⚠️ Outdated Version: You are viewing ECS version 8.17, which is outdated. View the latest version (9.0)

ECS Version:

Process

These fields contain information about a process.

Fields

Field Summary

Field	Type	Level	Description
`process.args`	keyword	Extended	Array of process arguments.
`process.args_count`	long	Extended	Length of the process.args array.
`process.code_signature.digest_algorithm`	keyword	Extended	Hashing algorithm used to sign the process.
`process.code_signature.exists`	boolean	Core	Boolean to capture if a signature is present.
`process.code_signature.flags`	keyword	Extended	Code signing flags of the process
`process.code_signature.signing_id`	keyword	Extended	The identifier used to sign the process.
`process.code_signature.status`	keyword	Extended	Additional information about the certificate status.
`process.code_signature.subject_name`	keyword	Core	Subject name of the code signer
`process.code_signature.team_id`	keyword	Extended	The team identifier used to sign the process.
`process.code_signature.timestamp`	date	Extended	When the signature was generated and signed.
`process.code_signature.trusted`	boolean	Extended	Stores the trust status of the certificate chain.
`process.code_signature.valid`	boolean	Extended	Boolean to capture if the digital signature is verified against the binary content.
`process.command_line`	wildcard	Extended	Full command line that started the process.
`process.command_line.text`	match_only_text	Extended	Full command line that started the process.
`process.elf.architecture`	keyword	Extended	Machine architecture of the ELF file.
`process.elf.byte_order`	keyword	Extended	Byte sequence of ELF file.
`process.elf.cpu_type`	keyword	Extended	CPU type of the ELF file.
`process.elf.creation_date`	date	Extended	Build or compile date.
`process.elf.exports`	flattened	Extended	List of exported element names and types.
`process.elf.go_import_hash`	keyword	Extended	A hash of the Go language imports in an ELF file.
`process.elf.go_imports`	flattened	Extended	List of imported Go language element names and types.
`process.elf.go_imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of Go imports.
`process.elf.go_imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of Go imports.
`process.elf.go_stripped`	boolean	Extended	Whether the file is a stripped or obfuscated Go executable.
`process.elf.header.abi_version`	keyword	Extended	Version of the ELF Application Binary Interface (ABI).
`process.elf.header.class`	keyword	Extended	Header class of the ELF file.
`process.elf.header.data`	keyword	Extended	Data table of the ELF header.
`process.elf.header.entrypoint`	long	Extended	Header entrypoint of the ELF file.
`process.elf.header.object_version`	keyword	Extended	"0x1" for original ELF files.
`process.elf.header.os_abi`	keyword	Extended	Application Binary Interface (ABI) of the Linux OS.
`process.elf.header.type`	keyword	Extended	Header type of the ELF file.
`process.elf.header.version`	keyword	Extended	Version of the ELF header.
`process.elf.import_hash`	keyword	Extended	A hash of the imports in an ELF file.
`process.elf.imports`	flattened	Extended	List of imported element names and types.
`process.elf.imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of imported element names and types.
`process.elf.imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of imported element names and types.
`process.elf.sections`	nested	Extended	Section information of the ELF file.
`process.elf.sections.chi2`	long	Extended	Chi-square probability distribution of the section.
`process.elf.sections.entropy`	long	Extended	Shannon entropy calculation from the section.
`process.elf.sections.flags`	keyword	Extended	ELF Section List flags.
`process.elf.sections.name`	keyword	Extended	ELF Section List name.
`process.elf.sections.physical_offset`	keyword	Extended	ELF Section List offset.
`process.elf.sections.physical_size`	long	Extended	ELF Section List physical size.
`process.elf.sections.type`	keyword	Extended	ELF Section List type.
`process.elf.sections.var_entropy`	long	Extended	Variance for Shannon entropy calculation from the section.
`process.elf.sections.virtual_address`	long	Extended	ELF Section List virtual address.
`process.elf.sections.virtual_size`	long	Extended	ELF Section List virtual size.
`process.elf.segments`	nested	Extended	ELF object segment list.
`process.elf.segments.sections`	keyword	Extended	ELF object segment sections.
`process.elf.segments.type`	keyword	Extended	ELF object segment type.
`process.elf.shared_libraries`	keyword	Extended	List of shared libraries used by this ELF object.
`process.elf.telfhash`	keyword	Extended	telfhash hash for ELF file.
`process.end`	date	Extended	The time the process ended.
`process.entity_id`	keyword	Extended	Unique identifier for the process.
`process.entry_leader.args`	keyword	Extended	Array of process arguments.
`process.entry_leader.args_count`	long	Extended	Length of the process.args array.
`process.entry_leader.attested_groups.name`	keyword	Extended	Name of the group.
`process.entry_leader.attested_user.id`	keyword	Core	Unique identifier of the user.
`process.entry_leader.attested_user.name`	keyword	Core	Short name or login of the user.
`process.entry_leader.attested_user.name.text`	match_only_text	Core	Short name or login of the user.
`process.entry_leader.command_line`	wildcard	Extended	Full command line that started the process.
`process.entry_leader.command_line.text`	match_only_text	Extended	Full command line that started the process.
`process.entry_leader.entity_id`	keyword	Extended	Unique identifier for the process.
`process.entry_leader.entry_meta.source.ip`	ip	Core	IP address of the source.
`process.entry_leader.entry_meta.type`	keyword	Extended	The entry type for the entry session leader.
`process.entry_leader.executable`	keyword	Extended	Absolute path to the process executable.
`process.entry_leader.executable.text`	match_only_text	Extended	Absolute path to the process executable.
`process.entry_leader.group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.entry_leader.group.name`	keyword	Extended	Name of the group.
`process.entry_leader.interactive`	boolean	Extended	Whether the process is connected to an interactive shell.
