Process Fields

These fields contain information about a process.

These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.

Process Field Details

Each entry below gives the field name, its description (with type, any multi-fields and an example value), and its ECS level (core or extended).

process.args

Array of process arguments, starting with the absolute path to the executable.

May be filtered to protect sensitive information.

type: keyword

Note: this field should contain an array of values.

example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]

extended

process.args_count

Length of the process.args array.

This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.

type: long

example: 4

extended

process.command_line

Full command line that started the process, including the absolute path to the executable, and all arguments.

Some arguments may be filtered to protect sensitive information.

type: wildcard

Multi-fields:

  • process.command_line.text (type: match_only_text)

example: /usr/bin/ssh -l user 10.0.0.16

extended

process.end

The time the process ended.

type: date

example: 2016-05-23T08:05:34.853Z

extended

process.entity_id

Unique identifier for the process.

The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.

Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.

type: keyword

example: c2c455d9f99375d

extended

process.entry_meta.type

[beta] This field is beta and subject to change.

The entry type for the entry session leader. Values include: init (e.g. systemd), sshd, ssm, kubelet, teleport, terminal, console.

Note: This field is only set on process.session_leader.

type: keyword

extended

process.env_vars

[beta] This field is beta and subject to change.

Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.

May be filtered to protect sensitive information.

type: keyword

Note: this field should contain an array of values.

example: ["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]

extended

process.executable

Absolute path to the process executable.

type: keyword

Multi-fields:

  • process.executable.text (type: match_only_text)

example: /usr/bin/ssh

extended

process.exit_code

The exit code of the process, if this is a termination event.

The field should be absent if there is no exit code for the event (e.g. process start).

type: long

example: 137

extended

process.interactive

[beta] This field is beta and subject to change.

Whether the process is connected to an interactive shell.

Process interactivity is inferred from the process's file descriptors. If the character device of the controlling TTY is the same device as the process's stdin and stderr, the process is considered interactive.

Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.

type: boolean

example: True

extended

process.name

Process name.

Sometimes called program name or similar.

type: keyword

Multi-fields:

  • process.name.text (type: match_only_text)

example: ssh

extended

process.pgid

Deprecated and scheduled for removal in the next major version release. This field is superseded by process.group_leader.pid.

Identifier of the group of processes the process belongs to.

type: long

extended

process.pid

Process id.

type: long

example: 4242

core

process.same_as_process

[beta] This field is beta and subject to change.

This boolean identifies whether a leader process is the same as the top-level process.

For example, if process.group_leader.same_as_process = true, the process event in question is the leader of its own process group, so details under process.* such as pid are identical under process.group_leader.*. The same applies to process.session_leader and process.entry_leader.

This field exists for the benefit of EQL and other rule engines, since it is not possible to compare two fields of a single document for equality, e.g. process.entity_id = process.group_leader.entity_id (the top-level process is the process group leader) OR process.entity_id = process.entry_leader.entity_id (the top-level process is the entry session leader).

Instead, such rules can be written as: process.group_leader.same_as_process: true OR process.entry_leader.same_as_process: true

Note: This field is only set on process.entry_leader, process.session_leader and process.group_leader.

type: boolean

example: True

extended
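The two ideas above, a hash-based process.entity_id (one of the options the schema lists for mitigating PID reuse) and the same_as_process flags precomputed at ingest so a rule needs only one field, worked through as an added example. This is not ECS project code; the host id, pids, start times and the 15-character truncation are constructed assumptions.

```python
import hashlib
from typing import Any, Dict

# Leader objects that carry a same_as_process flag (process.entry_leader,
# process.session_leader, process.group_leader).
LEADERS = ("entry_leader", "session_leader", "group_leader")


def make_entity_id(host_id: str, pid: int, start: str) -> str:
    """Hash of uniquely identifying components: host, pid and start time.
    A reused pid gets a new start time and therefore a new id.
    Truncated to 15 hex chars only to mirror the schema's example value."""
    return hashlib.sha256(f"{host_id}|{pid}|{start}".encode()).hexdigest()[:15]


def set_same_as_process(process: Dict[str, Any]) -> Dict[str, Any]:
    """For each nested leader present, record whether it is the top-level
    process by comparing entity_id. Leaders without an entity_id are skipped."""
    top = process.get("entity_id")
    for name in LEADERS:
        leader = process.get(name)
        if top is not None and isinstance(leader, dict) and "entity_id" in leader:
            leader["same_as_process"] = leader["entity_id"] == top
    return process


def is_entry_leader_event(process: Dict[str, Any]) -> bool:
    """What the rule `process.entry_leader.same_as_process: true` evaluates:
    a single field, no cross-field comparison required."""
    return bool(process.get("entry_leader", {}).get("same_as_process"))


# Constructed sample: an sshd-spawned bash (pid 4242) that is entry, session and
# group leader, and a child `ls` that leads its own group but not the session.
HOST = "host-1234"  # constructed host.id
bash_id = make_entity_id(HOST, 4242, "2016-05-23T08:05:34.853Z")
ls_id = make_entity_id(HOST, 4300, "2016-05-23T08:06:01.000Z")

bash_event = set_same_as_process({
    "pid": 4242, "entity_id": bash_id,
    "entry_leader": {"entity_id": bash_id},
    "session_leader": {"entity_id": bash_id},
    "group_leader": {"entity_id": bash_id},
})
ls_event = set_same_as_process({
    "pid": 4300, "entity_id": ls_id,
    "entry_leader": {"entity_id": bash_id},
    "session_leader": {"entity_id": bash_id},
    "group_leader": {"entity_id": ls_id},
})
```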

process.start

The time the process started.

type: date

example: 2016-05-23T08:05:34.853Z

extended

process.thread.id

Thread ID.

type: long

example: 4242

extended

process.thread.name

Thread name.

type: keyword

example: thread-0

extended

process.title

Process title.

The proctitle, sometimes the same as the process name. It can also differ: for example, a browser setting its title to the web page currently opened.

type: keyword

Multi-fields:

  • process.title.text (type: match_only_text)

extended

process.tty

[beta] This field is beta and subject to change.

Information about the controlling TTY device. If set, the process belongs to an interactive session.

type: object

extended

process.tty.char_device.major

[beta] This field is beta and subject to change.

The major number identifies the driver associated with the device. The character device’s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.

type: long

example: 4

extended

process.tty.char_device.minor

[beta] This field is beta and subject to change.

The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.

type: long

example: 1

extended
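Decoding these device numbers in code, as an added example that is not part of the ECS documentation: the major/minor to name mapping follows the assignments in the Linux kernel's Documentation/admin-guide/devices.txt, and the procfs reader (which assumes the /proc/<pid>/stat and /proc/<pid>/fd layouts) applies the process.interactive rule described earlier, stdin and stderr both on the controlling TTY.

```python
import os
import stat
from typing import Optional, Tuple

Dev = Optional[Tuple[int, int]]  # (major, minor) of a char device, or None

# Terminal char-device majors from the kernel's Documentation/admin-guide/devices.txt.
TTY_MAJOR = 4                  # tty0-tty63 (consoles), then ttyS0... (serial)
TTYAUX_MAJOR = 5               # /dev/tty, /dev/console, /dev/ptmx
UNIX98_PTY_SLAVE_MAJOR = 136   # /dev/pts/N across eight majors, 256 per major


def tty_name(major: int, minor: int) -> Optional[str]:
    """Combine process.tty.char_device.{major,minor} into the familiar name."""
    if major == TTY_MAJOR:
        return f"tty{minor}" if minor < 64 else f"ttyS{minor - 64}"
    if UNIX98_PTY_SLAVE_MAJOR <= major < UNIX98_PTY_SLAVE_MAJOR + 8:
        return f"pts/{(major - UNIX98_PTY_SLAVE_MAJOR) * 256 + minor}"
    if major == TTYAUX_MAJOR:
        return {0: "tty", 1: "console", 2: "ptmx"}.get(minor)
    return None  # not a terminal device


def char_device(dev: int) -> Tuple[int, int]:
    """Split a dev_t (st_rdev, or tty_nr from /proc/<pid>/stat) into (major, minor)."""
    return os.major(dev), os.minor(dev)


def is_interactive(ctty: Dev, fd0: Dev, fd2: Dev) -> bool:
    """ECS process.interactive: fd 0 (stdin) and fd 2 (stderr) are both the
    controlling TTY. None means no ctty, or an fd that is not a char device."""
    return ctty is not None and fd0 == ctty and fd2 == ctty


def proc_tty_devices(pid: int) -> Tuple[Dev, Dev, Dev]:
    """Read (ctty, fd0, fd2) for a live Linux process from procfs.
    tty_nr is field 7 of /proc/<pid>/stat; 0 means no controlling terminal."""
    with open(f"/proc/{pid}/stat") as f:
        after_comm = f.read().rsplit(")", 1)[1].split()  # skip "pid (comm)"
    tty_nr = int(after_comm[4])  # state ppid pgrp session tty_nr
    ctty: Dev = char_device(tty_nr) if tty_nr else None
    devs = []
    for fd in (0, 2):
        try:  # a pipe, regular file or socket on the fd yields None
            st = os.stat(f"/proc/{pid}/fd/{fd}")
            devs.append(char_device(st.st_rdev) if stat.S_ISCHR(st.st_mode) else None)
        except OSError:
            devs.append(None)
    return ctty, devs[0], devs[1]
```

With the page's example values, tty_name(4, 1) yields "tty1"; calling proc_tty_devices(os.getpid()) and feeding the result to is_interactive reproduces the field for the current process.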

process.tty.columns

[beta] This field is beta and subject to change.

The number of character columns per line, e.g. the terminal width.

Terminal sizes can change, so this value reflects the maximum value for a given IO event, i.e. where event.action = text_output.

type: long

example: 80

extended

process.tty.rows

[beta] This field is beta and subject to change.

The number of character rows in the terminal, e.g. the terminal height.

Terminal sizes can change, so this value reflects the maximum value for a given IO event, i.e. where event.action = text_output.

type: long

example: 24

extended

process.uptime

Seconds the process has been up.

type: long

example: 1325

extended

process.working_directory

The working directory of the process.

type: keyword

Multi-fields:

  • process.working_directory.text (type: match_only_text)

example: /home/alice

extended

Field Reuse

The process fields are expected to be nested at:

  • process.entry_leader
  • process.entry_leader.parent
  • process.entry_leader.parent.session_leader
  • process.group_leader
  • process.parent
  • process.parent.group_leader
  • process.previous
  • process.session_leader
  • process.session_leader.parent
  • process.session_leader.parent.session_leader

Note also that the process fields may be used directly at the root of the events.

Field sets that can be nested under Process

Each entry below gives the location, the field set reused there, and a description.

process.attested_groups.*

group

[beta] Reusing the group fields in this location is currently considered beta.

The externally attested groups based on an external source such as the Kube API.

Note: this reuse should contain an array of group field set objects.

process.attested_user.*

user

[beta] Reusing the user fields in this location is currently considered beta.

The externally attested user based on an external source such as the Kube API.

process.code_signature.*

code_signature

These fields contain information about binary code signatures.

process.elf.*

elf

[beta] This field reuse is beta and subject to change.

These fields contain Linux Executable Linkable Format (ELF) metadata.

process.entry_leader.*

process

[beta] Reusing the process fields in this location is currently considered beta.

First process from a terminal or remote access via SSH, SSM, etc., or a service directly started by the init process.

process.entry_leader.parent.*

process

[beta] Reusing the process fields in this location is currently considered beta.

Information about the entry leader’s parent process. Only pid, start and entity_id fields are set.

process.entry_leader.parent.session_leader.*

process

[beta] Reusing the process fields in this location is currently considered beta.

Information about the parent session of the entry leader. Only pid, start and entity_id fields are set.

process.entry_meta.source.*

source

[beta] Reusing the source fields in this location is currently considered beta.

Remote client information such as ip, port and geo location.

process.group.*

group

[beta] Reusing the group fields in this location is currently considered beta.

The effective group (egid).

process.group_leader.*

process

[beta] Reusing the process fields in this location is currently considered beta.

Information about the process group leader. In some cases this may be the same as the top level process.

process.hash.*

hash

Hashes, usually file hashes.

process.parent.*

process

Information about the parent process.

process.parent.group_leader.*

process

[beta] Reusing the process fields in this location is currently considered beta.

Information about the parent’s process group leader. Only pid, start and entity_id fields are set.

process.pe.*

pe

These fields contain Windows Portable Executable (PE) metadata.

process.previous.*

process

[beta] Reusing the process fields in this location is currently considered beta.

An array of previous executions for the process, including the initial fork. Only executable and args are set.

Note: this reuse should contain an array of process field set objects.

process.real_group.*

group

[beta] Reusing the group fields in this location is currently considered beta.

The real group (rgid).

process.real_user.*

user

[beta] Reusing the user fields in this location is currently considered beta.

The real user (ruid). Identifies the real owner of the process.

process.saved_group.*

group

[beta] Reusing the group fields in this location is currently considered beta.

The saved group (sgid).

process.saved_user.*

user

[beta] Reusing the user fields in this location is currently considered beta.

The saved user (suid).

process.session_leader.*

process

[beta] Reusing the process fields in this location is currently considered beta.

Often the same as entry_leader. When it differs, it represents a session started within another session, e.g. when using tmux.

process.session_leader.parent.*

process

[beta] Reusing the process fields in this location is currently considered beta.

Information about the session leader’s parent process. Only pid, start and entity_id fields are set.

process.session_leader.parent.session_leader.*

process

[beta] Reusing the process fields in this location is currently considered beta.

Information about the parent session of the session leader. Only pid, start and entity_id fields are set.

process.supplemental_groups.*

group

[beta] Reusing the group fields in this location is currently considered beta.

An array of supplemental groups.

Note: this reuse should contain an array of group field set objects.

process.user.*

user

[beta] Reusing the user fields in this location is currently considered beta.

The effective user (euid).