Process Fields

  • Process fields relate to the execution of binaries
  • The process_ field names can also be prefixed with target_… and parent_…, e.g., parent_process_id, target_process_name, etc.
| Field Name | Example Values | Field Type | Notes |
|---|---|---|---|
| process_description | WMI Commandline Utility | keyword | Description of executed process |
| process_command_line | c:\tmp\runme.exe, /tmp/runme | keyword/loweronly | Full command line of executed process |
| process_command_line_length | 29347 | long | Length of process_command_line |
| process_id | 2045, 0x3e7 | keyword/loweronly | Process identifier associated with executed process |
| process_integrity_level | medium, high, trusted | keyword | Integrity level of executed process |
| process_parent_command_line | c:\tmp\runme.exe, /tmp/runme | keyword/loweronly | Full command line of parent process |
| process_parent_id | 2045, 0x3e7 | keyword/loweronly | Process identifier associated with parent process |
| process_parent_name | whoami, whoami.exe | keyword/loweronly | File name of parent process, excluding path |
| process_parent_path | C:\Windows\system32\whoami.exe, /usr/bin/whoami | keyword/loweronly | Full path of parent process |
| process_parent_uid | {73123815-5caa-4e39-90dc-d25d4013bf15} | keyword | GUID or unique identifier for the parent process that is not the process_id |
| process_name | whoami, whoami.exe | keyword/loweronly | File name of executed process, excluding path |
| process_path | C:\Windows\system32\whoami.exe, /usr/bin/whoami | keyword/loweronly | Full path of executed process |
| process_target_id | 2045, 0x3e7 | keyword | The process ID of the targeted process of some action that was taken against that process |
| process_target_name | whoami, whoami.exe | keyword | The name of the targeted process of some action that was taken against that process |
| process_target_path | C:\Windows\system32\whoami.exe, /usr/bin/whoami | keyword | The full path and name of the targeted process of some action that was taken against that process |
| process_target_uid | {73123815-5caa-4e39-90dc-d25d4013bf15} | keyword | The unique identifier of the targeted process of some action that was taken against that running process |
| process_uid | {73123815-5caa-4e39-90dc-d25d4013bf15} | keyword | GUID or unique identifier for the executed process that is not the process_id |
| process_working_directory | C:\Windows\Temp | keyword | The current working directory that the process was called from |
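The table above defines the target schema but not how a raw telemetry record is mapped onto it. The following Python is an added example, not part of this data dictionary or any project's normalizer: it takes a constructed process-creation record (the raw keys image, command_line, pid, parent_image, parent_command_line, ppid, integrity_level, cwd, process_guid and parent_process_guid are assumptions for the sake of the example), derives process_name and process_parent_name from the path fields, fills process_command_line_length, lowercases only the fields typed keyword/loweronly, and then checks the result against those type rules so a mismatch is caught before the record reaches a detection rule that assumes lowercase matching.

```python
import ntpath
import posixpath

# Fields typed "keyword/loweronly" in the process field table above.
LOWERONLY_FIELDS = {
    "process_command_line", "process_id", "process_parent_command_line",
    "process_parent_id", "process_parent_name", "process_parent_path",
    "process_name", "process_path",
}

# Constructed sample event (not a real capture). Raw key names are assumed.
SAMPLE_EVENT = {
    "image": r"C:\Windows\System32\whoami.exe",
    "command_line": r'"C:\Windows\System32\whoami.exe" /all',
    "pid": 2045,
    "parent_image": r"C:\Windows\System32\cmd.exe",
    "parent_command_line": r'"C:\Windows\System32\cmd.exe"',
    "ppid": 1337,
    "integrity_level": "Medium",
    "cwd": r"C:\Windows\Temp",
    "process_guid": "{73123815-5caa-4e39-90dc-d25d4013bf15}",
    "parent_process_guid": "{PLACEHOLDER-PARENT-GUID}",
}


def basename_any(path):
    """File name component for either a Windows or a POSIX path.
    posixpath treats backslashes as ordinary characters, so pick the
    module by the separator actually present."""
    if "\\" in path:
        return ntpath.basename(path)
    return posixpath.basename(path)


def normalize_process_event(raw):
    """Map a raw process-creation record onto the process_ fields."""
    record = {
        "process_path": raw["image"],
        "process_name": basename_any(raw["image"]),
        "process_command_line": raw["command_line"],
        "process_id": str(raw["pid"]),  # keyword type: stored as a string
        "process_parent_path": raw["parent_image"],
        "process_parent_name": basename_any(raw["parent_image"]),
        "process_parent_command_line": raw["parent_command_line"],
        "process_parent_id": str(raw["ppid"]),
        "process_integrity_level": raw["integrity_level"],  # keyword, case kept
        "process_working_directory": raw["cwd"],
        "process_uid": raw["process_guid"],
        "process_parent_uid": raw["parent_process_guid"],
    }
    # Length is measured on the original command line, before any case folding,
    # so a later lowercasing step cannot change the count.
    record["process_command_line_length"] = len(raw["command_line"])
    for field in LOWERONLY_FIELDS:
        value = record.get(field)
        if isinstance(value, str):
            record[field] = value.lower()
    return record


def validate(record):
    """Return a list of type-rule violations (empty when the record conforms)."""
    errors = []
    for field in LOWERONLY_FIELDS:
        value = record.get(field)
        if isinstance(value, str) and value != value.lower():
            errors.append(f"{field}: loweronly field contains uppercase characters")
    length = record.get("process_command_line_length")
    if length is not None and not isinstance(length, int):
        errors.append("process_command_line_length: must be an integer (long)")
    return errors


if __name__ == "__main__":
    normalized = normalize_process_event(SAMPLE_EVENT)
    for key in sorted(normalized):
        print(f"{key:30} {normalized[key]}")
    print("violations:", validate(normalized) or "none")
```

The same normalizer handles POSIX records because basename_any selects the path module per value; lowercasing is applied only to the loweronly fields, so keyword fields such as process_integrity_level keep the case the source reported.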