestry attribute.
PathpathStringThe process file path.
Process IDpidIntegerEntity:PROCESS_ID

The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
Process Thread IDptidLongThe identifier of the process thread associated with the event, as returned by the operating system.
Raw Dataraw_dataJSONGroup:context

The event data as received from the event source.
Record IDrecord_idStringGroup:primary

Unique identifier for the object
SandboxsandboxStringThe name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
SessionsessionSession[]The user session under which this process is running.
Terminated Timeterminated_timeTimestampThe time when the process was terminated.
Thread IDtidIntegerThe identifier of the thread associated with the event, as returned by the operating system.

🚧 WARNING: DEPRECATED

Thread ID has been deprecated since 1.6.0. tid is deprecated in favor of ptid. ptid has type long_t which can accommodate the thread identifiers returned by all platforms (e.g. 64-bit on MacOS).

Unique IDuidStringEntity:LINUX_PROCESS_OBJECT_UID

A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
UnmappedunmappedUnmapped[]Data from the source that was not mapped into the schema.
UseruserUser[]Entity:USER

The user under which this process is running.
Working Directoryworking_directoryStringThe working directory of a process.
Extended AttributesxattributesJSONAn unordered collection of zero or more name/value pairs that represent a process extended attribute.

Relationships

Linux Process shown in context

Inbound Relationships

These objects and events reference Linux Process in their attributes:

Outbound Relationships

Linux Process references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0