Process
These fields contain information about a process.
Fields
Field Summary
| Field | Type | Level | Description |
|---|---|---|---|
process.args | keyword | Extended | Array of process arguments. |
process.args_count | long | Extended | Length of the process.args array. |
process.code_signature.digest_algorithm | keyword | Extended | Hashing algorithm used to sign the process. |
process.code_signature.exists | boolean | Core | Boolean to capture if a signature is present. |
process.code_signature.signing_id | keyword | Extended | The identifier used to sign the process. |
process.code_signature.status | keyword | Extended | Additional information about the certificate status. |
process.code_signature.subject_name | keyword | Core | Subject name of the code signer |
process.code_signature.team_id | keyword | Extended | The team identifier used to sign the process. |
process.code_signature.timestamp | date | Extended | When the signature was generated and signed. |
process.code_signature.trusted | boolean | Extended | Stores the trust status of the certificate chain. |
process.code_signature.valid | boolean | Extended | Boolean to capture if the digital signature is verified against the binary content. |
process.command_line | wildcard | Extended | Full command line that started the process. |
process.command_line.text | match_only_text | Extended | Full command line that started the process. |
process.elf.architecture | keyword | Extended | Machine architecture of the ELF file. |
process.elf.byte_order | keyword | Extended | Byte sequence of ELF file. |
process.elf.cpu_type | keyword | Extended | CPU type of the ELF file. |
process.elf.creation_date | date | Extended | Build or compile date. |
process.elf.exports | flattened | Extended | List of exported element names and types. |
process.elf.header.abi_version | keyword | Extended | Version of the ELF Application Binary Interface (ABI). |
process.elf.header.class | keyword | Extended | Header class of the ELF file. |
process.elf.header.data | keyword | Extended | Data table of the ELF header. |
process.elf.header.entrypoint | long | Extended | Header entrypoint of the ELF file. |
process.elf.header.object_version | keyword | Extended | "0x1" for original ELF files. |
process.elf.header.os_abi | keyword | Extended | Application Binary Interface (ABI) of the Linux OS. |
process.elf.header.type | keyword | Extended | Header type of the ELF file. |
process.elf.header.version | keyword | Extended | Version of the ELF header. |
process.elf.imports | flattened | Extended | List of imported element names and types. |
process.elf.sections | nested | Extended | Section information of the ELF file. |
process.elf.sections.chi2 | long | Extended | Chi-square probability distribution of the section. |
process.elf.sections.entropy | long | Extended | Shannon entropy calculation from the section. |
process.elf.sections.flags | keyword | Extended | ELF Section List flags. |
process.elf.sections.name | keyword | Extended | ELF Section List name. |
process.elf.sections.physical_offset | keyword | Extended | ELF Section List offset. |
process.elf.sections.physical_size | long | Extended | ELF Section List physical size. |
process.elf.sections.type | keyword | Extended | ELF Section List type. |
process.elf.sections.virtual_address | long | Extended | ELF Section List virtual address. |
process.elf.sections.virtual_size | long | Extended | ELF Section List virtual size. |
process.elf.segments | nested | Extended | ELF object segment list. |
process.elf.segments.sections | keyword | Extended | ELF object segment sections. |
process.elf.segments.type | keyword | Extended | ELF object segment type. |
process.elf.shared_libraries | keyword | Extended | List of shared libraries used by this ELF object. |
process.elf.telfhash | keyword | Extended | telfhash hash for ELF file. |
process.end | date | Extended | The time the process ended. |
process.entity_id | keyword | Extended | Unique identifier for the process. |
process.executable | keyword | Extended | Absolute path to the process executable. |
process.executable.text | match_only_text | Extended | Absolute path to the process executable. |
process.exit_code | long | Extended | The exit code of the process. |
process.hash.md5 | keyword | Extended | MD5 hash. |
process.hash.sha1 | keyword | Extended | SHA1 hash. |
process.hash.sha256 | keyword | Extended | SHA256 hash. |
process.hash.sha512 | keyword | Extended | SHA512 hash. |
process.hash.ssdeep | keyword | Extended | SSDEEP hash. |
process.name | keyword | Extended | Process name. |
process.name.text | match_only_text | Extended | Process name. |
process.parent.args | keyword | Extended | Array of process arguments. |
process.parent.args_count | long | Extended | Length of the process.args array. |
