Linux Process
process
Extends the process object to add Linux specific fields
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Ancestry | ancestry | Process Entity[] | An array of Process Entities describing the extended parentage of this process object. Direct parent information should be expressed through the parent_process attribute. The first array element is the direct parent of this process object. Subsequent list elements go up the process parentage hierarchy. That is, the array is sorted from newest to oldest process. It is recommended to only populate this field for the top-level process object. |
| Audit User ID | auid | Integer | The audit user assigned at login by the audit subsystem. |
| Command Line | cmd_line | String | Entity:COMMAND_LINEThe full command line used to launch an application, service, process, or job. For example: ssh [email protected]. If the command line is unavailable or missing, the empty string '' is to be used. |
| Container | container | Container[] | Entity:CONTAINERGroup: contextThe information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd. |
| Common Process Identifier | cpid | UUID | A unique process identifier that can be assigned deterministically by multiple system data producers. |
| Created Time | created_time | Timestamp | The time when the process was created/started. |
| Effective Group ID | egid | Integer | The effective group under which this process is running. |
| Environment Variables | environment_variables | Environment Variable[] | Environment variables associated with the process. |
| Effective User ID | euid | Integer | The effective user under which this process is running. |
| File | file | File[] | Entity:FILEThe process file object. |
| Group | group | Group[] | The group under which this process is running. |
| Integrity | integrity | String | The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only). |
| Integrity Level | integrity_id | Integer | The normalized identifier of the process integrity level (Windows only).
|
| Lineage | lineage | File Path[] | Entity:FILE_PATHThe lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'].
|
| Loaded Modules | loaded_modules | String[] | The list of loaded module names. |
| Name | name | Process Name | Entity:PROCESS_NAMEThe friendly name of the process, for example: Notepad++. |
| Namespace PID | namespace_pid | Integer | Group:contextIf running under a process namespace (such as in a container), the process identifier within that process namespace. |
| Parent Process | parent_process | Linux Process[] | Entity:LINUX_PROCESSThe parent process of this process object. It is recommended to only populate this field for the top-level process object, to prevent deep nesting. Additional ancestry information can be supplied in the ancestry attribute. |
| Path | path | String | The process file path. |
| Process ID | pid | Integer | Entity:PROCESS_IDThe process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
| Process Thread ID | ptid | Long | The identifier of the process thread associated with the event, as returned by the operating system. |
| Raw Data | raw_data | JSON | Group:contextThe event data as received from the event source. |
| Record ID | record_id | String | Group:primaryUnique identifier for the object |
| Sandbox | sandbox | String | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. |
| Session | session | Session[] | The user session under which this process is running. |
| Terminated Time | terminated_time | Timestamp | The time when the process was terminated. |
| Thread ID | tid | Integer | The identifier of the thread associated with the event, as returned by the operating system.
|
| Unique ID | uid | String | Entity:LINUX_PROCESS_OBJECT_UIDA unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
| User | user | User[] | Entity:USERThe user under which this process is running. |
| Working Directory | working_directory | String | The working directory of a process. |
| Extended Attributes | xattributes | JSON | An unordered collection of zero or more name/value pairs that represent a process extended attribute. |
Relationships
Inbound Relationships
These objects and events reference Linux Process in their attributes:
- Module Query
- Query Evidence
- Authentication
- Actor
- Windows Evidence Artifacts
- Linux Process
- Process Remediation Activity
- Security Finding
- Process Query
- Startup Item
- Network Connection Query
- Memory Activity
- Process Activity
Outbound Relationships
Linux Process references the following objects and events in its attributes:
This page describes qdm-1.5.1+ocsf-1.6.0