`process.entry_leader.name`	keyword	Extended	Process name.
`process.entry_leader.name.text`	match_only_text	Extended	Process name.
`process.entry_leader.parent.entity_id`	keyword	Extended	Unique identifier for the process.
`process.entry_leader.parent.pid`	long	Core	Process id.
`process.entry_leader.parent.session_leader.entity_id`	keyword	Extended	Unique identifier for the process.
`process.entry_leader.parent.session_leader.pid`	long	Core	Process id.
`process.entry_leader.parent.session_leader.start`	date	Extended	The time the process started.
`process.entry_leader.parent.session_leader.vpid`	long	Core	Virtual process id.
`process.entry_leader.parent.start`	date	Extended	The time the process started.
`process.entry_leader.parent.vpid`	long	Core	Virtual process id.
`process.entry_leader.pid`	long	Core	Process id.
`process.entry_leader.real_group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.entry_leader.real_group.name`	keyword	Extended	Name of the group.
`process.entry_leader.real_user.id`	keyword	Core	Unique identifier of the user.
`process.entry_leader.real_user.name`	keyword	Core	Short name or login of the user.
`process.entry_leader.real_user.name.text`	match_only_text	Core	Short name or login of the user.
`process.entry_leader.same_as_process`	boolean	Extended	This boolean is used to identify if a leader process is the same as the top level process.
`process.entry_leader.saved_group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.entry_leader.saved_group.name`	keyword	Extended	Name of the group.
`process.entry_leader.saved_user.id`	keyword	Core	Unique identifier of the user.
`process.entry_leader.saved_user.name`	keyword	Core	Short name or login of the user.
`process.entry_leader.saved_user.name.text`	match_only_text	Core	Short name or login of the user.
`process.entry_leader.start`	date	Extended	The time the process started.
`process.entry_leader.supplemental_groups.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.entry_leader.supplemental_groups.name`	keyword	Extended	Name of the group.
`process.entry_leader.tty`	object	Extended	Information about the controlling TTY device.
`process.entry_leader.tty.char_device.major`	long	Extended	The TTY character device's major number.
`process.entry_leader.tty.char_device.minor`	long	Extended	The TTY character device's minor number.
`process.entry_leader.user.id`	keyword	Core	Unique identifier of the user.
`process.entry_leader.user.name`	keyword	Core	Short name or login of the user.
`process.entry_leader.user.name.text`	match_only_text	Core	Short name or login of the user.
`process.entry_leader.vpid`	long	Core	Virtual process id.
`process.entry_leader.working_directory`	keyword	Extended	The working directory of the process.
`process.entry_leader.working_directory.text`	match_only_text	Extended	The working directory of the process.
`process.env_vars`	keyword	Extended	Array of environment variable bindings.
`process.executable`	keyword	Extended	Absolute path to the process executable.
`process.executable.text`	match_only_text	Extended	Absolute path to the process executable.
`process.exit_code`	long	Extended	The exit code of the process.
`process.group_leader.args`	keyword	Extended	Array of process arguments.
`process.group_leader.args_count`	long	Extended	Length of the process.args array.
`process.group_leader.command_line`	wildcard	Extended	Full command line that started the process.
`process.group_leader.command_line.text`	match_only_text	Extended	Full command line that started the process.
`process.group_leader.entity_id`	keyword	Extended	Unique identifier for the process.
`process.group_leader.executable`	keyword	Extended	Absolute path to the process executable.
`process.group_leader.executable.text`	match_only_text	Extended	Absolute path to the process executable.
`process.group_leader.group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.group_leader.group.name`	keyword	Extended	Name of the group.
`process.group_leader.interactive`	boolean	Extended	Whether the process is connected to an interactive shell.
`process.group_leader.name`	keyword	Extended	Process name.
`process.group_leader.name.text`	match_only_text	Extended	Process name.
`process.group_leader.pid`	long	Core	Process id.
`process.group_leader.real_group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.group_leader.real_group.name`	keyword	Extended	Name of the group.
`process.group_leader.real_user.id`	keyword	Core	Unique identifier of the user.
`process.group_leader.real_user.name`	keyword	Core	Short name or login of the user.
`process.group_leader.real_user.name.text`	match_only_text	Core	Short name or login of the user.
`process.group_leader.same_as_process`	boolean	Extended	This boolean is used to identify if a leader process is the same as the top level process.
`process.group_leader.saved_group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.group_leader.saved_group.name`	keyword	Extended	Name of the group.
`process.group_leader.saved_user.id`	keyword	Core	Unique identifier of the user.
`process.group_leader.saved_user.name`	keyword	Core	Short name or login of the user.
`process.group_leader.saved_user.name.text`	match_only_text	Core	Short name or login of the user.
`process.group_leader.start`	date	Extended	The time the process started.
`process.group_leader.supplemental_groups.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.group_leader.supplemental_groups.name`	keyword	Extended	Name of the group.
`process.group_leader.tty`	object	Extended	Information about the controlling TTY device.
`process.group_leader.tty.char_device.major`	long	Extended	The TTY character device's major number.
`process.group_leader.tty.char_device.minor`	long	Extended	The TTY character device's minor number.
`process.group_leader.user.id`	keyword	Core	Unique identifier of the user.
`process.group_leader.user.name`	keyword	Core	Short name or login of the user.
`process.group_leader.user.name.text`	match_only_text	Core	Short name or login of the user.
`process.group_leader.vpid`	long	Core	Virtual process id.
`process.group_leader.working_directory`	keyword	Extended	The working directory of the process.
