Linux Process
process
Extends the process object to add Linux-specific fields.
Attributes
Caption | Name | Type | Description |
---|---|---|---|
Ancestry | ancestry | Process Entity[] | An array of Process Entities describing the extended parentage of this process object. Direct parent information should be expressed through the |
Audit User ID | auid | Integer | The audit user assigned at login by the audit subsystem. |
Command Line | cmd_line | String | The command line used to launch the process. |
Container | container | Container[] | The container in which the process is running. |
Created Time | created_time | Timestamp | The time when the process was created/started. |
Effective Group ID | egid | Integer | The effective group under which this process is running. |
Environment Variables | environment_variables | Environment Variable[] | Environment variables associated with the process. |
Effective User ID | euid | Integer | The effective user under which this process is running. |
File | file | File[] | The executable file of the process. |
Group | group | Group[] | The group under which this process is running. |
Integrity | integrity | String | The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only). |
Integrity Level | integrity_id | Integer | The normalized identifier of the process integrity level (Windows only). |
Lineage | lineage | String[] | The lineage of the process, represented by a list of paths for each ancestor process. For example: |
Loaded Modules | loaded_modules | String[] | The list of loaded module names. |
Name | name | Process Name | The name of the process. |
Namespace PID | namespace_pid | Integer | The process identifier as seen inside the PID namespace the process runs in (for example, inside a container). |
Parent Process | parent_process | Linux Process[] | The parent process of this process. |
Path | path | String | The process file path. |
Process ID | pid | Integer | The process identifier, as reported by the operating system. |
Raw Data | raw_data | JSON | The raw event data as received from the source. |
Record ID | record_id | String | The unique identifier of the record. |
Sandbox | sandbox | String | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. |
Session | session | Session[] | The user session under which this process is running. |
Terminated Time | terminated_time | Timestamp | The time when the process was terminated. |
Thread ID | tid | Integer | The identifier of the thread associated with the event, as returned by the operating system. |
Unique ID | uid | String | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. |
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
User | user | User[] | The user under which this process is running. |
Working Directory | working_directory | String | The working directory of a process. |
Extended Attributes | xattributes | JSON | An unordered collection of zero or more name/value pairs that represent a process extended attribute. |
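The following Python example, added here and not part of the OCSF project or its tooling, builds a Linux Process object with the attributes above from constructed process records (the kind of data a collector reads from `/proc/<pid>/status`, `cmdline`, `cwd` and `loginuid`). It shows how `ancestry` and `lineage` are derived from parent links, why `parent_process` should be bounded in depth, and the security-relevant difference between `euid` and `auid`: the audit UID is fixed by the kernel at login and survives `sudo`, `su` and setuid binaries, so a root shell with `auid` 1000 is still attributable to the user who logged in. The sample processes, the `AUID_UNSET` constant's use, and the producer-side `uid` format (`pid:start_ms`) are this example's own assumptions.

```python
"""Build an OCSF Linux Process object from constructed process data (added example)."""
import json
import posixpath

# Value the kernel reports in /proc/<pid>/loginuid when no login uid was ever set
# (init, kernel threads, daemons started at boot): (uid_t)-1.
AUID_UNSET = 0xFFFFFFFF

# Constructed sample, not real captured data: an SSH login as alice, a bash shell,
# `sudo -i`, and the resulting root shell. Note that auid stays 1000 on the root
# shell even though uid/euid became 0.
SAMPLE_PROCS = {
    1:    {"pid": 1,    "ppid": 0,    "path": "/usr/lib/systemd/systemd", "cmdline": ["/sbin/init"],
           "uid": 0,    "euid": 0,    "gid": 0,    "egid": 0,    "auid": AUID_UNSET, "cwd": "/",           "start_ms": 1700000000000},
    812:  {"pid": 812,  "ppid": 1,    "path": "/usr/sbin/sshd",           "cmdline": ["sshd: /usr/sbin/sshd -D [listener]"],
           "uid": 0,    "euid": 0,    "gid": 0,    "egid": 0,    "auid": AUID_UNSET, "cwd": "/",           "start_ms": 1700000001000},
    1501: {"pid": 1501, "ppid": 812,  "path": "/usr/sbin/sshd",           "cmdline": ["sshd: alice@pts/0"],
           "uid": 1000, "euid": 1000, "gid": 1000, "egid": 1000, "auid": 1000,       "cwd": "/",           "start_ms": 1700000100000},
    1510: {"pid": 1510, "ppid": 1501, "path": "/usr/bin/bash",            "cmdline": ["-bash"],
           "uid": 1000, "euid": 1000, "gid": 1000, "egid": 1000, "auid": 1000,       "cwd": "/home/alice", "start_ms": 1700000101000},
    2340: {"pid": 2340, "ppid": 1510, "path": "/usr/bin/sudo",            "cmdline": ["sudo", "-i"],
           "uid": 1000, "euid": 0,    "gid": 1000, "egid": 0,    "auid": 1000,       "cwd": "/home/alice", "start_ms": 1700000200000},
    2345: {"pid": 2345, "ppid": 2340, "path": "/usr/bin/bash",            "cmdline": ["-bash"],
           "uid": 0,    "euid": 0,    "gid": 0,    "egid": 0,    "auid": 1000,       "cwd": "/root",       "start_ms": 1700000200500},
}


def process_entity(p):
    """The Process Entity subset used for ancestry entries (not a full Linux Process)."""
    return {
        "pid": p["pid"],
        # Assumed producer-side unique id: pid alone is reused after exit, so pair it with start time.
        "uid": f"{p['pid']}:{p['start_ms']}",
        "name": posixpath.basename(p["path"]),
        "path": p["path"],
        "cmd_line": " ".join(p["cmdline"]),
        "created_time": p["start_ms"],
    }


def ancestry(pid, procs):
    """Follow ppid links from pid's parent towards init, nearest ancestor first.
    Stops at a missing parent (ppid 0, or a parent that already exited) and on a
    cycle, which can appear when a /proc snapshot is taken while pids are being reused."""
    seen = {pid}
    chain = []
    cur = procs[pid]["ppid"]
    while cur in procs and cur not in seen:
        seen.add(cur)
        chain.append(procs[cur])
        cur = procs[cur]["ppid"]
    return chain


def to_ocsf_linux_process(pid, procs, parent_depth=1):
    """Map one constructed record to the Linux Process attributes documented above.
    parent_process is nested only parent_depth levels; the full chain lives in ancestry/lineage."""
    p = procs[pid]
    obj = process_entity(p)
    obj.update({
        "auid": p["auid"],
        "euid": p["euid"],
        "egid": p["egid"],
        "user": {"uid": str(p["uid"])},
        "group": {"uid": str(p["gid"])},
        "working_directory": p["cwd"],
        "ancestry": [process_entity(a) for a in ancestry(pid, procs)],
    })
    # lineage is the ancestry reduced to executable paths, same order (nearest first).
    obj["lineage"] = [a["path"] for a in obj["ancestry"]]
    if parent_depth > 0 and p["ppid"] in procs:
        obj["parent_process"] = to_ocsf_linux_process(p["ppid"], procs, parent_depth - 1)
    return obj


def login_user_running_as_root(obj):
    """True when the effective user is root but the audit UID points at a real login:
    the process gained root after login (sudo, su, setuid), which is exactly what auid
    is kept for. Daemons (auid unset) and root logins (auid 0) do not match."""
    return obj["euid"] == 0 and obj["auid"] not in (0, AUID_UNSET)


if __name__ == "__main__":
    root_shell = to_ocsf_linux_process(2345, SAMPLE_PROCS)
    print(json.dumps(root_shell, indent=2))
    print("root via login user:", login_user_running_as_root(root_shell))
```

Walking `ppid` links from a snapshot rather than recording parents at exec time is a simplification: a parent that exited before the snapshot re-parents its children to init (or a subreaper), so `ancestry` from `/proc` can be shorter than the true exec chain. Event-driven producers (auditd, eBPF) avoid that by attaching the parent entity at fork/exec time.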
Relationships
Inbound Relationships
These objects and events reference Linux Process in their attributes:
- Process Remediation Activity
- Actor
- Startup Item
- Process Activity
- Network Connection Query
- Evidence Artifacts
- Process Query
- Linux Process
- Security Finding
- Memory Activity
- Authentication
- Module Query
Outbound Relationships
Linux Process references the following objects and events in its attributes:
This page describes ocsf-1.4.0
Updated 9 days ago