Process

Details about a process

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| objectid | ObjectID | The object ID of the process object | Yes | `None` |
| image | Text | The image of the process | Yes | `<unknown_image>` |
| start_time | Date | The time of creation for the process | Yes | `None` |
| pobjectid | ObjectID | The object ID of the parent process object | Optional | `None` |
| pimage | Text | The image of the parent process that spawned this process | Optional | `None` |
| pcommand_line | Text | The command line that the parent process ran | Optional | `None` |
| ppid | Integer | The process ID of the parent process | Optional | `None` |
| pid | Integer | The process ID | Optional | `None` |
| command_line | Text | The command line that the process ran | Optional | `None` |
| end_time | Date | The time of termination for the process | Optional | `None` |
| integrity_level | Text | The integrity level of the process | Optional | `None` |
| image_hash | Text | The hash of the file run | Optional | `None` |
| original_file_name | Text | The original name of the file | Optional | `None` |

ObjectID

Details about the characteristics used to identify an object

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| tag | Text | The normalized tag of the object | Yes | `None` |
| ontology_id | Keyword | Deterministic identifier of the ontology. This value should be replicable between services that have access to similar object details, so that it can be used for relating objects in post-processing. | Yes | `None` |
| service_name | Keyword | Component that generated this section | Yes | `unknown` |
| guid | Text | The GUID associated with the object | Optional | `None` |
| treeid | Text | The hash of the tree ID | Optional | `None` |
| processtree | Keyword | Human-readable tree ID (concatenation of tags) | Optional | `None` |
| time_observed | Date | The time at which the object was observed | Optional | `None` |
| session | Keyword | Unifying session name/ID | Optional | `None` |
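
One way to meet the replicability requirement on `ontology_id`, shown as an added example that is not the project's own code: hash only attributes that every service observing the same process reports identically, and keep per-service fields such as `service_name` and `time_observed` out of the hash. The choice of fields, the SHA-256 scheme, the `process_` prefix and all function names are assumptions made for illustration.

```python
import hashlib
import json

# Assumption: these Process fields are reported identically by every service
# that sees the same process. Services must also normalize them the same way
# (path case, timestamp format), otherwise the IDs diverge.
STABLE_FIELDS = ("pid", "image", "start_time", "command_line")


def process_ontology_id(process: dict) -> str:
    """Derive a replicable ID from stable process attributes (assumed scheme)."""
    missing = [f for f in ("image", "start_time") if not process.get(f)]
    if missing:
        raise ValueError(f"required field(s) missing: {missing}")
    # Absent optional fields serialize as null, so every service hashes the
    # same canonical structure regardless of key order or extra fields.
    canonical = {f: process.get(f) for f in STABLE_FIELDS}
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return "process_" + hashlib.sha256(blob.encode("utf-8")).hexdigest()[:32]


def build_objectid(process: dict, tag: str, service_name: str = "unknown",
                   **optional) -> dict:
    """Assemble an ObjectID; service_name defaults to 'unknown' as in the table."""
    oid = {"tag": tag,
           "ontology_id": process_ontology_id(process),
           "service_name": service_name}
    oid.update(optional)  # guid, treeid, time_observed, session, ...
    return oid


def relate(objectids: list) -> dict:
    """Post-processing step: group reporting services by shared ontology_id."""
    groups = {}
    for oid in objectids:
        groups.setdefault(oid["ontology_id"], []).append(oid["service_name"])
    return groups


# Constructed sample process, as two different services might both observe it.
PROC = {"image": "C:\\Windows\\System32\\notepad.exe",
        "start_time": "2024-01-01T00:00:00Z",
        "pid": 4242,
        "command_line": "notepad.exe report.txt"}
```

If one service lacks a field that another has (for example `command_line`), the two IDs will differ, so the set of hashed fields should be limited to what all producers can supply.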