`process.group_leader.working_directory.text`	match_only_text	Extended	The working directory of the process.
`process.group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.group.name`	keyword	Extended	Name of the group.
`process.hash.cdhash`	keyword	Extended	The Code Directory (CD) hash of an executable.
`process.hash.md5`	keyword	Extended	MD5 hash.
`process.hash.sha1`	keyword	Extended	SHA1 hash.
`process.hash.sha256`	keyword	Extended	SHA256 hash.
`process.hash.sha384`	keyword	Extended	SHA384 hash.
`process.hash.sha512`	keyword	Extended	SHA512 hash.
`process.hash.ssdeep`	keyword	Extended	SSDEEP hash.
`process.hash.tlsh`	keyword	Extended	TLSH hash.
`process.interactive`	boolean	Extended	Whether the process is connected to an interactive shell.
`process.io`	object	Extended	A chunk of input or output (IO) from a single process.
`process.io.bytes_skipped`	object	Extended	An array of byte offsets and lengths denoting where IO data has been skipped.
`process.io.bytes_skipped.length`	long	Extended	The length of bytes skipped.
`process.io.bytes_skipped.offset`	long	Extended	The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
`process.io.max_bytes_per_process_exceeded`	boolean	Extended	If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.
`process.io.text`	wildcard	Extended	A chunk of output or input sanitized to UTF-8.
`process.io.total_bytes_captured`	long	Extended	The total number of bytes captured in this event.
`process.io.total_bytes_skipped`	long	Extended	The total number of bytes that were not captured due to implementation restrictions such as buffer size limits.
`process.io.type`	keyword	Extended	The type of object on which the IO action (read or write) was taken.
`process.macho.go_import_hash`	keyword	Extended	A hash of the Go language imports in a Mach-O file.
`process.macho.go_imports`	flattened	Extended	List of imported Go language element names and types.
`process.macho.go_imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of Go imports.
`process.macho.go_imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of Go imports.
`process.macho.go_stripped`	boolean	Extended	Whether the file is a stripped or obfuscated Go executable.
`process.macho.import_hash`	keyword	Extended	A hash of the imports in a Mach-O file.
`process.macho.imports`	flattened	Extended	List of imported element names and types.
`process.macho.imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of imported element names and types.
`process.macho.imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of imported element names and types.
`process.macho.sections`	nested	Extended	Section information of the Mach-O file.
`process.macho.sections.entropy`	long	Extended	Shannon entropy calculation from the section.
`process.macho.sections.name`	keyword	Extended	Mach-O Section List name.
`process.macho.sections.physical_size`	long	Extended	Mach-O Section List physical size.
`process.macho.sections.var_entropy`	long	Extended	Variance for Shannon entropy calculation from the section.
`process.macho.sections.virtual_size`	long	Extended	Mach-O Section List virtual size. This is always the same as `physical_size`.
`process.macho.symhash`	keyword	Extended	A hash of the imports in a Mach-O file.
`process.name`	keyword	Extended	Process name.
`process.name.text`	match_only_text	Extended	Process name.
`process.parent.args`	keyword	Extended	Array of process arguments.
`process.parent.args_count`	long	Extended	Length of the process.args array.
`process.parent.code_signature.digest_algorithm`	keyword	Extended	Hashing algorithm used to sign the process.
`process.parent.code_signature.exists`	boolean	Core	Boolean to capture if a signature is present.
`process.parent.code_signature.flags`	keyword	Extended	Code signing flags of the process
`process.parent.code_signature.signing_id`	keyword	Extended	The identifier used to sign the process.
`process.parent.code_signature.status`	keyword	Extended	Additional information about the certificate status.
`process.parent.code_signature.subject_name`	keyword	Core	Subject name of the code signer
`process.parent.code_signature.team_id`	keyword	Extended	The team identifier used to sign the process.
`process.parent.code_signature.timestamp`	date	Extended	When the signature was generated and signed.
`process.parent.code_signature.trusted`	boolean	Extended	Stores the trust status of the certificate chain.
`process.parent.code_signature.valid`	boolean	Extended	Boolean to capture if the digital signature is verified against the binary content.
`process.parent.command_line`	wildcard	Extended	Full command line that started the process.
`process.parent.command_line.text`	match_only_text	Extended	Full command line that started the process.
`process.parent.elf.architecture`	keyword	Extended	Machine architecture of the ELF file.
`process.parent.elf.byte_order`	keyword	Extended	Byte sequence of ELF file.
`process.parent.elf.cpu_type`	keyword	Extended	CPU type of the ELF file.
`process.parent.elf.creation_date`	date	Extended	Build or compile date.
`process.parent.elf.exports`	flattened	Extended	List of exported element names and types.
`process.parent.elf.go_import_hash`	keyword	Extended	A hash of the Go language imports in an ELF file.
`process.parent.elf.go_imports`	flattened	Extended	List of imported Go language element names and types.
`process.parent.elf.go_imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of Go imports.
`process.parent.elf.go_imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of Go imports.
`process.parent.elf.go_stripped`	boolean	Extended	Whether the file is a stripped or obfuscated Go executable.
`process.parent.elf.header.abi_version`	keyword	Extended	Version of the ELF Application Binary Interface (ABI).
`process.parent.elf.header.class`	keyword	Extended	Header class of the ELF file.
`process.parent.elf.header.data`	keyword	Extended	Data table of the ELF header.
`process.parent.elf.header.entrypoint`	long	Extended	Header entrypoint of the ELF file.
`process.parent.elf.header.object_version`	keyword	Extended	"0x1" for original ELF files.
`process.parent.elf.header.os_abi`	keyword	Extended	Application Binary Interface (ABI) of the Linux OS.