process.parent.code_signature.digest_algorithm | keyword | Extended | Hashing algorithm used to sign the process. |
process.parent.code_signature.exists | boolean | Core | Boolean to capture if a signature is present. |
process.parent.code_signature.signing_id | keyword | Extended | The identifier used to sign the process. |
process.parent.code_signature.status | keyword | Extended | Additional information about the certificate status. |
process.parent.code_signature.subject_name | keyword | Core | Subject name of the code signer |
process.parent.code_signature.team_id | keyword | Extended | The team identifier used to sign the process. |
process.parent.code_signature.timestamp | date | Extended | When the signature was generated and signed. |
process.parent.code_signature.trusted | boolean | Extended | Stores the trust status of the certificate chain. |
process.parent.code_signature.valid | boolean | Extended | Boolean to capture if the digital signature is verified against the binary content. |
process.parent.command_line | wildcard | Extended | Full command line that started the process. |
process.parent.command_line.text | match_only_text | Extended | Full command line that started the process. |
process.parent.elf.architecture | keyword | Extended | Machine architecture of the ELF file. |
process.parent.elf.byte_order | keyword | Extended | Byte sequence of ELF file. |
process.parent.elf.cpu_type | keyword | Extended | CPU type of the ELF file. |
process.parent.elf.creation_date | date | Extended | Build or compile date. |
process.parent.elf.exports | flattened | Extended | List of exported element names and types. |
process.parent.elf.header.abi_version | keyword | Extended | Version of the ELF Application Binary Interface (ABI). |
process.parent.elf.header.class | keyword | Extended | Header class of the ELF file. |
process.parent.elf.header.data | keyword | Extended | Data table of the ELF header. |
process.parent.elf.header.entrypoint | long | Extended | Header entrypoint of the ELF file. |
process.parent.elf.header.object_version | keyword | Extended | "0x1" for original ELF files. |
process.parent.elf.header.os_abi | keyword | Extended | Application Binary Interface (ABI) of the Linux OS. |
process.parent.elf.header.type | keyword | Extended | Header type of the ELF file. |
process.parent.elf.header.version | keyword | Extended | Version of the ELF header. |
process.parent.elf.imports | flattened | Extended | List of imported element names and types. |
process.parent.elf.sections | nested | Extended | Section information of the ELF file. |
process.parent.elf.sections.chi2 | long | Extended | Chi-square probability distribution of the section. |
process.parent.elf.sections.entropy | long | Extended | Shannon entropy calculation from the section. |
process.parent.elf.sections.flags | keyword | Extended | ELF Section List flags. |
process.parent.elf.sections.name | keyword | Extended | ELF Section List name. |
process.parent.elf.sections.physical_offset | keyword | Extended | ELF Section List offset. |
process.parent.elf.sections.physical_size | long | Extended | ELF Section List physical size. |
process.parent.elf.sections.type | keyword | Extended | ELF Section List type. |
process.parent.elf.sections.virtual_address | long | Extended | ELF Section List virtual address. |
process.parent.elf.sections.virtual_size | long | Extended | ELF Section List virtual size. |
process.parent.elf.segments | nested | Extended | ELF object segment list. |
process.parent.elf.segments.sections | keyword | Extended | ELF object segment sections. |
process.parent.elf.segments.type | keyword | Extended | ELF object segment type. |
process.parent.elf.shared_libraries | keyword | Extended | List of shared libraries used by this ELF object. |
process.parent.elf.telfhash | keyword | Extended | telfhash hash for ELF file. |
process.parent.end | date | Extended | The time the process ended. |
process.parent.entity_id | keyword | Extended | Unique identifier for the process. |
process.parent.executable | keyword | Extended | Absolute path to the process executable. |
process.parent.executable.text | match_only_text | Extended | Absolute path to the process executable. |
process.parent.exit_code | long | Extended | The exit code of the process. |
process.parent.hash.md5 | keyword | Extended | MD5 hash. |
process.parent.hash.sha1 | keyword | Extended | SHA1 hash. |
process.parent.hash.sha256 | keyword | Extended | SHA256 hash. |
process.parent.hash.sha512 | keyword | Extended | SHA512 hash. |
process.parent.hash.ssdeep | keyword | Extended | SSDEEP hash. |
process.parent.name | keyword | Extended | Process name. |
process.parent.name.text | match_only_text | Extended | Process name. |
