Class: Process

_The Process Object represents common properties of an instance of a computer program as executed on an operating system._

URI: attack:Process

 classDiagram
    class Process
    click Process href "../Process/"
      CyberObservableObject <|-- Process
        click CyberObservableObject href "../CyberObservableObject/"
      Process : child_refs
      Process : command_line
      Process : created_time
      Process : creator_user_ref
      Process : cwd
      Process : defanged
      Process : description
      Process : environment_variables
      Process : extensions
      Process : granular_markings
        Process --> "*" GranularMarking : granular_markings
        click GranularMarking href "../GranularMarking/"
      Process : id
      Process : image_ref
      Process : is_hidden
      Process : name
      Process : object_marking_refs
      Process : opened_connection_refs
      Process : parent_ref
      Process : pid
      Process : spec_version
        Process --> "0..1" SpecVersionEnum : spec_version
        click SpecVersionEnum href "../SpecVersionEnum/"
      Process : type

Inheritance

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| is_hidden | 0..1 Boolean | Specifies whether the process is hidden | direct |
| pid | 0..1 Integer | Specifies the Process ID, or PID, of the process | direct |
| created_time | 0..1 Datetime | Process creation time | direct |
| cwd | 0..1 String | Current working directory | direct |
| command_line | 0..1 String | Process command line | direct |
| environment_variables | 0..1 String | Environment variable payload | direct |
| opened_connection_refs | * StixIdentifier | Referenced opened network connections | direct |
| creator_user_ref | 0..1 StixIdentifier | Creating user reference | direct |
| image_ref | 0..1 StixIdentifier | Process image file reference | direct |
| parent_ref | 0..1 StixIdentifier | Parent process reference | direct |
| child_refs | * StixIdentifier | Child process references | direct |
| type | 1 StixTypeName | STIX object type | StixEntity, CyberObservableCore |
| spec_version | 0..1 SpecVersionEnum | STIX specification version | CyberObservableCore |
| id | 1 StixIdentifier | STIX object identifier | StixEntity, CyberObservableCore |
| object_marking_refs | * StixIdentifier | Marking definition references applied to this object | CyberObservableCore |
| granular_markings | * GranularMarking | Granular markings that apply to selected content | CyberObservableCore |
| defanged | 0..1 Boolean | Defines whether or not the data contained within the object has been defanged | CyberObservableCore |
| extensions | * String | Open-ended extension payloads | CyberObservableCore |
| name | 0..1 String | Human-readable name | StixEntity |
| description | 0..1 String | Human-readable description | StixEntity |

In Subsets

Comments

  • jsonschema_rule: anyOf validator_hint: process-any-of-field-presence jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/process.json

Notes

  • JSON Schema uses anyOf presence constraints across many optional process fields.

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/attack

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | attack:Process |
| native | attack:Process |
| exact | unified_cyber_ontology:Process |

LinkML Source

Direct

name: Process
description: 'The Process Object represents common properties of an instance of a
  computer program as executed on an operating system. '
notes:
- JSON Schema uses anyOf presence constraints across many optional process fields.
comments:
- 'jsonschema_rule: anyOf validator_hint: process-any-of-field-presence jsonschema_source:
  https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/process.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
exact_mappings:
- unified_cyber_ontology:Process
is_a: CyberObservableObject
slots:
- is_hidden
- pid
- created_time
- cwd
- command_line
- environment_variables
- opened_connection_refs
- creator_user_ref
- image_ref
- parent_ref
- child_refs
slot_usage:
  id:
    name: id
    pattern: ^process--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  type:
    name: type
    pattern: ^process$
  opened_connection_refs:
    name: opened_connection_refs
    comments:
    - 'jsonschema_minItems: "1"'
  child_refs:
    name: child_refs
    comments:
    - 'jsonschema_minItems: "1"'