`process.parent.elf.header.type`	keyword	Extended	Header type of the ELF file.
`process.parent.elf.header.version`	keyword	Extended	Version of the ELF header.
`process.parent.elf.import_hash`	keyword	Extended	A hash of the imports in an ELF file.
`process.parent.elf.imports`	flattened	Extended	List of imported element names and types.
`process.parent.elf.imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of imported element names and types.
`process.parent.elf.imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of imported element names and types.
`process.parent.elf.sections`	nested	Extended	Section information of the ELF file.
`process.parent.elf.sections.chi2`	long	Extended	Chi-square probability distribution of the section.
`process.parent.elf.sections.entropy`	long	Extended	Shannon entropy calculation from the section.
`process.parent.elf.sections.flags`	keyword	Extended	ELF Section List flags.
`process.parent.elf.sections.name`	keyword	Extended	ELF Section List name.
`process.parent.elf.sections.physical_offset`	keyword	Extended	ELF Section List offset.
`process.parent.elf.sections.physical_size`	long	Extended	ELF Section List physical size.
`process.parent.elf.sections.type`	keyword	Extended	ELF Section List type.
`process.parent.elf.sections.var_entropy`	long	Extended	Variance for Shannon entropy calculation from the section.
`process.parent.elf.sections.virtual_address`	long	Extended	ELF Section List virtual address.
`process.parent.elf.sections.virtual_size`	long	Extended	ELF Section List virtual size.
`process.parent.elf.segments`	nested	Extended	ELF object segment list.
`process.parent.elf.segments.sections`	keyword	Extended	ELF object segment sections.
`process.parent.elf.segments.type`	keyword	Extended	ELF object segment type.
`process.parent.elf.shared_libraries`	keyword	Extended	List of shared libraries used by this ELF object.
`process.parent.elf.telfhash`	keyword	Extended	telfhash hash for ELF file.
`process.parent.end`	date	Extended	The time the process ended.
`process.parent.entity_id`	keyword	Extended	Unique identifier for the process.
`process.parent.executable`	keyword	Extended	Absolute path to the process executable.
`process.parent.executable.text`	match_only_text	Extended	Absolute path to the process executable.
`process.parent.exit_code`	long	Extended	The exit code of the process.
`process.parent.group_leader.entity_id`	keyword	Extended	Unique identifier for the process.
`process.parent.group_leader.pid`	long	Core	Process id.
`process.parent.group_leader.start`	date	Extended	The time the process started.
`process.parent.group_leader.vpid`	long	Core	Virtual process id.
`process.parent.group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.parent.group.name`	keyword	Extended	Name of the group.
`process.parent.hash.cdhash`	keyword	Extended	The Code Directory (CD) hash of an executable.
`process.parent.hash.md5`	keyword	Extended	MD5 hash.
`process.parent.hash.sha1`	keyword	Extended	SHA1 hash.
`process.parent.hash.sha256`	keyword	Extended	SHA256 hash.
`process.parent.hash.sha384`	keyword	Extended	SHA384 hash.
`process.parent.hash.sha512`	keyword	Extended	SHA512 hash.
`process.parent.hash.ssdeep`	keyword	Extended	SSDEEP hash.
`process.parent.hash.tlsh`	keyword	Extended	TLSH hash.
`process.parent.interactive`	boolean	Extended	Whether the process is connected to an interactive shell.
`process.parent.macho.go_import_hash`	keyword	Extended	A hash of the Go language imports in a Mach-O file.
`process.parent.macho.go_imports`	flattened	Extended	List of imported Go language element names and types.
`process.parent.macho.go_imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of Go imports.
`process.parent.macho.go_imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of Go imports.
`process.parent.macho.go_stripped`	boolean	Extended	Whether the file is a stripped or obfuscated Go executable.
`process.parent.macho.import_hash`	keyword	Extended	A hash of the imports in a Mach-O file.
`process.parent.macho.imports`	flattened	Extended	List of imported element names and types.
`process.parent.macho.imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of imported element names and types.
`process.parent.macho.imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of imported element names and types.
`process.parent.macho.sections`	nested	Extended	Section information of the Mach-O file.
`process.parent.macho.sections.entropy`	long	Extended	Shannon entropy calculation from the section.
`process.parent.macho.sections.name`	keyword	Extended	Mach-O Section List name.
`process.parent.macho.sections.physical_size`	long	Extended	Mach-O Section List physical size.
`process.parent.macho.sections.var_entropy`	long	Extended	Variance for Shannon entropy calculation from the section.
`process.parent.macho.sections.virtual_size`	long	Extended	Mach-O Section List virtual size. This is always the same as `physical_size`.
`process.parent.macho.symhash`	keyword	Extended	A hash of the imports in a Mach-O file.
`process.parent.name`	keyword	Extended	Process name.
`process.parent.name.text`	match_only_text	Extended	Process name.
`process.parent.pe.architecture`	keyword	Extended	CPU architecture target for the file.
`process.parent.pe.company`	keyword	Extended	Internal company name of the file, provided at compile-time.
`process.parent.pe.description`	keyword	Extended	Internal description of the file, provided at compile-time.
`process.parent.pe.file_version`	keyword	Extended	Process name.
`process.parent.pe.go_import_hash`	keyword	Extended	A hash of the Go language imports in a PE file.
`process.parent.pe.go_imports`	flattened	Extended	List of imported Go language element names and types.
`process.parent.pe.go_imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of Go imports.
`process.parent.pe.go_imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of Go imports.
`process.parent.pe.go_stripped`	boolean	Extended	Whether the file is a stripped or obfuscated Go executable.
`process.parent.pe.imphash`	keyword	Extended	A hash of the imports in a PE file.
`process.parent.pe.import_hash`	keyword	Extended	A hash of the imports in a PE file.