process.parent.pe.architecture | keyword | Extended | CPU architecture target for the file. |
process.parent.pe.company | keyword | Extended | Internal company name of the file, provided at compile-time. |
process.parent.pe.description | keyword | Extended | Internal description of the file, provided at compile-time. |
process.parent.pe.file_version | keyword | Extended | Process name. |
process.parent.pe.imphash | keyword | Extended | A hash of the imports in a PE file. |
process.parent.pe.original_file_name | keyword | Extended | Internal name of the file, provided at compile-time. |
process.parent.pe.product | keyword | Extended | Internal product name of the file, provided at compile-time. |
process.parent.pgid | long | Extended | Identifier of the group of processes the process belongs to. |
process.parent.pid | long | Core | Process id. |
process.parent.ppid | long | Extended | Parent process' pid. |
process.parent.start | date | Extended | The time the process started. |
process.parent.thread.id | long | Extended | Thread ID. |
process.parent.thread.name | keyword | Extended | Thread name. |
process.parent.title | keyword | Extended | Process title. |
process.parent.title.text | match_only_text | Extended | Process title. |
process.parent.uptime | long | Extended | Seconds the process has been up. |
process.parent.working_directory | keyword | Extended | The working directory of the process. |
process.parent.working_directory.text | match_only_text | Extended | The working directory of the process. |
process.pe.architecture | keyword | Extended | CPU architecture target for the file. |
process.pe.company | keyword | Extended | Internal company name of the file, provided at compile-time. |
process.pe.description | keyword | Extended | Internal description of the file, provided at compile-time. |
process.pe.file_version | keyword | Extended | Process name. |
process.pe.imphash | keyword | Extended | A hash of the imports in a PE file. |
process.pe.original_file_name | keyword | Extended | Internal name of the file, provided at compile-time. |
process.pe.product | keyword | Extended | Internal product name of the file, provided at compile-time. |
process.pgid | long | Extended | Identifier of the group of processes the process belongs to. |
process.pid | long | Core | Process id. |
process.ppid | long | Extended | Parent process' pid. |
process.start | date | Extended | The time the process started. |
process.thread.id | long | Extended | Thread ID. |
process.thread.name | keyword | Extended | Thread name. |
process.title | keyword | Extended | Process title. |
process.title.text | match_only_text | Extended | Process title. |
process.uptime | long | Extended | Seconds the process has been up. |
process.working_directory | keyword | Extended | The working directory of the process. |
process.working_directory.text | match_only_text | Extended | The working directory of the process. |
Field Details
process.args
Type: keyword
Level: Extended
Description: Array of process arguments.
Example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
Normalization: array
Indexed: true
process.args_count
Type: long
Level: Extended
Description: Length of the process.args array.
Example: 4
Indexed: true
process.code_signature.digest_algorithm
Type: keyword
Level: Extended
Description: Hashing algorithm used to sign the process.
Example: sha256
Indexed: true
process.code_signature.exists
Type: boolean
Level: Core
Description: Boolean to capture if a signature is present.
Example: true
Indexed: true
process.code_signature.signing_id
Type: keyword
Level: Extended
Description: The identifier used to sign the process.
Example: com.apple.xpc.proxy
Indexed: true
process.code_signature.status
Type: keyword
Level: Extended
Description: Additional information about the certificate status.
Example: ERROR_UNTRUSTED_ROOT
Indexed: true
process.code_signature.subject_name
Type: keyword
Level: Core
Description: Subject name of the code signer
Example: Microsoft Corporation
Indexed: true
process.code_signature.team_id
Type: keyword
Level: Extended
Description: The team identifier used to sign the process.
Example: EQHXZ8M8AV
Indexed: true
process.code_signature.timestamp
Type: date
Level: Extended
Description: When the signature was generated and signed.
Example: 2021-01-01T12:10:30Z
Indexed: true
process.code_signature.trusted
Type: boolean
Level: Extended
Description: Stores the trust status of the certificate chain.
Example: true
Indexed: true
process.code_signature.valid
Type: boolean
Level: Extended
Description: Boolean to capture if the digital signature is verified against the binary content.
Example: true
Indexed: true
process.command_line
Type: wildcard
Level: Extended
Description: Full command line that started the process.
