Process Entity

process_entity

The Process Entity object provides critical fields for referencing a process.

Attributes

| Caption | Name | Type | Description |
| --- | --- | --- | --- |
| Command Line | cmd_line | String | Entity:COMMAND_LINE. The full command line used to launch an application, service, process, or job. For example: ssh [email protected]. If the command line is unavailable or missing, the empty string '' is to be used. |
| Created Time | created_time | Timestamp | The time when the process was created/started. |
| Name | name | Process Name | Entity:PROCESS_NAME. The friendly name of the process, for example: Notepad++. |
| Path | path | String | The process file path. |
| Process ID | pid | Integer | Entity:PROCESS_ID. The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
| Raw Data | raw_data | JSON | Group:context. The event data as received from the event source. |
| Record ID | record_id | String | Group:primary. Unique identifier for the object. |
| Unique ID | uid | String | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |

Relationships

Process Entity shown in context

Inbound Relationships

These objects and events reference Process Entity in their attributes:

Outbound Relationships

Process Entity references the following objects and events in its attributes:

This page describes ocsf-1.4.0