`process.parent.pe.imports`	flattened	Extended	List of imported element names and types.
`process.parent.pe.imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of imported element names and types.
`process.parent.pe.imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of imported element names and types.
`process.parent.pe.original_file_name`	keyword	Extended	Internal name of the file, provided at compile-time.
`process.parent.pe.pehash`	keyword	Extended	A hash of the PE header and data from one or more PE sections.
`process.parent.pe.product`	keyword	Extended	Internal product name of the file, provided at compile-time.
`process.parent.pe.sections`	nested	Extended	Section information of the PE file.
`process.parent.pe.sections.entropy`	long	Extended	Shannon entropy calculation from the section.
`process.parent.pe.sections.name`	keyword	Extended	PE Section List name.
`process.parent.pe.sections.physical_size`	long	Extended	PE Section List physical size.
`process.parent.pe.sections.var_entropy`	long	Extended	Variance for Shannon entropy calculation from the section.
`process.parent.pe.sections.virtual_size`	long	Extended	PE Section List virtual size. This is always the same as `physical_size`.
`process.parent.pgid`	long	Extended	Deprecated identifier of the group of processes the process belongs to.
`process.parent.pid`	long	Core	Process id.
`process.parent.real_group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.parent.real_group.name`	keyword	Extended	Name of the group.
`process.parent.real_user.id`	keyword	Core	Unique identifier of the user.
`process.parent.real_user.name`	keyword	Core	Short name or login of the user.
`process.parent.real_user.name.text`	match_only_text	Core	Short name or login of the user.
`process.parent.saved_group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.parent.saved_group.name`	keyword	Extended	Name of the group.
`process.parent.saved_user.id`	keyword	Core	Unique identifier of the user.
`process.parent.saved_user.name`	keyword	Core	Short name or login of the user.
`process.parent.saved_user.name.text`	match_only_text	Core	Short name or login of the user.
`process.parent.start`	date	Extended	The time the process started.
`process.parent.supplemental_groups.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.parent.supplemental_groups.name`	keyword	Extended	Name of the group.
`process.parent.thread.capabilities.effective`	keyword	Extended	Array of capabilities used for permission checks.
`process.parent.thread.capabilities.permitted`	keyword	Extended	Array of capabilities a thread could assume.
`process.parent.thread.id`	long	Extended	Thread ID.
`process.parent.thread.name`	keyword	Extended	Thread name.
`process.parent.title`	keyword	Extended	Process title.
`process.parent.title.text`	match_only_text	Extended	Process title.
`process.parent.tty`	object	Extended	Information about the controlling TTY device.
`process.parent.tty.char_device.major`	long	Extended	The TTY character device's major number.
`process.parent.tty.char_device.minor`	long	Extended	The TTY character device's minor number.
`process.parent.uptime`	long	Extended	Seconds the process has been up.
`process.parent.user.id`	keyword	Core	Unique identifier of the user.
`process.parent.user.name`	keyword	Core	Short name or login of the user.
`process.parent.user.name.text`	match_only_text	Core	Short name or login of the user.
`process.parent.vpid`	long	Core	Virtual process id.
`process.parent.working_directory`	keyword	Extended	The working directory of the process.
`process.parent.working_directory.text`	match_only_text	Extended	The working directory of the process.
`process.pe.architecture`	keyword	Extended	CPU architecture target for the file.
`process.pe.company`	keyword	Extended	Internal company name of the file, provided at compile-time.
`process.pe.description`	keyword	Extended	Internal description of the file, provided at compile-time.
`process.pe.file_version`	keyword	Extended	Process name.
`process.pe.go_import_hash`	keyword	Extended	A hash of the Go language imports in a PE file.
`process.pe.go_imports`	flattened	Extended	List of imported Go language element names and types.
`process.pe.go_imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of Go imports.
`process.pe.go_imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of Go imports.
`process.pe.go_stripped`	boolean	Extended	Whether the file is a stripped or obfuscated Go executable.
`process.pe.imphash`	keyword	Extended	A hash of the imports in a PE file.
`process.pe.import_hash`	keyword	Extended	A hash of the imports in a PE file.
`process.pe.imports`	flattened	Extended	List of imported element names and types.
`process.pe.imports_names_entropy`	long	Extended	Shannon entropy calculation from the list of imported element names and types.
`process.pe.imports_names_var_entropy`	long	Extended	Variance for Shannon entropy calculation from the list of imported element names and types.
`process.pe.original_file_name`	keyword	Extended	Internal name of the file, provided at compile-time.
`process.pe.pehash`	keyword	Extended	A hash of the PE header and data from one or more PE sections.
`process.pe.product`	keyword	Extended	Internal product name of the file, provided at compile-time.
`process.pe.sections`	nested	Extended	Section information of the PE file.
`process.pe.sections.entropy`	long	Extended	Shannon entropy calculation from the section.
`process.pe.sections.name`	keyword	Extended	PE Section List name.
`process.pe.sections.physical_size`	long	Extended	PE Section List physical size.
`process.pe.sections.var_entropy`	long	Extended	Variance for Shannon entropy calculation from the section.
`process.pe.sections.virtual_size`	long	Extended	PE Section List virtual size. This is always the same as `physical_size`.
`process.pgid`	long	Extended	Deprecated identifier of the group of processes the process belongs to.
`process.pid`	long	Core	Process id.
`process.previous.args`	keyword	Extended	Array of process arguments.
`process.previous.args_count`	long	Extended	Length of the process.args array.
`process.previous.executable`	keyword	Extended	Absolute path to the process executable.