Example: /usr/bin/ssh -l user 10.0.0.16
Indexed: true
process.command_line.text
Type: match_only_text
Level: Extended
Description: Full command line that started the process.
Example: /usr/bin/ssh -l user 10.0.0.16
Indexed: true
process.elf.architecture
Type: keyword
Level: Extended
Description: Machine architecture of the ELF file.
Example: x86-64
Indexed: true
process.elf.byte_order
Type: keyword
Level: Extended
Description: Byte sequence of ELF file.
Example: Little Endian
Indexed: true
process.elf.cpu_type
Type: keyword
Level: Extended
Description: CPU type of the ELF file.
Example: Intel
Indexed: true
process.elf.creation_date
Type: date
Level: Extended
Description: Build or compile date.
Indexed: true
process.elf.exports
Type: flattened
Level: Extended
Description: List of exported element names and types.
Normalization: array
Indexed: true
process.elf.header.abi_version
Type: keyword
Level: Extended
Description: Version of the ELF Application Binary Interface (ABI).
Indexed: true
process.elf.header.class
Type: keyword
Level: Extended
Description: Header class of the ELF file.
Indexed: true
process.elf.header.data
Type: keyword
Level: Extended
Description: Data table of the ELF header.
Indexed: true
process.elf.header.entrypoint
Type: long
Level: Extended
Description: Header entrypoint of the ELF file.
Indexed: true
process.elf.header.object_version
Type: keyword
Level: Extended
Description: "0x1" for original ELF files.
Indexed: true
process.elf.header.os_abi
Type: keyword
Level: Extended
Description: Application Binary Interface (ABI) of the Linux OS.
Indexed: true
process.elf.header.type
Type: keyword
Level: Extended
Description: Header type of the ELF file.
Indexed: true
process.elf.header.version
Type: keyword
Level: Extended
Description: Version of the ELF header.
Indexed: true
process.elf.imports
Type: flattened
Level: Extended
Description: List of imported element names and types.
Normalization: array
Indexed: true
process.elf.sections
Type: nested
Level: Extended
Description: Section information of the ELF file.
Normalization: array
Indexed: true
process.elf.sections.chi2
Type: long
Level: Extended
Description: Chi-square probability distribution of the section.
Indexed: true
process.elf.sections.entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the section.
Indexed: true
process.elf.sections.flags
Type: keyword
Level: Extended
Description: ELF Section List flags.
Indexed: true
process.elf.sections.name
Type: keyword
Level: Extended
Description: ELF Section List name.
Indexed: true
process.elf.sections.physical_offset
Type: keyword
Level: Extended
Description: ELF Section List offset.
Indexed: true
process.elf.sections.physical_size
Type: long
Level: Extended
Description: ELF Section List physical size.
Indexed: true
process.elf.sections.type
Type: keyword
Level: Extended
Description: ELF Section List type.
Indexed: true
process.elf.sections.virtual_address
Type: long
Level: Extended
Description: ELF Section List virtual address.
Indexed: true
process.elf.sections.virtual_size
Type: long
Level: Extended
Description: ELF Section List virtual size.
Indexed: true
process.elf.segments
Type: nested
Level: Extended
Description: ELF object segment list.
Normalization: array
Indexed: true
process.elf.segments.sections
Type: keyword
Level: Extended
Description: ELF object segment sections.
Indexed: true
process.elf.segments.type
Type: keyword
Level: Extended
Description: ELF object segment type.
Indexed: true
process.elf.shared_libraries
Type: keyword
Level: Extended
Description: List of shared libraries used by this ELF object.
Normalization: array
Indexed: true
process.elf.telfhash
Type: keyword
Level: Extended
Description: telfhash hash for ELF file.
Indexed: true
process.end
Type: date
Level: Extended
Description: The time the process ended.
Example: 2016-05-23T08:05:34.853Z
Indexed: true
process.entity_id
Type: keyword
Level: Extended
Description: Unique identifier for the process.
Example: c2c455d9f99375d
Indexed: true
process.executable
Type: keyword
Level: Extended
Description: Absolute path to the process executable.
Example: /usr/bin/ssh
Indexed: true
process.executable.text
Type: match_only_text
Level: Extended
Description: Absolute path to the process executable.