Induced

name: Process
description: 'The Process Object represents common properties of an instance of a
  computer program as executed on an operating system. '
notes:
- JSON Schema uses anyOf presence constraints across many optional process fields.
comments:
- 'jsonschema_rule: anyOf validator_hint: process-any-of-field-presence jsonschema_source:
  https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/process.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
exact_mappings:
- unified_cyber_ontology:Process
is_a: CyberObservableObject
slot_usage:
  id:
    name: id
    pattern: ^process--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  type:
    name: type
    pattern: ^process$
  opened_connection_refs:
    name: opened_connection_refs
    comments:
    - 'jsonschema_minItems: "1"'
  child_refs:
    name: child_refs
    comments:
    - 'jsonschema_minItems: "1"'
attributes:
  is_hidden:
    name: is_hidden
    description: Specifies whether the process is hidden.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: is_hidden
    owner: Process
    domain_of:
    - Process
    range: boolean
  pid:
    name: pid
    description: Specifies the Process ID, or PID, of the process.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: pid
    owner: Process
    domain_of:
    - Process
    range: integer
  created_time:
    name: created_time
    description: Process creation time.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: created_time
    owner: Process
    domain_of:
    - Process
    range: datetime
  cwd:
    name: cwd
    description: Current working directory.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: cwd
    owner: Process
    domain_of:
    - Process
    range: string
  command_line:
    name: command_line
    description: Process command line.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: command_line
    owner: Process
    domain_of:
    - Process
    range: string
  environment_variables:
    name: environment_variables
    description: Environment variable payload.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: environment_variables
    owner: Process
    domain_of:
    - Process
    range: string
  opened_connection_refs:
    name: opened_connection_refs
    description: Referenced opened network connections.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: opened_connection_refs
    owner: Process
    domain_of:
    - Process
    range: stix_identifier
    multivalued: true
  creator_user_ref:
    name: creator_user_ref
    description: Creating user reference.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: creator_user_ref
    owner: Process
    domain_of:
    - Process
    - WindowsRegistryKey
    range: stix_identifier
  image_ref:
    name: image_ref
    description: Process image file reference.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: image_ref
    owner: Process
    domain_of:
    - Process
    range: stix_identifier
  parent_ref:
    name: parent_ref
    description: Parent process reference.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: parent_ref
    owner: Process
    domain_of:
    - Process
    range: stix_identifier
  child_refs:
    name: child_refs
    description: Child process references.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: child_refs
    owner: Process
    domain_of:
    - Process
    range: stix_identifier
    multivalued: true
  type:
    name: type
    description: STIX object type.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:state
    rank: 1000
    alias: type
    owner: Process
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_type_name
    required: true
    pattern: ^process$
  spec_version:
    name: spec_version
    description: STIX specification version.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:specVersion
    rank: 1000
    alias: spec_version
    owner: Process
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: SpecVersionEnum
  id:
    name: id
    description: STIX object identifier.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: id
    owner: Process
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_identifier
    required: true
    pattern: ^process--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  object_marking_refs:
    name: object_marking_refs
    description: Marking definition references applied to this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: object_marking_refs
    owner: Process
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: stix_identifier
    multivalued: true
  granular_markings:
    name: granular_markings
    description: Granular markings that apply to selected content.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    narrow_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: granular_markings
    owner: Process
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: GranularMarking
    multivalued: true
  defanged:
    name: defanged
    description: Defines whether or not the data contained within the object has been
      defanged.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: defanged
    owner: Process
    domain_of:
    - CyberObservableCore
    range: boolean
  extensions:
    name: extensions
    description: Open-ended extension payloads.
    notes:
    - JSON Schema uses patternProperties for extension keys; exact key validation
      is delegated to validator tooling.
    comments:
    - 'jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values'
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:hasFacet
    rank: 1000
    alias: extensions
    owner: Process
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    - File
    range: string
    multivalued: true
  name:
    name: name
    description: Human-readable name.
    from_schema: https://w3id.org/lmodel/attack
    exact_mappings:
    - unified_cyber_ontology:name
    rank: 1000
    alias: name
    owner: Process
    domain_of:
    - RelatedAsset
    - StixEntity
    - ExtensionDefinition
    - MarkingDefinition
    - AutonomousSystem
    - File
    range: string
  description:
    name: description
    description: Human-readable description.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:description
    rank: 1000
    alias: description
    owner: Process
    domain_of:
    - RelatedAsset
    - MutableElement
    - StixEntity
    - ExtensionDefinition
    - ExternalReference
    range: string