`process.previous.executable.text`	match_only_text	Extended	Absolute path to the process executable.
`process.real_group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.real_group.name`	keyword	Extended	Name of the group.
`process.real_user.id`	keyword	Core	Unique identifier of the user.
`process.real_user.name`	keyword	Core	Short name or login of the user.
`process.real_user.name.text`	match_only_text	Core	Short name or login of the user.
`process.saved_group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.saved_group.name`	keyword	Extended	Name of the group.
`process.saved_user.id`	keyword	Core	Unique identifier of the user.
`process.saved_user.name`	keyword	Core	Short name or login of the user.
`process.saved_user.name.text`	match_only_text	Core	Short name or login of the user.
`process.session_leader.args`	keyword	Extended	Array of process arguments.
`process.session_leader.args_count`	long	Extended	Length of the process.args array.
`process.session_leader.command_line`	wildcard	Extended	Full command line that started the process.
`process.session_leader.command_line.text`	match_only_text	Extended	Full command line that started the process.
`process.session_leader.entity_id`	keyword	Extended	Unique identifier for the process.
`process.session_leader.executable`	keyword	Extended	Absolute path to the process executable.
`process.session_leader.executable.text`	match_only_text	Extended	Absolute path to the process executable.
`process.session_leader.group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.session_leader.group.name`	keyword	Extended	Name of the group.
`process.session_leader.interactive`	boolean	Extended	Whether the process is connected to an interactive shell.
`process.session_leader.name`	keyword	Extended	Process name.
`process.session_leader.name.text`	match_only_text	Extended	Process name.
`process.session_leader.parent.entity_id`	keyword	Extended	Unique identifier for the process.
`process.session_leader.parent.pid`	long	Core	Process id.
`process.session_leader.parent.session_leader.entity_id`	keyword	Extended	Unique identifier for the process.
`process.session_leader.parent.session_leader.pid`	long	Core	Process id.
`process.session_leader.parent.session_leader.start`	date	Extended	The time the process started.
`process.session_leader.parent.session_leader.vpid`	long	Core	Virtual process id.
`process.session_leader.parent.start`	date	Extended	The time the process started.
`process.session_leader.parent.vpid`	long	Core	Virtual process id.
`process.session_leader.pid`	long	Core	Process id.
`process.session_leader.real_group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.session_leader.real_group.name`	keyword	Extended	Name of the group.
`process.session_leader.real_user.id`	keyword	Core	Unique identifier of the user.
`process.session_leader.real_user.name`	keyword	Core	Short name or login of the user.
`process.session_leader.real_user.name.text`	match_only_text	Core	Short name or login of the user.
`process.session_leader.same_as_process`	boolean	Extended	This boolean is used to identify if a leader process is the same as the top level process.
`process.session_leader.saved_group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.session_leader.saved_group.name`	keyword	Extended	Name of the group.
`process.session_leader.saved_user.id`	keyword	Core	Unique identifier of the user.
`process.session_leader.saved_user.name`	keyword	Core	Short name or login of the user.
`process.session_leader.saved_user.name.text`	match_only_text	Core	Short name or login of the user.
`process.session_leader.start`	date	Extended	The time the process started.
`process.session_leader.supplemental_groups.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.session_leader.supplemental_groups.name`	keyword	Extended	Name of the group.
`process.session_leader.tty`	object	Extended	Information about the controlling TTY device.
`process.session_leader.tty.char_device.major`	long	Extended	The TTY character device's major number.
`process.session_leader.tty.char_device.minor`	long	Extended	The TTY character device's minor number.
`process.session_leader.user.id`	keyword	Core	Unique identifier of the user.
`process.session_leader.user.name`	keyword	Core	Short name or login of the user.
`process.session_leader.user.name.text`	match_only_text	Core	Short name or login of the user.
`process.session_leader.vpid`	long	Core	Virtual process id.
`process.session_leader.working_directory`	keyword	Extended	The working directory of the process.
`process.session_leader.working_directory.text`	match_only_text	Extended	The working directory of the process.
`process.start`	date	Extended	The time the process started.
`process.supplemental_groups.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`process.supplemental_groups.name`	keyword	Extended	Name of the group.
`process.thread.capabilities.effective`	keyword	Extended	Array of capabilities used for permission checks.
`process.thread.capabilities.permitted`	keyword	Extended	Array of capabilities a thread could assume.
`process.thread.id`	long	Extended	Thread ID.
`process.thread.name`	keyword	Extended	Thread name.
`process.title`	keyword	Extended	Process title.
`process.title.text`	match_only_text	Extended	Process title.
`process.tty`	object	Extended	Information about the controlling TTY device.
`process.tty.char_device.major`	long	Extended	The TTY character device's major number.
`process.tty.char_device.minor`	long	Extended	The TTY character device's minor number.
`process.tty.columns`	long	Extended	The number of character columns per line. e.g terminal width
`process.tty.rows`	long	Extended	The number of character rows in the terminal. e.g terminal height
`process.uptime`	long	Extended	Seconds the process has been up.
`process.user.id`	keyword	Core	Unique identifier of the user.
`process.user.name`	keyword	Core	Short name or login of the user.
`process.user.name.text`	match_only_text	Core	Short name or login of the user.
`process.vpid`	long	Core	Virtual process id.
`process.working_directory`	keyword	Extended	The working directory of the process.
`process.working_directory.text`	match_only_text	Extended	The working directory of the process.

