Process Fields

edit

These fields contain information about a process.

These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.

Process Field Details

edit
Field Description Level

process.args

Array of process arguments, starting with the absolute path to the executable.

May be filtered to protect sensitive information.

type: keyword

Note: this field should contain an array of values.

example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]

extended

process.args_count

Length of the process.args array.

This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.

type: long

example: 4

extended

process.command_line

Full command line that started the process, including the absolute path to the executable, and all arguments.

Some arguments may be filtered to protect sensitive information.

type: wildcard

Multi-fields:

* process.command_line.text (type: match_only_text)

example: /usr/bin/ssh -l user 10.0.0.16

extended

process.end

The time the process ended.

type: date

example: 2016-05-23T08:05:34.853Z

extended

process.entity_id

Unique identifier for the process.

The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.

Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.

type: keyword

example: c2c455d9f99375d

extended

process.executable

Absolute path to the process executable.

type: keyword

Multi-fields:

* process.executable.text (type: match_only_text)

example: /usr/bin/ssh

extended

process.exit_code

The exit code of the process, if this is a termination event.

The field should be absent if there is no exit code for the event (e.g. process start).

type: long

example: 137

extended

process.name

Process name.

Sometimes called program name or similar.

type: keyword

Multi-fields:

* process.name.text (type: match_only_text)

example: ssh

extended

process.pgid

Identifier of the group of processes the process belongs to.

type: long

extended

process.pid

Process id.

type: long

example: 4242

core

process.start

The time the process started.

type: date

example: 2016-05-23T08:05:34.853Z

extended

process.thread.id

Thread ID.

type: long

example: 4242

extended

process.thread.name

Thread name.

type: keyword

example: thread-0

extended

process.title

Process title.

The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.

type: keyword

Multi-fields:

* process.title.text (type: match_only_text)

extended

process.uptime

Seconds the process has been up.

type: long

example: 1325

extended

process.working_directory

The working directory of the process.

type: keyword

Multi-fields:

* process.working_directory.text (type: match_only_text)

example: /home/alice

extended

Field Reuse

edit

The process fields are expected to be nested at:

  • process.parent

Note also that the process fields may be used directly at the root of the events.

Field sets that can be nested under Process
edit
Location Field Set Description

process.code_signature.*

code_signature

These fields contain information about binary code signatures.

process.elf.*

elf

[beta] This field reuse is beta and subject to change.

These fields contain Linux Executable Linkable Format (ELF) metadata.

process.hash.*

hash

Hashes, usually file hashes.

process.parent.*

process

Information about the parent process.

process.pe.*

pe

These fields contain Windows Portable Executable (PE) metadata.