Process Fields

These fields contain information about a process.

These fields can help you correlate metrics information with a process ID or name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation, so a log event and a metric event for the same process can be joined on it.
Process Field Details

Field | Description | Level
---|---|---
process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword. Note: this field should contain an array of values. | extended
process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. type: long | extended
process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. type: wildcard. Multi-fields: process.command_line.text (type: match_only_text) | extended
process.end | The time the process ended. type: date | extended
process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. type: keyword | extended
process.executable | Absolute path to the process executable. type: keyword. Multi-fields: process.executable.text (type: match_only_text) | extended
process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). type: long | extended
process.name | Process name. Sometimes called program name or similar. type: keyword. Multi-fields: process.name.text (type: match_only_text) | extended
process.pgid | Identifier of the group of processes the process belongs to. type: long | extended
process.pid | Process ID. type: long | core
process.start | The time the process started. type: date | extended
process.thread.id | Thread ID. type: long | extended
process.thread.name | Thread name. type: keyword | extended
process.title | Process title. The proctitle, sometimes the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. type: keyword. Multi-fields: process.title.text (type: match_only_text) | extended
process.uptime | Seconds the process has been up. type: long | extended
process.working_directory | The working directory of the process. type: keyword. Multi-fields: process.working_directory.text (type: match_only_text) | extended
Field Reuse

The process fields are expected to be nested at:

- process.parent

Note also that the process fields may be used directly at the root of the events.
Field sets that can be nested under Process

Location | Field Set | Description
---|---|---
process.code_signature | code_signature | These fields contain information about binary code signatures.
process.elf | elf | [beta] This field reuse is beta and subject to change. These fields contain Linux Executable Linkable Format (ELF) metadata.
process.hash | hash | Hashes, usually file hashes.
process.parent | process | Information about the parent process.
process.pe | pe | These fields contain Windows Portable Executable (PE) metadata.
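The following Python is an added example, not part of the ECS documentation and not Elastic's code. It shows how a data source might populate the process fields described above and the process.parent nesting from Field Reuse: it redacts sensitive arguments before they reach process.args and process.command_line while keeping process.args_count consistent with the array, derives a process.entity_id as a hash over host ID, PID and start time so that a later process reusing the same PID gets a different identifier, leaves exit_code, end and uptime off the start event (they belong only to the termination event), and groups start and end events by entity_id for correlation. The SENSITIVE_FLAGS set, the hashing recipe, the helper names and the sample command line are assumptions made for this example; ECS prescribes none of them.

```python
import hashlib
import shlex
from datetime import datetime, timedelta, timezone

# Flags whose values must not reach process.args / process.command_line.
# The set is an assumption for this example; ECS only says arguments
# "may be filtered to protect sensitive information".
SENSITIVE_FLAGS = {"--password", "-p", "--token", "--api-key"}
REDACTED = "REDACTED"


def redact_args(args):
    """Return a copy of args with secrets masked, covering both the
    '--flag value' and '--flag=value' forms. The list length is kept, so
    process.args_count still reflects how many arguments were given."""
    out = []
    mask_next = False
    for arg in args:
        if mask_next:
            out.append(REDACTED)
            mask_next = False
            continue
        name, sep, _value = arg.partition("=")
        if sep and name in SENSITIVE_FLAGS:
            out.append(f"{name}={REDACTED}")
        elif arg in SENSITIVE_FLAGS:
            out.append(arg)
            mask_next = True
        else:
            out.append(arg)
    return out


def make_entity_id(host_id, pid, start):
    """process.entity_id as a hash over host, PID and start time (one of the
    constructions the field description allows): a reused PID with a
    different start time yields a different identifier."""
    material = f"{host_id}|{pid}|{start.isoformat()}".encode()
    return hashlib.sha256(material).hexdigest()[:32]


def process_start_doc(host_id, pid, command_line, start, working_directory, parent=None):
    """Build the process.* part of an ECS start event. exit_code, end and
    uptime are deliberately absent: they only apply to a termination event."""
    args = redact_args(shlex.split(command_line))
    executable = args[0]  # process.args starts with the absolute executable path
    proc = {
        "pid": pid,
        "entity_id": make_entity_id(host_id, pid, start),
        "executable": executable,
        "name": executable.rsplit("/", 1)[-1],
        "args": args,
        "args_count": len(args),
        "command_line": shlex.join(args),  # rebuilt from the redacted array
        "start": start.isoformat(),
        "working_directory": working_directory,
    }
    if parent is not None:
        # Field reuse: the same process fields nested at process.parent.
        proc["parent"] = {
            "pid": parent["pid"],
            "entity_id": make_entity_id(host_id, parent["pid"], parent["start"]),
            "executable": parent["executable"],
            "name": parent["executable"].rsplit("/", 1)[-1],
        }
    return {"host": {"id": host_id}, "process": proc}


def process_end_doc(start_doc, exit_code, end):
    """Derive the termination event: keep the identity fields, add process.end,
    process.exit_code and process.uptime (seconds since process.start)."""
    proc = start_doc["process"]
    start = datetime.fromisoformat(proc["start"])
    return {
        "host": start_doc["host"],
        "process": {
            "pid": proc["pid"],
            "entity_id": proc["entity_id"],
            "executable": proc["executable"],
            "name": proc["name"],
            "start": proc["start"],
            "end": end.isoformat(),
            "exit_code": exit_code,
            "uptime": int((end - start).total_seconds()),
        },
    }


def correlate_by_entity_id(docs):
    """Group events (start, end, metrics, log lines) by process.entity_id,
    which stays unique across PID reuse where process.pid alone does not."""
    groups = {}
    for doc in docs:
        groups.setdefault(doc["process"]["entity_id"], []).append(doc)
    return groups


if __name__ == "__main__":
    # Constructed sample data, not captured from a real host.
    t0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    start = process_start_doc(
        "host-1", 4242,
        "/usr/bin/mysql -u app --password=hunter2 -h db.internal",
        t0, "/srv/app",
        parent={"pid": 1200, "executable": "/bin/bash", "start": t0 - timedelta(minutes=5)},
    )
    end = process_end_doc(start, 0, t0 + timedelta(seconds=90))
    print(start["process"]["command_line"])
    print(list(correlate_by_entity_id([start, end])))
```

Redaction is applied to the argument array first and the command line is rebuilt from that array, so the two fields cannot disagree about what was masked; redacting only one of them is a common way for a secret to leak into the index anyway.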