Field Details

`process.args`

Type: keyword

Type: keyword

Level: Extended

Description: CPU type of the ELF file.

Example: Intel

Indexed: true

`process.elf.imports`

Type: flattened

Level: Extended

Description: List of imported element names and types.

Normalization: array

Indexed: true

`process.elf.imports_names_entropy`

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of imported element names and types.

Indexed: true

`process.elf.imports_names_var_entropy`

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the list of imported element names and types.

Indexed: true

`process.elf.sections`

Type: nested

`process.elf.segments.sections`

Type: keyword

Level: Extended

Description: ELF object segment sections.

Indexed: true

`process.elf.segments.type`

Type: keyword

Level: Extended

Description: ELF object segment type.

Indexed: true

`process.elf.shared_libraries`

Type: keyword

Level: Extended

Description: List of shared libraries used by this ELF object.

Normalization: array

Indexed: true

Type: keyword

Level: Extended

Description: Array of process arguments.

Example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]

Normalization: array

Indexed: true

`process.entry_leader.args_count`

Type: long

Level: Extended

Description: Length of the process.args array.

Example: 4

Indexed: true

Type: ip

Level: Core

Description: IP address of the source.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: long

Level: Core

Description: Process id.

Example: 4242

Indexed: true

`process.entry_leader.real_group.id`

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

`process.entry_leader.supplemental_groups.name`

Type: keyword

Level: Extended

Description: Name of the group.

Indexed: true

Type: keyword

Level: Extended

Description: Array of environment variable bindings.

Example: ["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]

Normalization: array

Indexed: true

`process.executable`

Type: keyword

Level: Extended

Description: Absolute path to the process executable.

Example: /usr/bin/ssh

Indexed: true

`process.executable.text`

Type: match_only_text

Level: Extended

Description: Absolute path to the process executable.

Example: /usr/bin/ssh

Indexed: true

`process.exit_code`

Type: long

Level: Extended

Description: The exit code of the process.

Example: 137

Indexed: true

`process.group_leader.args`

Type: keyword

Type: match_only_text

Level: Extended

Description: Absolute path to the process executable.

Example: /usr/bin/ssh

Indexed: true

`process.group_leader.group.id`

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

`process.group_leader.supplemental_groups.name`

Type: keyword

Level: Extended

Description: Name of the group.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

`process.group.name`

Type: keyword

Level: Extended

Description: Name of the group.

Indexed: true

`process.hash.cdhash`

Type: keyword

Type: boolean

Level: Extended

Description: Whether the process is connected to an interactive shell.

Example: True

Indexed: true

`process.io`

Type: object

Level: Extended

Description: A chunk of input or output (IO) from a single process.

Indexed: true

`process.io.bytes_skipped`

Type: object

Type: keyword

Level: Extended

Description: A hash of the Go language imports in a Mach-O file.

Example: 10bddcb4cee42080f76c88d9ff964491

Indexed: true

`process.macho.go_imports`

Type: flattened

Level: Extended

Description: List of imported Go language element names and types.

