IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

Process Fields

edit

Process Fields

edit

These fields contain information about a process.

These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.

Process Field Details

edit

Field	Description	Level
process.args	Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword Note: this field should contain an array of values. example: `['/usr/bin/ssh', '-l', 'user', '10.0.0.16']`	extended
process.args_count	Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. type: long example: `4`	extended
process.command_line	Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. type: keyword Multi-fields: * process.command_line.text (type: text) example: `/usr/bin/ssh -l user 10.0.0.16`	extended
process.entity_id	Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. type: keyword example: `c2c455d9f99375d`	extended
process.executable	Absolute path to the process executable. type: keyword Multi-fields: * process.executable.text (type: text) example: `/usr/bin/ssh`	extended
process.exit_code	The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). type: long example: `137`	extended
process.name	Process name. Sometimes called program name or similar. type: keyword Multi-fields: * process.name.text (type: text) example: `ssh`	extended
process.pgid	Identifier of the group of processes the process belongs to. type: long	extended
process.pid	Process id. type: long example: `4242`	core
process.ppid	Parent process' pid. type: long example: `4241`	extended
process.start	The time the process started. type: date example: `2016-05-23T08:05:34.853Z`	extended
process.thread.id	Thread ID. type: long example: `4242`	extended
process.thread.name	Thread name. type: keyword example: `thread-0`	extended
process.title	Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. type: keyword Multi-fields: * process.title.text (type: text)	extended
process.uptime	Seconds the process has been up. type: long example: `1325`	extended
process.working_directory	The working directory of the process. type: keyword Multi-fields: * process.working_directory.text (type: text) example: `/home/alice`	extended

Field Reuse

edit

The process fields are expected to be nested at: process.parent.

Note also that the process fields may be used directly at the root of the events.

Field sets that can be nested under Process

edit

Nested fields	Description
process.code_signature.*	These fields contain information about binary code signatures.
process.hash.*	Hashes, usually file hashes.
process.parent.*	These fields contain information about a process.
process.pe.*	These fields contain Windows Portable Executable (PE) metadata.

« PE Header Fields Registry Fields »