Example: /usr/bin/ssh
Indexed: true
process.exit_code
Type: long
Level: Extended
Description: The exit code of the process.
Example: 137
Indexed: true
process.hash.md5
Type: keyword
Level: Extended
Description: MD5 hash.
Indexed: true
process.hash.sha1
Type: keyword
Level: Extended
Description: SHA1 hash.
Indexed: true
process.hash.sha256
Type: keyword
Level: Extended
Description: SHA256 hash.
Indexed: true
process.hash.sha512
Type: keyword
Level: Extended
Description: SHA512 hash.
Indexed: true
process.hash.ssdeep
Type: keyword
Level: Extended
Description: SSDEEP hash.
Indexed: true
process.name
Type: keyword
Level: Extended
Description: Process name.
Example: ssh
Indexed: true
process.name.text
Type: match_only_text
Level: Extended
Description: Process name.
Example: ssh
Indexed: true
process.parent.args
Type: keyword
Level: Extended
Description: Array of process arguments.
Example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
Normalization: array
Indexed: true
process.parent.args_count
Type: long
Level: Extended
Description: Length of the process.args array.
Example: 4
Indexed: true
process.parent.code_signature.digest_algorithm
Type: keyword
Level: Extended
Description: Hashing algorithm used to sign the process.
Example: sha256
Indexed: true
process.parent.code_signature.exists
Type: boolean
Level: Core
Description: Boolean to capture if a signature is present.
Example: true
Indexed: true
process.parent.code_signature.signing_id
Type: keyword
Level: Extended
Description: The identifier used to sign the process.
Example: com.apple.xpc.proxy
Indexed: true
process.parent.code_signature.status
Type: keyword
Level: Extended
Description: Additional information about the certificate status.
Example: ERROR_UNTRUSTED_ROOT
Indexed: true
process.parent.code_signature.subject_name
Type: keyword
Level: Core
Description: Subject name of the code signer
Example: Microsoft Corporation
Indexed: true
process.parent.code_signature.team_id
Type: keyword
Level: Extended
Description: The team identifier used to sign the process.
Example: EQHXZ8M8AV
Indexed: true
process.parent.code_signature.timestamp
Type: date
Level: Extended
Description: When the signature was generated and signed.
Example: 2021-01-01T12:10:30Z
Indexed: true
process.parent.code_signature.trusted
Type: boolean
Level: Extended
Description: Stores the trust status of the certificate chain.
Example: true
Indexed: true
process.parent.code_signature.valid
Type: boolean
Level: Extended
Description: Boolean to capture if the digital signature is verified against the binary content.
Example: true
Indexed: true
process.parent.command_line
Type: wildcard
Level: Extended
Description: Full command line that started the process.
Example: /usr/bin/ssh -l user 10.0.0.16
Indexed: true
process.parent.command_line.text
Type: match_only_text
Level: Extended
Description: Full command line that started the process.
Example: /usr/bin/ssh -l user 10.0.0.16
Indexed: true
process.parent.elf.architecture
Type: keyword
Level: Extended
Description: Machine architecture of the ELF file.
Example: x86-64
Indexed: true
process.parent.elf.byte_order
Type: keyword
Level: Extended
Description: Byte sequence of ELF file.
Example: Little Endian
Indexed: true
process.parent.elf.cpu_type
Type: keyword
Level: Extended
Description: CPU type of the ELF file.
Example: Intel
Indexed: true
process.parent.elf.creation_date
Type: date
Level: Extended
Description: Build or compile date.
Indexed: true
process.parent.elf.exports
Type: flattened
Level: Extended
Description: List of exported element names and types.
Normalization: array
Indexed: true
process.parent.elf.header.abi_version
Type: keyword
Level: Extended
Description: Version of the ELF Application Binary Interface (ABI).
Indexed: true
process.parent.elf.header.class
Type: keyword
Level: Extended
Description: Header class of the ELF file.
Indexed: true
process.parent.elf.header.data
Type: keyword
Level: Extended
Description: Data table of the ELF header.
Indexed: true
process.parent.elf.header.entrypoint
Type: long
Level: Extended
Description: Header entrypoint of the ELF file.
Indexed: true
process.parent.elf.header.object_version
Type: keyword
Level: Extended
Description: "0x1" for original ELF files.