Indexed: true

`process.macho.go_imports_names_entropy`

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of Go imports.

Indexed: true

`process.macho.go_imports_names_var_entropy`

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the list of Go imports.

Indexed: true

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of imported element names and types.

Indexed: true

`process.macho.imports_names_var_entropy`

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the list of imported element names and types.

Indexed: true

`process.macho.sections`

Type: nested

Type: keyword

Type: keyword

Level: Extended

Description: CPU type of the ELF file.

Example: Intel

Indexed: true

`process.parent.elf.imports`

Type: flattened

Level: Extended

Description: List of imported element names and types.

Normalization: array

Indexed: true

`process.parent.elf.imports_names_entropy`

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of imported element names and types.

Indexed: true

`process.parent.elf.imports_names_var_entropy`

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the list of imported element names and types.

Indexed: true

`process.parent.elf.sections`

Type: nested

`process.parent.elf.segments.sections`

Type: keyword

Level: Extended

Description: ELF object segment sections.

Indexed: true

`process.parent.elf.segments.type`

Type: keyword

Level: Extended

Description: ELF object segment type.

Indexed: true

`process.parent.elf.shared_libraries`

Type: keyword

Level: Extended

Description: List of shared libraries used by this ELF object.

Normalization: array

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

`process.parent.group.name`

Type: keyword

Level: Extended

Description: Name of the group.

Indexed: true

`process.parent.hash.cdhash`

Type: keyword

Type: flattened

Level: Extended

Description: List of imported Go language element names and types.

Indexed: true

`process.parent.macho.go_imports_names_entropy`

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of Go imports.

Indexed: true

`process.parent.macho.go_imports_names_var_entropy`

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the list of Go imports.

Indexed: true

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of imported element names and types.

Indexed: true

`process.parent.macho.imports_names_var_entropy`

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the list of imported element names and types.

Indexed: true

`process.parent.macho.sections`

Type: nested

Type: flattened

Level: Extended

Description: List of imported Go language element names and types.

Indexed: true

`process.parent.pe.go_imports_names_entropy`

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of Go imports.

Indexed: true

`process.parent.pe.go_imports_names_var_entropy`

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the list of Go imports.

Indexed: true

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of imported element names and types.

Indexed: true

Type: long

Level: Core

Description: Process id.

Example: 4242

Indexed: true

`process.parent.real_group.id`

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Type: long

Level: Extended

Description: Thread ID.

Example: 4242

Indexed: true

`process.parent.thread.name`

Type: keyword

Level: Extended

Description: Thread name.

Example: thread-0

Indexed: true

`process.parent.title`

Type: keyword

Level: Extended

Description: Process title.

Indexed: true

`process.parent.title.text`

Type: match_only_text

Level: Extended

Description: Process title.

Indexed: true

Type: keyword

Level: Extended

Description: A hash of the Go language imports in a PE file.

Example: 10bddcb4cee42080f76c88d9ff964491

Indexed: true

`process.pe.go_imports`

Type: flattened

Level: Extended

Description: List of imported Go language element names and types.

Indexed: true

`process.pe.go_imports_names_entropy`

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of Go imports.

Indexed: true

`process.pe.go_imports_names_var_entropy`

Type: long

Level: Extended

Description: Variance for Shannon entropy calculation from the list of Go imports.

Indexed: true

Type: long

Level: Extended

Description: Shannon entropy calculation from the list of imported element names and types.

Indexed: true

Type: long

Level: Core

Description: Process id.

Example: 4242

Indexed: true

`process.previous.args`

Type: keyword

Level: Extended

Description: Array of process arguments.

Example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]

Normalization: array

Indexed: true

`process.previous.args_count`

Type: long

Level: Extended

Description: Length of the process.args array.

Example: 4

Indexed: true

`process.previous.executable`

Type: keyword

Level: Extended

Description: Absolute path to the process executable.

Example: /usr/bin/ssh

Indexed: true

`process.previous.executable.text`

Type: match_only_text

Level: Extended

Description: Absolute path to the process executable.

Example: /usr/bin/ssh

Indexed: true

`process.real_group.id`

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: keyword

Type: match_only_text

Level: Extended

Description: Absolute path to the process executable.

Example: /usr/bin/ssh

Indexed: true

`process.session_leader.group.id`

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: long

Level: Core

Description: Process id.

Example: 4242

Indexed: true

`process.session_leader.real_group.id`

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

`process.session_leader.supplemental_groups.name`

Type: keyword

Level: Extended

Description: Name of the group.

Indexed: true

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Type: long

Level: Extended

Description: Thread ID.

Example: 4242

Indexed: true

`process.thread.name`

Type: keyword

Level: Extended

Description: Thread name.

Example: thread-0

Indexed: true

`process.title`

Type: keyword

Level: Extended

Description: Process title.

Indexed: true

`process.title.text`

Type: match_only_text

Level: Extended

Description: Process title.

Indexed: true

Type: keyword

Level: Extended

Description: The working directory of the process.

Example: /home/alice

Indexed: true

`process.working_directory.text`

Type: match_only_text

Level: Extended

Description: The working directory of the process.

Example: /home/alice

Indexed: true

Package Registry