Class: MacosProcess
Extends the process object to add macOS specific fields
URI: ocsf:MacosProcess
classDiagram
class MacosProcess
click MacosProcess href "../MacosProcess/"
MacosUsersProfile <|-- MacosProcess
click MacosUsersProfile href "../MacosUsersProfile/"
Process <|-- MacosProcess
click Process href "../Process/"
MacosProcess : ancestry
MacosProcess --> "*" ProcessEntity : ancestry
click ProcessEntity href "../ProcessEntity/"
MacosProcess : cmd_line
MacosProcess : container
MacosProcess --> "0..1 _recommended_" Container : container
click Container href "../Container/"
MacosProcess : cpid
MacosProcess : created_time
MacosProcess : egid
MacosProcess : environment_variables
MacosProcess --> "*" EnvironmentVariable : environment_variables
click EnvironmentVariable href "../EnvironmentVariable/"
MacosProcess : euid
MacosProcess : file
MacosProcess --> "0..1 _recommended_" File : file
click File href "../File/"
MacosProcess : integrity
MacosProcess : integrity_id
MacosProcess --> "0..1" IntegrityIdEnum : integrity_id
click IntegrityIdEnum href "../IntegrityIdEnum/"
MacosProcess : lineage
MacosProcess : loaded_modules
MacosProcess : name
MacosProcess : namespace_pid
MacosProcess : parent_process
MacosProcess --> "0..1 _recommended_" Process : parent_process
click Process href "../Process/"
MacosProcess : path
MacosProcess : pid
MacosProcess : ptid
MacosProcess : sandbox
MacosProcess : session
MacosProcess --> "0..1" Session : session
click Session href "../Session/"
MacosProcess : terminated_time
MacosProcess : tid
MacosProcess : uid
MacosProcess : user
MacosProcess --> "0..1 _recommended_" User : user
click User href "../User/"
MacosProcess : working_directory
MacosProcess : xattributes
MacosProcess --> "0..1" Object : xattributes
click Object href "../Object/"
Inheritance
- OcsfObject
  - Object
    - Entity
      - ProcessEntity
        - Process [ContainerProfile]
          - MacosProcess [MacosUsersProfile]
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| egid | 0..1 Integer | The effective group under which this process is running | MacosUsersProfile |
| euid | 0..1 Integer | The effective user under which this process is running | MacosUsersProfile |
| ancestry | * ProcessEntity | An array of Process Entities describing the extended parentage of this process object. Direct parent information should be expressed through the parent_process attribute. The first array element is the direct parent of this process object; subsequent elements go up the process parentage hierarchy, so the array is sorted from newest to oldest process. It is recommended to only populate this field for the top-level process object | Process |
| environment_variables | * EnvironmentVariable | Environment variables associated with the process | Process |
| file | 0..1 recommended File | The process file object | Process |
| integrity | 0..1 String | The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only) | Process |
| integrity_id | 0..1 IntegrityIdEnum | The normalized identifier of the process integrity level (Windows only) | Process |
| lineage | * FilePathT | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. Deprecated: use the ancestry attribute | Process |
| loaded_modules | * String | The list of loaded module names | Process |
| parent_process | 0..1 recommended Process | The parent process of this process object. It is recommended to only populate this field for the top-level process object, to prevent deep nesting. Additional ancestry information can be supplied in the ancestry attribute | Process |
| ptid | 0..1 Integer | The identifier of the process thread associated with the event, as returned by the operating system | Process |
| sandbox | 0..1 String | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps | Process |
| session | 0..1 Session | The user session under which this process is running | Process |
| terminated_time | 0..1 TimestampT | The time when the process was terminated | Process |
| tid | 0..1 Integer | The identifier of the thread associated with the event, as returned by the operating system. Deprecated in favor of ptid, whose type long_t can accommodate the thread identifiers returned by all platforms (e.g. 64-bit on macOS) (since 1.6.0) | Process |
| user | 0..1 recommended User | The user under which this process is running | Process |
| working_directory | 0..1 String | The working directory of a process | Process |
| xattributes | 0..1 Object | An unordered collection of zero or more name/value pairs that represent a process extended attribute | Process |
| container | 0..1 recommended Container | The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd | ContainerProfile |
| namespace_pid | 0..1 recommended Integer | If running under a process namespace (such as in a container), the process identifier within that process namespace | ContainerProfile |
