Process¶
Details about a process
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| objectid | ObjectID | The object ID of the process object | Yes |
None |
| image | Text | The image of the process | Yes |
<unknown_image> |
| start_time | Date | The time of creation for the process | Yes |
None |
| pobjectid | ObjectID | The object ID of the parent process object | Optional |
None |
| pimage | Text | The image of the parent process that spawned this process | Optional |
None |
| pcommand_line | Text | The command line that the parent process ran | Optional |
None |
| ppid | Integer | The process ID of the parent process | Optional |
None |
| pid | Integer | The process ID | Optional |
None |
| command_line | Text | The command line that the process ran | Optional |
None |
| end_time | Date | The time of termination for the process | Optional |
None |
| integrity_level | Text | The integrity level of the process | Optional |
None |
| image_hash | Text | The hash of the file run | Optional |
None |
| original_file_name | Text | The original name of the file | Optional |
None |
ObjectID¶
Details about the characteristics used to identify an object
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| tag | Text | The normalized tag of the object | Yes |
None |
| ontology_id | Keyword | Deterministic identifier of ontology. This value should be able to be replicable between services that have access to similar object details, such that it can be used for relating objects in post-processing. | Yes |
None |
| service_name | Keyword | Component that generated this section | Yes |
unknown |
| guid | Text | The GUID associated with the object | Optional |
None |
| treeid | Text | The hash of the tree ID | Optional |
None |
| processtree | Keyword | Human-readable tree ID (concatenation of tags) | Optional |
None |
| time_observed | Date | The time at which the object was observed | Optional |
None |
| session | Keyword | Unifying session name/ID | Optional |
None |