- Process is related to the execution of binaries
- The `process_` names can also be prefixed with `target_` and `parent_`, e.g. `parent_process_id`, `target_process_name`, etc.
Field Name | Example Values | Field Type | Notes
---|---|---|---
process_description | WMI Commandline Utility | keyword | Description of executed process
process_command_line | c:\\tmp\\runme.exe, /tmp/runme | keyword/loweronly | Full command line of executed process
process_command_line_length | 29347 | long | Length of process_command_line
process_id | 2045, 0x3e7 | keyword/loweronly | Process identifier associated with executed process
process_integrity_level | medium, high, trusted | keyword | Integrity level of executed process
process_parent_command_line | c:\\tmp\\runme.exe, /tmp/runme | keyword/loweronly | Full command line of parent process
process_parent_id | 2045, 0x3e7 | keyword/loweronly | Process identifier associated with parent process
process_parent_name | whoami, whoami.exe | keyword/loweronly | File name of parent process, excluding path
process_parent_path | C:\\Windows\\system32\\whoami.exe, /usr/bin/whoami | keyword/loweronly | Full path of parent process
process_parent_uid | {73123815-5caa-4e39-90dc-d25d4013bf15} | keyword | GUID or unique identifier for parent process that is not the process_id
process_name | whoami, whoami.exe | keyword/loweronly | File name of executed process, excluding path
process_path | C:\\Windows\\system32\\whoami.exe, /usr/bin/whoami | keyword/loweronly | Full path of executed process
process_target_id | 2045, 0x3e7 | keyword | The process ID of the targeted process of some action that was taken against that process
process_target_name | whoami, whoami.exe | keyword | The name of the targeted process of some action that was taken against that process
process_target_path | C:\\Windows\\system32\\whoami.exe, /usr/bin/whoami | keyword | The full path and name of the targeted process of some action that was taken against that process
process_target_uid | {73123815-5caa-4e39-90dc-d25d4013bf15} | keyword | The process unique identifier of the targeted process of some action that was taken against that running process
process_uid | {73123815-5caa-4e39-90dc-d25d4013bf15} | keyword | GUID or unique identifier for executed process that is not the process_id
process_working_directory | C:\\Windows\\Temp | keyword | The current working directory that the process was called from
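The following is an added example, not part of the schema page itself, showing how a log normalizer would populate the `process_*` fields above from a raw endpoint event: the `keyword/loweronly` fields are lowercased so that a detection matching on `whoami.exe` also hits `WHOAMI.EXE`, `process_name`/`process_parent_name` are derived from the path fields, `process_command_line_length` is computed as a `long`, and a field-name check accepts the `target_`/`parent_` prefixed variants described in the bullet list. The raw-event layout (a Sysmon-style dict with keys such as `Image` and `ParentImage`), the sample event and the helper names are assumptions made for this example.

```python
"""Normalize a raw process event into the process_* field set.

Added example; the raw-event key names (Sysmon-style), the sample
event and the helper functions are assumptions, not the schema's own code.
"""
import ntpath

# Fields typed "keyword/loweronly" in the table: stored lowercased so that
# case-insensitive matches (whoami.exe vs WHOAMI.EXE) resolve to one value.
LOWERONLY_FIELDS = {
    "process_command_line",
    "process_id",
    "process_parent_command_line",
    "process_parent_id",
    "process_parent_name",
    "process_parent_path",
    "process_name",
    "process_path",
}

# Every field name listed in the table (un-prefixed form).
TABLE_FIELDS = LOWERONLY_FIELDS | {
    "process_description", "process_command_line_length",
    "process_integrity_level", "process_parent_uid", "process_target_id",
    "process_target_name", "process_target_path", "process_target_uid",
    "process_uid", "process_working_directory",
}

# Per the schema text, process_* names may also carry a target_/parent_ prefix.
ALLOWED_PREFIXES = ("", "target_", "parent_")

# Raw-event key -> schema field (assumed Sysmon-style key names).
RAW_TO_SCHEMA = {
    "Image": "process_path",
    "CommandLine": "process_command_line",
    "ProcessId": "process_id",
    "ProcessGuid": "process_uid",
    "IntegrityLevel": "process_integrity_level",
    "CurrentDirectory": "process_working_directory",
    "ParentImage": "process_parent_path",
    "ParentCommandLine": "process_parent_command_line",
    "ParentProcessId": "process_parent_id",
    "ParentProcessGuid": "process_parent_uid",
}


def is_known_field(name: str) -> bool:
    """True if name is a table field, optionally prefixed with target_ or parent_."""
    return any(name.startswith(p) and name[len(p):] in TABLE_FIELDS
               for p in ALLOWED_PREFIXES)


def basename(path: str) -> str:
    """File name without directory; ntpath splits on both '\\' and '/'."""
    return ntpath.basename(path)


def normalize_process_event(raw: dict) -> dict:
    """Map a raw process-creation event onto the process_* fields.

    Missing raw keys are simply skipped; values are stored as strings
    (keyword) except process_command_line_length, which is an int (long).
    """
    event = {}
    for src, dst in RAW_TO_SCHEMA.items():
        if raw.get(src) is not None:
            event[dst] = str(raw[src])

    # Derived fields: names from paths, length of the executed command line.
    if "process_path" in event:
        event["process_name"] = basename(event["process_path"])
    if "process_parent_path" in event:
        event["process_parent_name"] = basename(event["process_parent_path"])
    if "process_command_line" in event:
        event["process_command_line_length"] = len(event["process_command_line"])

    # Apply the loweronly convention last so derived names are covered too.
    for field in LOWERONLY_FIELDS:
        if field in event:
            event[field] = event[field].lower()
    return event


# Constructed sample event (not captured from a real host).
SAMPLE_RAW = {
    "Image": r"C:\Windows\System32\WHOAMI.EXE",
    "CommandLine": r'"C:\Windows\System32\WHOAMI.EXE" /all',
    "ProcessId": 2045,
    "ProcessGuid": "{73123815-5caa-4e39-90dc-d25d4013bf15}",
    "IntegrityLevel": "Medium",
    "CurrentDirectory": r"C:\Windows\Temp",
    "ParentImage": r"C:\Windows\System32\cmd.exe",
    "ParentCommandLine": r'"C:\Windows\system32\cmd.exe"',
    "ParentProcessId": "0x3E7",
    "ParentProcessGuid": "{00000000-0000-0000-0000-PLACEHOLDER0}",
}

if __name__ == "__main__":
    for k, v in sorted(normalize_process_event(SAMPLE_RAW).items()):
        print(f"{k:30} {v!r}")
```

Note that `process_integrity_level` is typed plain `keyword` in the table, so the example leaves its case untouched; only the eight `keyword/loweronly` fields are lowercased, and the same convention applies to a POSIX event (`/usr/bin/whoami` yields `process_name` of `whoami`).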