| cmd_line | 0..1 recommended String | The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used | ProcessEntity |
| cpid | 0..1 recommended UuidT | A unique process identifier that can be assigned deterministically by multiple system data producers | ProcessEntity |
| created_time | 0..1 recommended TimestampT | The time when the process was created/started | ProcessEntity |
| name | 0..1 recommended String | The friendly name of the process, for example: Notepad++ | Entity, ProcessEntity |
| path | 0..1 String | The process file path | ProcessEntity |
| pid | 0..1 recommended Integer | The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process | ProcessEntity |
| uid | 0..1 recommended String | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process | Entity, ProcessEntity |
In Subsets
- macos_extension_subset
Aliases
- macOS Process
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_extension | macos |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:MacosProcess |
| native | ocsf:MacosProcess |
| close | uco_master:UNIXProcess |
LinkML Source
Direct
```yaml
name: MacosProcess
annotations:
  ocsf_extension:
    tag: ocsf_extension
    value: macos
description: Extends the process object to add macOS specific fields
in_subset:
- macos_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- macOS Process
close_mappings:
- uco_master:UNIXProcess
is_a: Process
mixins:
- MacosUsersProfile
```
Induced
```yaml
name: MacosProcess
annotations:
  ocsf_extension:
    tag: ocsf_extension
    value: macos
description: Extends the process object to add macOS specific fields
in_subset:
- macos_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- macOS Process
close_mappings:
- uco_master:UNIXProcess
is_a: Process
mixins:
- MacosUsersProfile
attributes:
  egid:
    name: egid
    description: The effective group under which this process is running.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Effective Group ID
    rank: 1000
    alias: egid
    owner: MacosProcess
    domain_of:
    - LinuxUsersProfile
    - MacosUsersProfile
    range: integer
  euid:
    name: euid
    description: The effective user under which this process is running.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Effective User ID
    rank: 1000
    alias: euid
    owner: MacosProcess
    domain_of:
    - LinuxUsersProfile
    - MacosUsersProfile
    range: integer
  ancestry:
    name: ancestry
    description: 'An array of Process Entities describing the extended parentage of
      this process
      object. Direct parent information should be expressed through the
      <code>parent_process</code> attribute. The first array element is the direct
      parent of this process object. Subsequent list elements go up the process
      parentage hierarchy. That is, the array is sorted from newest to oldest
      process. It is recommended to only populate this field for the top-level
      process object.'
    notes:
    - 'Guidance on Representing Process Parentage —
      https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md
    aliases:
    - Ancestry
    rank: 1000
    alias: ancestry
    owner: MacosProcess
    domain_of:
    - Process
    range: ProcessEntity
    multivalued: true
  environment_variables:
    name: environment_variables
    description: Environment variables associated with the process.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Environment Variables
    rank: 1000
    alias: environment_variables
    owner: MacosProcess
    domain_of:
    - Process
    range: EnvironmentVariable
    multivalued: true
  file:
    name: file
    description: The process file object.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - File
    rank: 1000
    alias: file
    owner: MacosProcess
    domain_of:
    - Osint
    - QueryEvidence
    - Script
    - AffectedCode
    - Databucket
    - Evidences
    - Job
    - KernelDriver
    - Module
    - Process
    - FileHosting
    - FileQuery
    - DataSecurityFinding
    - EmailFileActivity
    - FtpActivity
    - HttpActivity
    - NetworkFileActivity
    - RdpActivity
    - SmbActivity
    - SshActivity
    - FileRemediationActivity
    - EventLogActvity
    - FileActivity
    range: File
    recommended: true
  integrity:
    name: integrity
    description: 'The process integrity level, normalized to the caption of the integrity_id
      value. In the case of ''Other'', it is defined by the event source (Windows
      only).'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Integrity
    rank: 1000
    alias: integrity
    owner: MacosProcess
    domain_of:
    - Process
    range: string
  integrity_id:
    name: integrity_id
    annotations:
      sibling:
        tag: sibling
        value: integrity
    description: The normalized identifier of the process integrity level (Windows
      only).
