Process Fields
Overview
The process fields describe properties of running or executed processes as observed in operating system or application telemetry. They represent identifiers, executable names, command-line details, file paths, integrity attributes, and related parent or target process information. These fields provide a normalized view of process creation, interaction, and lifecycle activity across different platforms.
Design and Usage
The process entity models the conceptual characteristics of a process independently of the operating system’s internal implementation details. It captures observable attributes such as IDs, command-line arguments, execution paths, and hierarchical relationships between processes. This structure supports consistent interpretation of process activity, allowing correlation with user actions, security events, or system operations. Subfields referencing parent or target processes enable representation of process lineage and interactions.
Common Use Cases
- Tracing process lineage to support investigations involving suspicious activity or unauthorized execution.
- Identifying executed commands and process invocation parameters.
- Correlating process events with authentication, privilege escalation, or policy evaluation.
- Analyzing targeted process interactions such as injection, signaling, or termination attempts.
Implementation Notes
As a top-level entity, process represents a single executed or running process and may be linked to related entities through parent or target identifiers. Process identifiers and unique IDs may vary across platforms; therefore, modeling should emphasize stable identifiers when available. Fields capturing command line, path, and working directory help maintain relational integrity and clarify execution context. If vendor-specific identifiers or naming conventions are present, both standardized and source-specific forms may be included to preserve semantic accuracy.
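The normalization and lineage points above (stable identifiers over reused PIDs, case-folded keyword/lowercase fields, file name derived from the full path) and the lineage-tracing use case are shown together in the following Python, which is an added example and not code from the page or any project. The raw event keys (pid, guid, image, cmdline, cwd, integrity, parent_*) and the sample events are constructed for illustration; the process_target_* fields are not covered.

```python
"""Normalize constructed vendor-style process events onto the process_* fields
above and walk parent links into a lineage. Added example, not code from the
page or any project; the raw event layout is assumed for illustration."""
from __future__ import annotations

import ntpath
import posixpath

# Fields the table types as keyword/lowercase are case-folded on ingest so that
# "WHOAMI.EXE" and "whoami.exe" match in searches.
LOWERCASE_FIELDS = {
    "process_command_line", "process_id", "process_parent_command_line",
    "process_parent_id", "process_parent_name", "process_parent_path",
    "process_name", "process_path",
}


def basename(path: str) -> str:
    """File name without the directory, for Windows or POSIX style paths."""
    if "\\" in path or ":" in path[:2]:
        return ntpath.basename(path)
    return posixpath.basename(path)


def normalize(raw: dict) -> dict:
    """Map one raw event (hypothetical keys: pid, guid, image, cmdline, cwd,
    integrity, parent_pid, parent_guid, parent_image, parent_cmdline) onto
    the schema. Length is measured on the original command line."""
    out = {
        "process_id": str(raw["pid"]),
        "process_uid": raw["guid"],
        "process_path": raw["image"],
        "process_name": basename(raw["image"]),
        "process_command_line": raw["cmdline"],
        "process_command_line_length": len(raw["cmdline"]),
        "process_working_directory": raw.get("cwd"),
        "process_integrity_level": raw.get("integrity"),
        "process_parent_id": str(raw["parent_pid"]),
        "process_parent_uid": raw["parent_guid"],
        "process_parent_path": raw["parent_image"],
        "process_parent_name": basename(raw["parent_image"]),
        "process_parent_command_line": raw["parent_cmdline"],
    }
    for field in LOWERCASE_FIELDS:
        out[field] = out[field].lower()
    return out


def lineage(events: list[dict], uid: str) -> list[str]:
    """Return process names from the given process up to the root of what was
    observed. Links follow process_uid / process_parent_uid, not the numeric
    PID, because PIDs are reused after a process exits."""
    by_uid = {e["process_uid"]: e for e in events}
    chain, seen = [], set()
    while uid in by_uid and uid not in seen:  # stop at unknown root or cycle
        seen.add(uid)
        event = by_uid[uid]
        chain.append(event["process_name"])
        uid = event["process_parent_uid"]
    return chain


# Constructed sample telemetry: explorer -> cmd -> whoami on a Windows host.
SAMPLE_EVENTS = [
    {"pid": 4120, "guid": "{11111111-0000-4000-8000-000000000001}",
     "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\Explorer.EXE",
     "integrity": "medium", "parent_pid": 900,
     "parent_guid": "{00000000-0000-4000-8000-000000000000}",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "parent_cmdline": "userinit.exe"},
    {"pid": 5512, "guid": "{11111111-0000-4000-8000-000000000002}",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c whoami',
     "cwd": r"C:\Windows\Temp", "integrity": "medium", "parent_pid": 4120,
     "parent_guid": "{11111111-0000-4000-8000-000000000001}",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 5612, "guid": "{11111111-0000-4000-8000-000000000003}",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami",
     "cwd": r"C:\Windows\Temp", "integrity": "medium", "parent_pid": 5512,
     "parent_guid": "{11111111-0000-4000-8000-000000000002}",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r'"C:\Windows\System32\cmd.exe" /c whoami'},
]


def normalized_sample() -> list[dict]:
    """Normalize the constructed sample events."""
    return [normalize(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    events = normalized_sample()
    # prints ['whoami.exe', 'cmd.exe', 'explorer.exe']
    print(lineage(events, events[-1]["process_uid"]))
```

The parent of explorer is deliberately absent from the sample, so the walk ends at the last observed ancestor instead of failing; the `seen` set guards against a corrupt feed that links a process to itself.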
| field | field_type | description | example_values |
|---|---|---|---|
| process_description | keyword | Human-readable description of the executed process. | WMI Commandline Utility |
| process_command_line | keyword/lowercase | Full command line used to invoke the process. | c:\tmp\runme.exe, /tmp/runme |
| process_command_line_length | long | Character length of the process command line. | 29347 |
| process_id | keyword/lowercase | Numeric process identifier assigned to the executed process. | 2045, 0x3e7 |
| process_integrity_level | keyword | Security integrity level associated with the executed process. | medium, high, trusted |
| process_parent_command_line | keyword/lowercase | Full command line used to invoke the parent process. | c:\tmp\runme.exe, /tmp/runme |
| process_parent_id | keyword/lowercase | Numeric process identifier assigned to the parent process. | 2045, 0x3e7 |
| process_parent_name | keyword/lowercase | File name of the parent process, excluding the directory path. | whoami, whoami.exe |
| process_parent_path | keyword/lowercase | Full file system path of the parent process executable. | C:\Windows\system32\whoami.exe, /usr/bin/whoami |
| process_parent_uid | keyword | Unique identifier for the parent process that is distinct from its numeric process identifier. | {73123815-5caa-4e39-90dc-d25d4013bf15} |
| process_name | keyword/lowercase | File name of the executed process, excluding the directory path. | whoami, whoami.exe |
| process_path | keyword/lowercase | Full file system path of the executed process executable. | C:\Windows\system32\whoami.exe, /usr/bin/whoami |
| process_target_id | keyword | Numeric process identifier of the process targeted by an observed action. | 2045, 0x3e7 |
| process_target_name | keyword | File name of the process targeted by an observed action. | whoami, whoami.exe |
| process_target_path | keyword | Full file system path of the process targeted by an observed action. | C:\Windows\system32\whoami.exe, /usr/bin/whoami |
| process_target_uid | keyword | Unique identifier for the process targeted by an observed action. | {73123815-5caa-4e39-90dc-d25d4013bf15} |
| process_uid | keyword | Unique identifier for the executed process that is distinct from its numeric process identifier. | {73123815-5caa-4e39-90dc-d25d4013bf15} |
| process_working_directory | keyword | Current working directory of the executed process. | C:\Windows\Temp |
