Process Fields
These fields contain information about a process.
These fields help you correlate metrics with the process id or name found in a log message. The process.pid often remains in the metric itself and is copied to the global field for correlation.
Process Field Details

| Field | Description | Level |
|---|---|---|
| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword. Note: this field should contain an array of values. | extended |
| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. type: long | extended |
| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. type: keyword. Multi-fields: process.command_line.text (type: text) | extended |
| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. type: keyword | extended |
| process.executable | Absolute path to the process executable. type: keyword. Multi-fields: process.executable.text (type: text) | extended |
| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). type: long | extended |
| process.name | Process name. Sometimes called program name or similar. type: keyword. Multi-fields: process.name.text (type: text) | extended |
| process.pgid | Identifier of the group of processes the process belongs to. type: long | extended |
| process.pid | Process id. type: long | core |
| process.ppid | Parent process' pid. type: long | extended |
| process.start | The time the process started. type: date | extended |
| process.thread.id | Thread ID. type: long | extended |
| process.thread.name | Thread name. type: keyword | extended |
| process.title | Process title. The proctitle, sometimes the same as the process name. Can also be different: for example, a browser setting its title to the web page currently opened. type: keyword. Multi-fields: process.title.text (type: text) | extended |
| process.uptime | Seconds the process has been up. type: long | extended |
| process.working_directory | The working directory of the process. type: keyword. Multi-fields: process.working_directory.text (type: text) | extended |
Field Reuse

The process fields are expected to be nested at: process.parent.

Note also that the process fields may be used directly at the root of the events.
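The following is an added example, not part of the ECS documentation or reference implementation: it maps a raw process record (a constructed shape with pid, ppid, start, args, cwd and an optional exit_code) onto the process.* fields above, reuses the same field set under process.parent, redacts sensitive argument values without changing process.args_count, and derives process.entity_id by hashing host id, pid and start time, which is one of the strategies the entity_id description permits, not a mandated one. The host id, the redaction list and the sample records are all assumptions.

```python
import hashlib

# Constructed list of argument prefixes whose values must not be stored.
SENSITIVE_PREFIXES = ("--password=", "--token=")

def redact_args(args):
    """Mask sensitive values but keep the array length, so that
    process.args_count still reflects the real number of arguments."""
    return [a.split("=", 1)[0] + "=<redacted>" if a.startswith(SENSITIVE_PREFIXES)
            else a for a in args]

def make_entity_id(host_id, pid, start):
    """One strategy the entity_id description allows: hash host id, pid and
    start time together so a reused pid still yields a distinct id."""
    return hashlib.sha256(f"{host_id}|{pid}|{start}".encode()).hexdigest()[:32]

def to_ecs_process(raw, host_id, parent=None):
    """Map a raw record (constructed shape: pid, ppid, start, args, cwd,
    optional exit_code) onto process.*; args[0] is the executable path."""
    args = redact_args(raw["args"])
    executable = args[0]
    proc = {
        "pid": raw["pid"],
        "ppid": raw.get("ppid"),
        "start": raw["start"],
        "executable": executable,
        "name": executable.replace("\\", "/").rsplit("/", 1)[-1],
        "args": args,
        "args_count": len(args),
        "command_line": " ".join(args),
        "working_directory": raw.get("cwd"),
        "entity_id": make_entity_id(host_id, raw["pid"], raw["start"]),
    }
    if "exit_code" in raw:  # present only on termination events
        proc["exit_code"] = raw["exit_code"]
    if parent is not None:  # the same field set reused at process.parent
        proc["parent"] = to_ecs_process(parent, host_id)["process"]
    return {"process": {k: v for k, v in proc.items() if v is not None}}

# Constructed sample records, not real telemetry.
PARENT = {"pid": 1200, "ppid": 1, "start": "2021-03-01T10:00:00.000Z",
          "args": ["/bin/bash"], "cwd": "/home/alice"}
CHILD = {"pid": 4242, "ppid": 1200, "start": "2021-03-01T10:05:12.000Z",
         "args": ["/usr/bin/curl", "--token=abc123", "https://example.invalid"],
         "cwd": "/home/alice", "exit_code": 0}

if __name__ == "__main__":
    import json
    print(json.dumps(to_ecs_process(CHILD, "host-01", parent=PARENT), indent=2))
```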
Field sets that can be nested under Process

| Nested fields | Description |
|---|---|
|  | These fields contain information about binary code signatures. |
|  | Hashes, usually file hashes. |
| process.parent | These fields contain information about a process. |
|  | These fields contain Windows Portable Executable (PE) metadata. |