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Integrity Level
    rank: 1000
    alias: integrity_id
    owner: MacosProcess
    domain_of:
    - Process
    range: IntegrityIdEnum
  lineage:
    name: lineage
    description: 'The lineage of the process, represented by a list of paths for each
      ancestor
      process. For example: <code>[''/usr/sbin/sshd'', ''/usr/bin/bash'',
      ''/usr/bin/whoami'']</code>.'
    deprecated: Use the <code>ancestry</code> attribute.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Lineage
    rank: 1000
    alias: lineage
    owner: MacosProcess
    domain_of:
    - Process
    range: FilePathT
    multivalued: true
  loaded_modules:
    name: loaded_modules
    description: The list of loaded module names.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Loaded Modules
    rank: 1000
    alias: loaded_modules
    owner: MacosProcess
    domain_of:
    - Process
    range: string
    multivalued: true
  parent_process:
    name: parent_process
    description: 'The parent process of this process object. It is recommended to
      only populate
      this field for the top-level process object, to prevent deep nesting.
      Additional ancestry information can be supplied in the <code>ancestry</code>
      attribute.'
    notes:
    - 'Guidance on Representing Process Parentage —
      https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md
    aliases:
    - Parent Process
    rank: 1000
    alias: parent_process
    owner: MacosProcess
    domain_of:
    - Process
    range: Process
    recommended: true
  ptid:
    name: ptid
    description: 'The identifier of the process thread associated with the event,
      as returned by
      the operating system.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process Thread ID
    rank: 1000
    alias: ptid
    owner: MacosProcess
    domain_of:
    - Process
    range: integer
  sandbox:
    name: sandbox
    description: 'The name of the containment jail (i.e., sandbox). For example, hardened_ps,
      high_security_ps, oracle_ps, netsvcs_ps, or default_ps.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Sandbox
    rank: 1000
    alias: sandbox
    owner: MacosProcess
    domain_of:
    - Process
    range: string
  session:
    name: session
    description: The user session under which this process is running.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Session
    rank: 1000
    alias: session
    owner: MacosProcess
    domain_of:
    - QueryEvidence
    - Actor
    - NetworkConnectionInfo
    - Process
    - SessionQuery
    - Authentication
    - AuthorizeSession
    - TunnelActivity
    range: Session
  terminated_time:
    name: terminated_time
    description: The time when the process was terminated.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Terminated Time
    rank: 1000
    alias: terminated_time
    owner: MacosProcess
    domain_of:
    - Process
    range: TimestampT
  tid:
    name: tid
    description: 'The identifier of the thread associated with the event, as returned
      by the
      operating system.'