Indexed: true
process.parent.elf.header.os_abi
Type: keyword
Level: Extended
Description: Application Binary Interface (ABI) of the Linux OS.
Indexed: true
process.parent.elf.header.type
Type: keyword
Level: Extended
Description: Header type of the ELF file.
Indexed: true
process.parent.elf.header.version
Type: keyword
Level: Extended
Description: Version of the ELF header.
Indexed: true
process.parent.elf.imports
Type: flattened
Level: Extended
Description: List of imported element names and types.
Normalization: array
Indexed: true
process.parent.elf.sections
Type: nested
Level: Extended
Description: Section information of the ELF file.
Normalization: array
Indexed: true
process.parent.elf.sections.chi2
Type: long
Level: Extended
Description: Chi-square probability distribution of the section.
Indexed: true
process.parent.elf.sections.entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the section.
Indexed: true
process.parent.elf.sections.flags
Type: keyword
Level: Extended
Description: ELF Section List flags.
Indexed: true
process.parent.elf.sections.name
Type: keyword
Level: Extended
Description: ELF Section List name.
Indexed: true
process.parent.elf.sections.physical_offset
Type: keyword
Level: Extended
Description: ELF Section List offset.
Indexed: true
process.parent.elf.sections.physical_size
Type: long
Level: Extended
Description: ELF Section List physical size.
Indexed: true
process.parent.elf.sections.type
Type: keyword
Level: Extended
Description: ELF Section List type.
Indexed: true
process.parent.elf.sections.virtual_address
Type: long
Level: Extended
Description: ELF Section List virtual address.
Indexed: true
process.parent.elf.sections.virtual_size
Type: long
Level: Extended
Description: ELF Section List virtual size.
Indexed: true
process.parent.elf.segments
Type: nested
Level: Extended
Description: ELF object segment list.
Normalization: array
Indexed: true
process.parent.elf.segments.sections
Type: keyword
Level: Extended
Description: ELF object segment sections.
Indexed: true
process.parent.elf.segments.type
Type: keyword
Level: Extended
Description: ELF object segment type.
Indexed: true
process.parent.elf.shared_libraries
Type: keyword
Level: Extended
Description: List of shared libraries used by this ELF object.
Normalization: array
Indexed: true
process.parent.elf.telfhash
Type: keyword
Level: Extended
Description: telfhash hash for ELF file.
Indexed: true
process.parent.end
Type: date
Level: Extended
Description: The time the process ended.
Example: 2016-05-23T08:05:34.853Z
Indexed: true
process.parent.entity_id
Type: keyword
Level: Extended
Description: Unique identifier for the process.
Example: c2c455d9f99375d
Indexed: true
process.parent.executable
Type: keyword
Level: Extended
Description: Absolute path to the process executable.
Example: /usr/bin/ssh
Indexed: true
process.parent.executable.text
Type: match_only_text
Level: Extended
Description: Absolute path to the process executable.
Example: /usr/bin/ssh
Indexed: true
process.parent.exit_code
Type: long
Level: Extended
Description: The exit code of the process.
Example: 137
Indexed: true
process.parent.hash.md5
Type: keyword
Level: Extended
Description: MD5 hash.
Indexed: true
process.parent.hash.sha1
Type: keyword
Level: Extended
Description: SHA1 hash.
Indexed: true
process.parent.hash.sha256
Type: keyword
Level: Extended
Description: SHA256 hash.
Indexed: true
process.parent.hash.sha512
Type: keyword
Level: Extended
Description: SHA512 hash.
Indexed: true
process.parent.hash.ssdeep
Type: keyword
Level: Extended
Description: SSDEEP hash.
Indexed: true
process.parent.name
Type: keyword
Level: Extended
Description: Process name.
Example: ssh
Indexed: true
process.parent.name.text
Type: match_only_text
Level: Extended
Description: Process name.
Example: ssh
Indexed: true
process.parent.pe.architecture
Type: keyword
Level: Extended
Description: CPU architecture target for the file.
Example: x64
Indexed: true
process.parent.pe.company
Type: keyword
Level: Extended
Description: Internal company name of the file, provided at compile-time.
Example: Microsoft Corporation
Indexed: true
process.parent.pe.description
Type: keyword
Level: Extended
Description: Internal description of the file, provided at compile-time.
