GIM Category: process
The Process category covers events related to the lifecycle and behavior of processes on a system. This includes process creation and termination, inter-process interactions such as access or remote thread injection, and modifications to running processes. These events are commonly generated by operating system auditing features and endpoint detection and response (EDR) tools, and they are critical for detecting malicious activity such as unauthorized execution, privilege escalation, or code injection.
execute
Execute events represent the creation of a new process on a system. They typically capture the process name, the user context under which the process was launched, and the parent process that initiated the execution. These events are fundamental for tracking program execution, detecting suspicious launches, and establishing parent-child process relationships during investigations.
Required Fields
process_name, user_name
Recommended Fields
process_parent_name
Optional Fields
process_command_line
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 190000 | | process | process.execute | process started | An attempt to start a process has been made on a system. |
end
End events represent the termination of a running process on a system. These events may result from normal activity (such as an application closing) or from administrative or security actions (such as task termination or killing a malicious process). They are important for correlating process execution lifecycles and identifying suspicious or unexpected terminations.
Required Fields
process_name, user_name
Recommended Fields
process_parent_name
Optional Fields
process_command_line
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 190100 | | process | process.end | process stopped | An attempt to terminate a running process has been made. |
interaction
Interaction events represent one process attempting to access or manipulate another process. This may include actions such as opening a handle, reading or writing memory, or injecting a thread. These events are high-value indicators of potentially malicious behavior, as they are often associated with techniques like credential dumping, code injection, or process hollowing.
Required Fields
process_name, user_name
Recommended Fields
process_parent_name
Optional Fields
process_command_line
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 190500 | | process | process.interaction | process accessed | A process attempted to access another running process (for example, opening a handle to inspect or manipulate it). |
| 190501 | | process | process.interaction | remote thread created | A process attempted to create a thread in the address space of another process. |
action
Action events represent modifications to an already-running process. This can include loading additional modules (such as DLLs) or altering the process state through techniques like code injection. These events are important for detecting tampering, persistence mechanisms, or malicious manipulation of legitimate processes.
Required Fields
process_name, user_name
Recommended Fields
process_parent_name
Optional Fields
process_command_line
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 191000 | | process | process.action | process altered | A running process was modified in some way (for example, through code injection or tampering). |
| 191001 | | process | process.action | image loaded | A module (such as a DLL) was loaded into a running process. |
default
The default subcategory is used for process-related events that do not match a more specific subcategory, such as execution, termination, interaction, or modification. It ensures that all process events can be captured, even if they cannot be consistently classified.
Required Fields
process_name, user_name
Recommended Fields
process_parent_name
Optional Fields
process_command_line
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 199990 | | process | process.default | process message | A generic process-related event that does not map to a more specific subcategory or event type. |
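The following example, added here and not part of the GIM specification or Graylog's own code, shows how a log pipeline would apply the execute, end, interaction, action and default subcategories above: it maps constructed raw process telemetry onto the event type codes and field names from the tables, rejects events that cannot satisfy the required fields (process_name, user_name), routes unrecognised process events to process.default (199990) so they are not dropped, and walks process.execute records by process_parent_name to rebuild a parent-child chain. The raw event shape (a dict with `action`, `image`, `user`, `parent_image` and `command_line` keys) and the sample events are assumptions made for this example.

```python
"""Map constructed raw process telemetry onto the GIM process category.

Added example; not Graylog's code and not part of the GIM specification.
The raw event shape (dict with 'action', 'image', 'user', 'parent_image',
'command_line') is an assumption for this example. Event type codes, names
and GIM field names are taken from the category reference.
"""

# (gim_event_type_code, gim_event_subcategory, gim_event_type) per action this
# example understands; 'default' is the catch-all subcategory (199990).
GIM_PROCESS_EVENT_TYPES = {
    "execute":       (190000, "process.execute",     "process started"),
    "end":           (190100, "process.end",         "process stopped"),
    "access":        (190500, "process.interaction", "process accessed"),
    "remote_thread": (190501, "process.interaction", "remote thread created"),
    "alter":         (191000, "process.action",      "process altered"),
    "image_load":    (191001, "process.action",      "image loaded"),
    "default":       (199990, "process.default",     "process message"),
}

# Required in every process subcategory; an event lacking either is rejected
# rather than emitted as an incomplete record.
REQUIRED_FIELDS = ("process_name", "user_name")

# Constructed sample telemetry for this example (not real log data).
RAW_EVENTS = [
    {"action": "execute", "image": "cmd.exe", "user": "alice",
     "parent_image": "explorer.exe", "command_line": "cmd.exe /c whoami"},
    {"action": "execute", "image": "powershell.exe", "user": "alice",
     "parent_image": "cmd.exe"},
    {"action": "remote_thread", "image": "powershell.exe", "user": "alice"},
    {"action": "image_load", "image": "powershell.exe", "user": "alice"},
    # Unknown action: classified as process.default instead of being lost.
    {"action": "heartbeat", "image": "agent.exe", "user": "SYSTEM"},
    # No user context: violates the required-field rule and is rejected.
    {"action": "execute", "image": "svchost.exe"},
]


class MissingRequiredField(ValueError):
    """Raised when a raw event cannot satisfy the required GIM fields."""


def normalize(raw):
    """Return one GIM-shaped record for a raw event, or raise MissingRequiredField."""
    action = raw.get("action")
    if action not in GIM_PROCESS_EVENT_TYPES:
        action = "default"  # keep the event; it becomes a process.default message
    code, subcategory, event_type = GIM_PROCESS_EVENT_TYPES[action]
    record = {
        "gim_event_type_code": code,
        "gim_event_category": "process",
        "gim_event_subcategory": subcategory,
        "gim_event_type": event_type,
        "process_name": raw.get("image"),                # required
        "user_name": raw.get("user"),                    # required
        "process_parent_name": raw.get("parent_image"),  # recommended
        "process_command_line": raw.get("command_line"), # optional
    }
    missing = [f for f in REQUIRED_FIELDS if not record[f]]
    if missing:
        raise MissingRequiredField(f"{action}: missing {', '.join(missing)}")
    # Drop recommended/optional fields the source did not provide.
    return {k: v for k, v in record.items() if v is not None}


def normalize_all(raws):
    """Split raw events into (accepted GIM records, rejected raw events)."""
    accepted, rejected = [], []
    for raw in raws:
        try:
            accepted.append(normalize(raw))
        except MissingRequiredField:
            rejected.append(raw)
    return accepted, rejected


def parent_chain(records, process_name):
    """Walk process.execute records upward via process_parent_name.

    Returns the ancestry starting at process_name. Stops at a process that has
    no execute record of its own, or on a cycle (names are not unique ids).
    """
    parents = {r["process_name"]: r.get("process_parent_name")
               for r in records
               if r["gim_event_subcategory"] == "process.execute"}
    chain = [process_name]
    while parents.get(chain[-1]) and parents[chain[-1]] not in chain:
        chain.append(parents[chain[-1]])
    return chain


if __name__ == "__main__":
    ok, bad = normalize_all(RAW_EVENTS)
    for rec in ok:
        print(rec["gim_event_type_code"], rec["gim_event_type"], rec["process_name"])
    print("rejected:", [r.get("image") for r in bad])
    print("ancestry:", " <- ".join(parent_chain(ok, "powershell.exe")))
```

Rejecting an event that lacks a required field, rather than emitting it with the field empty, keeps downstream detections that key on user_name or process_name from silently missing records; in practice the rejected events would be counted and routed to a parsing-failure stream rather than discarded.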