    deprecated: '<code>tid</code> is deprecated in favor of <code>ptid</code>. <code>ptid</code>
      has type <code>long_t</code> which can accommodate the thread identifiers
      returned by all platforms (e.g. 64-bit on MacOS). (since 1.6.0)'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Thread ID
    rank: 1000
    alias: tid
    owner: MacosProcess
    domain_of:
    - Process
    range: integer
  user:
    name: user
    description: The user under which this process is running.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - User
    rank: 1000
    alias: user
    owner: MacosProcess
    domain_of:
    - QueryEvidence
    - Actor
    - Evidences
    - Job
    - ManagedEntity
    - Process
    - UserInventory
    - UserQuery
    - IamAnalysisFinding
    - AccountChange
    - Authentication
    - AuthorizeSession
    - GroupManagement
    - UserAccess
    - RdpActivity
    - TunnelActivity
    range: User
    recommended: true
  working_directory:
    name: working_directory
    description: The working directory of a process.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Working Directory
    rank: 1000
    alias: working_directory
    owner: MacosProcess
    domain_of:
    - Process
    range: string
  xattributes:
    name: xattributes
    description: 'An unordered collection of zero or more name/value pairs that represent
      a
      process extended attribute.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Extended Attributes
    rank: 1000
    alias: xattributes
    owner: MacosProcess
    domain_of:
    - File
    - Process
    range: Object
  container:
    name: container
    annotations:
      group:
        tag: group
        value: context
    description: 'The information describing an instance of a container. A container
      is a
      prepackaged, portable system image that runs isolated on an existing system
      using a container runtime like containerd.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Container
    rank: 1000
    alias: container
    owner: MacosProcess
    domain_of:
    - Evidences
    - ContainerProfile
    - CloudResourcesInventoryInfo
    range: Container
    recommended: true
  namespace_pid:
    name: namespace_pid
    annotations:
      group:
        tag: group
        value: context
    description: 'If running under a process namespace (such as in a container), the
      process
      identifier within that process namespace.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Namespace PID
    rank: 1000
    alias: namespace_pid
    owner: MacosProcess
    domain_of:
    - ContainerProfile
    range: integer
    recommended: true
  cmd_line:
    name: cmd_line
    annotations:
      observable_id:
        tag: observable_id
        value: 13
    description: 'The full command line used to launch an application, service, process,
      or job.
      For example: <code>ssh user@10.0.0.10</code>. If the command line is
      unavailable or missing, the empty string <code>''''</code> is to be used.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Command Line
    rank: 1000
    alias: cmd_line
    owner: MacosProcess
    domain_of:
    - Job
    - ProcessEntity
    - WinService
    range: string
    recommended: true
  cpid:
    name: cpid
    annotations:
      ocsf_source:
        tag: ocsf_source
        value: cpid
    description: 'A unique process identifier that can be assigned deterministically
      by multiple
      system data producers.'
    notes:
    - 'OCSF Common Process Identifier (CPID) Specification —
      https://github.com/ocsf/common-process-id'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://github.com/ocsf/common-process-id
    aliases:
    - Common Process Identifier
    rank: 1000
    alias: cpid
    owner: MacosProcess
    domain_of:
    - ProcessEntity
    range: UuidT
    recommended: true
  created_time:
    name: created_time
    description: The time when the process was created/started.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Created Time
    rank: 1000
    alias: created_time
    owner: MacosProcess
    domain_of:
    - Osint
    - RelatedEvent
    - Sbom
    - Scim
    - Session
    - Sso
    - Token
    - Whois
    - Resource
    - Advisory
    - AuthenticationToken
    - Certificate
    - Cve
    - Database
    - Databucket
    - DigitalSignature
    - Enrichment
    - Epss
    - File
    - FindingObject
    - FindingInfo
    - Job
    - KbArticle
    - LdapPerson
    - ProcessEntity
    - Table
    - Device
    range: TimestampT
    recommended: true
  name:
    name: name
    description: 'The friendly name of the process, for example: <code>Notepad++</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: MacosProcess
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  path:
    name: path
    description: The process file path.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Path
    rank: 1000
    alias: path
    owner: MacosProcess
    domain_of:
    - Url
    - AffectedPackage
    - File
    - HttpCookie
    - Image
    - Kernel
    - Malware
    - ProcessEntity
    - Product
    - RegKey
    - RegValue
    range: string
  pid:
    name: pid
    annotations:
      observable_id:
        tag: observable_id
        value: 15
    description: 'The process identifier, as reported by the operating system. Process
      ID (PID)
      is a number used by the operating system to uniquely identify an active
      process.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process ID
    rank: 1000
    alias: pid
    owner: MacosProcess
    domain_of:
    - ProcessEntity
    range: integer
    recommended: true
  uid:
    name: uid
    description: 'A unique identifier for this process assigned by the producer (tool).
      Facilitates correlation of a process event with other events for that process.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: MacosProcess
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
```