Example: Paint
Indexed: true
process.parent.pe.file_version
Type: keyword
Level: Extended
Description: Process name.
Example: 6.3.9600.17415
Indexed: true
process.parent.pe.imphash
Type: keyword
Level: Extended
Description: A hash of the imports in a PE file.
Example: 0c6803c4e922103c4dca5963aad36ddf
Indexed: true
process.parent.pe.original_file_name
Type: keyword
Level: Extended
Description: Internal name of the file, provided at compile-time.
Example: MSPAINT.EXE
Indexed: true
process.parent.pe.product
Type: keyword
Level: Extended
Description: Internal product name of the file, provided at compile-time.
Example: Microsoft® Windows® Operating System
Indexed: true
process.parent.pgid
Type: long
Level: Extended
Description: Identifier of the group of processes the process belongs to.
Indexed: true
process.parent.pid
Type: long
Level: Core
Description: Process id.
Example: 4242
Indexed: true
process.parent.ppid
Type: long
Level: Extended
Description: Parent process' pid.
Example: 4241
Indexed: true
process.parent.start
Type: date
Level: Extended
Description: The time the process started.
Example: 2016-05-23T08:05:34.853Z
Indexed: true
process.parent.thread.id
Type: long
Level: Extended
Description: Thread ID.
Example: 4242
Indexed: true
process.parent.thread.name
Type: keyword
Level: Extended
Description: Thread name.
Example: thread-0
Indexed: true
process.parent.title
Type: keyword
Level: Extended
Description: Process title.
Indexed: true
process.parent.title.text
Type: match_only_text
Level: Extended
Description: Process title.
Indexed: true
process.parent.uptime
Type: long
Level: Extended
Description: Seconds the process has been up.
Example: 1325
Indexed: true
process.parent.working_directory
Type: keyword
Level: Extended
Description: The working directory of the process.
Example: /home/alice
Indexed: true
process.parent.working_directory.text
Type: match_only_text
Level: Extended
Description: The working directory of the process.
Example: /home/alice
Indexed: true
process.pe.architecture
Type: keyword
Level: Extended
Description: CPU architecture target for the file.
Example: x64
Indexed: true
process.pe.company
Type: keyword
Level: Extended
Description: Internal company name of the file, provided at compile-time.
Example: Microsoft Corporation
Indexed: true
process.pe.description
Type: keyword
Level: Extended
Description: Internal description of the file, provided at compile-time.
Example: Paint
Indexed: true
process.pe.file_version
Type: keyword
Level: Extended
Description: Process name.
Example: 6.3.9600.17415
Indexed: true
process.pe.imphash
Type: keyword
Level: Extended
Description: A hash of the imports in a PE file.
Example: 0c6803c4e922103c4dca5963aad36ddf
Indexed: true
process.pe.original_file_name
Type: keyword
Level: Extended
Description: Internal name of the file, provided at compile-time.
Example: MSPAINT.EXE
Indexed: true
process.pe.product
Type: keyword
Level: Extended
Description: Internal product name of the file, provided at compile-time.
Example: Microsoft® Windows® Operating System
Indexed: true
process.pgid
Type: long
Level: Extended
Description: Identifier of the group of processes the process belongs to.
Indexed: true
process.pid
Type: long
Level: Core
Description: Process id.
Example: 4242
Indexed: true
process.ppid
Type: long
Level: Extended
Description: Parent process' pid.
Example: 4241
Indexed: true
process.start
Type: date
Level: Extended
Description: The time the process started.
Example: 2016-05-23T08:05:34.853Z
Indexed: true
process.thread.id
Type: long
Level: Extended
Description: Thread ID.
Example: 4242
Indexed: true
process.thread.name
Type: keyword
Level: Extended
Description: Thread name.
Example: thread-0
Indexed: true
process.title
Type: keyword
Level: Extended
Description: Process title.
Indexed: true
process.title.text
Type: match_only_text
Level: Extended
Description: Process title.
Indexed: true
process.uptime
Type: long
Level: Extended
Description: Seconds the process has been up.
Example: 1325
Indexed: true
process.working_directory
Type: keyword
Level: Extended
Description: The working directory of the process.
Example: /home/alice
Indexed: true
process.working_directory.text
Type: match_only_text
Level: Extended
Description: The working directory of the process.
Example: /home/alice
Indexed: true