Class: Process
The Process object describes a running instance of a launched program.
URI: ocsf:Process
classDiagram
class Process
click Process href "../Process/"
ContainerProfile <|-- Process
click ContainerProfile href "../ContainerProfile/"
ProcessEntity <|-- Process
click ProcessEntity href "../ProcessEntity/"
Process <|-- LinuxProcess
click LinuxProcess href "../LinuxProcess/"
Process <|-- MacosProcess
click MacosProcess href "../MacosProcess/"
Process <|-- WindowsProcess
click WindowsProcess href "../WindowsProcess/"
Process : ancestry
Process --> "*" ProcessEntity : ancestry
click ProcessEntity href "../ProcessEntity/"
Process : cmd_line
Process : container
Process --> "0..1 _recommended_" Container : container
click Container href "../Container/"
Process : cpid
Process : created_time
Process : environment_variables
Process --> "*" EnvironmentVariable : environment_variables
click EnvironmentVariable href "../EnvironmentVariable/"
Process : file
Process --> "0..1 _recommended_" File : file
click File href "../File/"
Process : integrity
Process : integrity_id
Process --> "0..1" IntegrityIdEnum : integrity_id
click IntegrityIdEnum href "../IntegrityIdEnum/"
Process : lineage
Process : loaded_modules
Process : name
Process : namespace_pid
Process : parent_process
Process --> "0..1 _recommended_" Process : parent_process
click Process href "../Process/"
Process : path
Process : pid
Process : ptid
Process : sandbox
Process : session
Process --> "0..1" Session : session
click Session href "../Session/"
Process : terminated_time
Process : tid
Process : uid
Process : user
Process --> "0..1 _recommended_" User : user
click User href "../User/"
Process : working_directory
Process : xattributes
Process --> "0..1" Object : xattributes
click Object href "../Object/"
Inheritance
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| ancestry | * ProcessEntity | An array of Process Entities describing the extended parentage of this process object. Direct parent information should be expressed through the parent_process attribute. The first array element is the direct parent of this process object; subsequent elements go up the process parentage hierarchy, so the array is sorted from newest to oldest process. It is recommended to only populate this field for the top-level process object. | direct |
| environment_variables | * EnvironmentVariable | Environment variables associated with the process. | direct |
| file | 0..1 recommended File | The process file object. | direct |
| integrity | 0..1 String | The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only). | direct |
| integrity_id | 0..1 IntegrityIdEnum | The normalized identifier of the process integrity level (Windows only). | direct |
| lineage | * FilePathT | Deprecated: use the ancestry attribute. The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | direct |
| loaded_modules | * String | The list of loaded module names. | direct |
| parent_process | 0..1 recommended Process | The parent process of this process object. It is recommended to only populate this field for the top-level process object, to prevent deep nesting. Additional ancestry information can be supplied in the ancestry attribute. | direct |
| ptid | 0..1 Integer | The identifier of the process thread associated with the event, as returned by the operating system. | direct |
| sandbox | 0..1 String | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. | direct |
| session | 0..1 Session | The user session under which this process is running. | direct |
| terminated_time | 0..1 TimestampT | The time when the process was terminated. | direct |
| tid | 0..1 Integer | Deprecated since 1.6.0 in favor of ptid, whose type long_t accommodates the thread identifiers returned by all platforms (e.g. 64-bit on macOS). The identifier of the thread associated with the event, as returned by the operating system. | direct |
| user | 0..1 recommended User | The user under which this process is running. | direct |
| working_directory | 0..1 String | The working directory of a process. | direct |
| xattributes | 0..1 Object | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | direct |
| container | 0..1 recommended Container | The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd. | ContainerProfile |
| namespace_pid | 0..1 recommended Integer | If running under a process namespace (such as in a container), the process identifier within that process namespace. | ContainerProfile |
| cmd_line | 0..1 recommended String | The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used. | ProcessEntity |
| cpid | 0..1 recommended UuidT | A unique process identifier that can be assigned deterministically by multiple system data producers (see the OCSF Common Process Identifier specification, https://github.com/ocsf/common-process-id). | ProcessEntity |
| created_time | 0..1 recommended TimestampT | The time when the process was created/started. | ProcessEntity |
| name | 0..1 recommended String | The friendly name of the process, for example: Notepad++. | Entity, ProcessEntity |
| path | 0..1 String | The process file path. | ProcessEntity |
| pid | 0..1 recommended Integer | The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. | ProcessEntity |
| uid | 0..1 recommended String | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. | Entity, ProcessEntity |
Usages
| used by | used in | type | used |
|---|---|---|---|
| QueryEvidence | process | range | Process |
| StartupItem | process | range | Process |
| Actor | process | range | Process |
| Evidences | process | range | Process |
| Process | parent_process | range | Process |
| ModuleQuery | process | range | Process |
| NetworkConnectionQuery | process | range | Process |
| ProcessQuery | process | range | Process |
| SecurityFinding | process | range | Process |
| Authentication | logon_process | range | Process |
| ProcessRemediationActivity | process | range | Process |
| MemoryActivity | process | range | Process |
| ProcessActivity | process | range | Process |
| LinuxProcess | parent_process | range | Process |
| MacosProcess | parent_process | range | Process |
| WindowsEvidences | process | range | Process |
| WindowsProcess | parent_process | range | Process |
| WindowsQueryEvidence | process | range | Process |
| WindowsStartupItem | process | range | Process |
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| OCSF at_least_one: at least one of pid, uid, cpid must be set | (none) | any_of: pid required; or uid required; or cpid required | (none) |
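As an added illustration (not OCSF project code), the Python below builds a Process object from a hypothetical producer-side process table and checks the constraints this page states: the at_least_one rule over pid, uid and cpid; the empty-string rule for a missing cmd_line; ptid in place of the deprecated tid; and the parentage guidance, under which parent_process carries only the direct parent while ancestry carries the whole chain, first element the direct parent, ordered newest to oldest. RawProc, SAMPLE and all pid values are constructed for the example; the ancestor paths reuse the page's own lineage example.

```python
"""Build and check OCSF Process objects as a producer would (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass
class RawProc:
    """Hypothetical record for one live process, e.g. what an agent reads from /proc."""
    pid: int
    ppid: int
    path: str
    created_time: int            # epoch milliseconds
    cmd_line: str | None = None  # None models "command line unavailable"
    tid: int | None = None       # OS thread id tied to the event, if any


# Constructed sample process table keyed by pid (not real telemetry).
SAMPLE: dict[int, RawProc] = {
    1:    RawProc(1, 0, "/usr/lib/systemd/systemd", 1700000000000, "/usr/lib/systemd/systemd --system"),
    812:  RawProc(812, 1, "/usr/sbin/sshd", 1700000100000, "sshd: alice [priv]"),
    2210: RawProc(2210, 812, "/usr/bin/bash", 1700000200000, "-bash"),
    2290: RawProc(2290, 2210, "/usr/bin/whoami", 1700000300000, None, tid=2290),
}


def process_entity(raw: RawProc) -> dict[str, Any]:
    """ProcessEntity-shaped dict: the attributes an ancestry item carries."""
    return {
        "pid": raw.pid,
        "path": raw.path,
        "name": raw.path.rsplit("/", 1)[-1],
        # cmd_line rule: when unavailable, the empty string is used, not null.
        "cmd_line": raw.cmd_line if raw.cmd_line is not None else "",
        "created_time": raw.created_time,
    }


def build_process(pid: int, table: dict[int, RawProc]) -> dict[str, Any]:
    """Top-level Process: parent_process is the direct parent only (no nesting);
    ancestry is the full chain, first element the direct parent, newest to oldest."""
    raw = table[pid]
    obj = process_entity(raw)
    if raw.tid is not None:
        obj["ptid"] = raw.tid  # tid is deprecated since 1.6.0; emit ptid instead
    chain: list[dict[str, Any]] = []
    seen = {pid}
    cur = raw.ppid
    while cur in table and cur not in seen:  # stops at pid 1 (ppid 0 absent) and on cycles
        seen.add(cur)
        chain.append(process_entity(table[cur]))
        cur = table[cur].ppid
    if chain:
        obj["parent_process"] = dict(chain[0])
        obj["ancestry"] = chain
    return obj


def validate_process(obj: dict[str, Any]) -> list[str]:
    """Check the constraints this page states for Process; return problems found."""
    problems: list[str] = []
    if all(obj.get(k) in (None, "") for k in ("pid", "uid", "cpid")):
        problems.append("at_least_one: pid, uid or cpid must be set")
    if "lineage" in obj:
        problems.append("lineage is deprecated; use ancestry")
    if "tid" in obj:
        problems.append("tid is deprecated; use ptid")
    parent = obj.get("parent_process")
    ancestry = obj.get("ancestry") or []
    if parent is not None:
        if "parent_process" in parent:
            problems.append("parent_process must not be nested; put the chain in ancestry")
        if ancestry and ancestry[0].get("pid") != parent.get("pid"):
            problems.append("ancestry[0] must be the direct parent (newest-to-oldest order)")
    return problems


if __name__ == "__main__":
    import json
    proc = build_process(2290, SAMPLE)
    print(json.dumps(proc, indent=2))
    print("problems:", validate_process(proc))
```

The validator only checks what this page pins down; ProcessEntity-level rules for the ancestry items are not on this page and are deliberately not asserted here.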
In Subsets
- objects_subset
Aliases
- Process
See Also
- https://d3fend.mitre.org/dao/artifact/d3f:Process/
Notes
- D3FEND™ Ontology d3f:Process — https://d3fend.mitre.org/dao/artifact/d3f:Process/
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["pid", "uid", "cpid"]} |
| observable_id | 25 |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Process |
| native | ocsf:Process |
| exact | stix:Process, uco_master:Process |
LinkML Source
Direct

```yaml
name: Process
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["pid", "uid", "cpid"]}'
  observable_id:
    tag: observable_id
    value: 25
description: The Process object describes a running instance of a launched program.
notes:
- 'D3FEND™ Ontology d3f:Process — https://d3fend.mitre.org/dao/artifact/d3f:Process/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:Process/
aliases:
- Process
exact_mappings:
- stix:Process
- uco_master:Process
is_a: ProcessEntity
mixins:
- ContainerProfile
slots:
- ancestry
- environment_variables
- file
- integrity
- integrity_id
- lineage
- loaded_modules
- parent_process
- ptid
- sandbox
- session
- terminated_time
- tid
- user
- working_directory
- xattributes
slot_usage:
  environment_variables:
    name: environment_variables
    description: Environment variables associated with the process.
  file:
    name: file
    description: The process file object.
    recommended: true
  lineage:
    name: lineage
    deprecated: Use the <code>ancestry</code> attribute.
  parent_process:
    name: parent_process
    recommended: true
  session:
    name: session
    description: The user session under which this process is running.
  terminated_time:
    name: terminated_time
    description: The time when the process was terminated.
  user:
    name: user
    description: The user under which this process is running.
    recommended: true
  xattributes:
    name: xattributes
    description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
rules:
- postconditions:
    any_of:
    - slot_conditions:
        pid:
          name: pid
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        cpid:
          name: cpid
          required: true
  description: 'OCSF at_least_one: at least one of [''pid'', ''uid'', ''cpid''] must be set.'
```
Induced
name: Process
annotations:
ocsf_constraints:
tag: ocsf_constraints
value: '{"at_least_one": ["pid", "uid", "cpid"]}'
observable_id:
tag: observable_id
value: 25
description: The Process object describes a running instance of a launched program.
notes:
- 'D3FEND™ Ontology d3f:Process —
https://d3fend.mitre.org/dao/artifact/d3f:Process/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:Process/
aliases:
- Process
exact_mappings:
- stix:Process
- uco_master:Process
is_a: ProcessEntity
mixins:
- ContainerProfile
slot_usage:
environment_variables:
name: environment_variables
description: Environment variables associated with the process.
file:
name: file
description: The process file object.
recommended: true
lineage:
name: lineage
deprecated: Use the <code>ancestry</code> attribute.
parent_process:
name: parent_process
recommended: true
session:
name: session
description: The user session under which this process is running.
terminated_time:
name: terminated_time
description: The time when the process was terminated.
user:
name: user
description: The user under which this process is running.
recommended: true
xattributes:
name: xattributes
description: 'An unordered collection of zero or more name/value pairs that represent
a
process extended attribute.'
attributes:
ancestry:
name: ancestry
description: 'An array of Process Entities describing the extended parentage of
this process
object. Direct parent information should be expressed through the
<code>parent_process</code> attribute. The first array element is the direct
parent of this process object. Subsequent list elements go up the process
parentage hierarchy. That is, the array is sorted from newest to oldest
process. It is recommended to only populate this field for the top-level
process object.'
notes:
- 'Guidance on Representing Process Parentage —
https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md'
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md
aliases:
- Ancestry
rank: 1000
alias: ancestry
owner: Process
domain_of:
- Process
range: ProcessEntity
multivalued: true
environment_variables:
name: environment_variables
description: Environment variables associated with the process.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Environment Variables
rank: 1000
alias: environment_variables
owner: Process
domain_of:
- Process
range: EnvironmentVariable
multivalued: true
file:
name: file
description: The process file object.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- File
rank: 1000
alias: file
owner: Process
domain_of:
- Osint
- QueryEvidence
- Script
- AffectedCode
- Databucket
- Evidences
- Job
- KernelDriver
- Module
- Process
- FileHosting
- FileQuery
- DataSecurityFinding
- EmailFileActivity
- FtpActivity
- HttpActivity
- NetworkFileActivity
- RdpActivity
- SmbActivity
- SshActivity
- FileRemediationActivity
- EventLogActvity
- FileActivity
range: File
recommended: true
integrity:
name: integrity
description: 'The process integrity level, normalized to the caption of the integrity_id
value. In the case of ''Other'', it is defined by the event source (Windows
only).'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Integrity
rank: 1000
alias: integrity
owner: Process
domain_of:
- Process
range: string
integrity_id:
name: integrity_id
annotations:
sibling:
tag: sibling
value: integrity
description: The normalized identifier of the process integrity level (Windows
only).
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Integrity Level
rank: 1000
alias: integrity_id
owner: Process
domain_of:
- Process
range: IntegrityIdEnum
lineage:
name: lineage
description: 'The lineage of the process, represented by a list of paths for each
ancestor
process. For example: <code>[''/usr/sbin/sshd'', ''/usr/bin/bash'',
''/usr/bin/whoami'']</code>.'
deprecated: Use the <code>ancestry</code> attribute.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Lineage
rank: 1000
alias: lineage
owner: Process
domain_of:
- Process
range: FilePathT
multivalued: true
loaded_modules:
name: loaded_modules
description: The list of loaded module names.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Loaded Modules
rank: 1000
alias: loaded_modules
owner: Process
domain_of:
- Process
range: string
multivalued: true
parent_process:
name: parent_process
description: 'The parent process of this process object. It is recommended to
only populate
this field for the top-level process object, to prevent deep nesting.
Additional ancestry information can be supplied in the <code>ancestry</code>
attribute.'
notes:
- 'Guidance on Representing Process Parentage —
https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md'
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md
aliases:
- Parent Process
rank: 1000
alias: parent_process
owner: Process
domain_of:
- Process
range: Process
recommended: true
ptid:
name: ptid
description: 'The identifier of the process thread associated with the event,
as returned by
the operating system.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Process Thread ID
rank: 1000
alias: ptid
owner: Process
domain_of:
- Process
range: integer
sandbox:
name: sandbox
description: 'The name of the containment jail (i.e., sandbox). For example, hardened_ps,
high_security_ps, oracle_ps, netsvcs_ps, or default_ps.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Sandbox
rank: 1000
alias: sandbox
owner: Process
domain_of:
- Process
range: string
session:
name: session
description: The user session under which this process is running.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Session
rank: 1000
alias: session
owner: Process
domain_of:
- QueryEvidence
- Actor
- NetworkConnectionInfo
- Process
- SessionQuery
- Authentication
- AuthorizeSession
- TunnelActivity
range: Session
terminated_time:
name: terminated_time
description: The time when the process was terminated.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Terminated Time
rank: 1000
alias: terminated_time
owner: Process
domain_of:
- Process
range: TimestampT
tid:
name: tid
description: 'The identifier of the thread associated with the event, as returned
by the
operating system.'
deprecated: '<code>tid</code> is deprecated in favor of <code>ptid</code>. <code>ptid</code>
has type <code>long_t</code> which can accommodate the thread identifiers
returned by all platforms (e.g. 64-bit on MacOS). (since 1.6.0)'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Thread ID
rank: 1000
alias: tid
owner: Process
domain_of:
- Process
range: integer
user:
name: user
description: The user under which this process is running.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- User
rank: 1000
alias: user
owner: Process
domain_of:
- QueryEvidence
- Actor
- Evidences
- Job
- ManagedEntity
- Process
- UserInventory
- UserQuery
- IamAnalysisFinding
- AccountChange
- Authentication
- AuthorizeSession
- GroupManagement
- UserAccess
- RdpActivity
- TunnelActivity
range: User
recommended: true
working_directory:
name: working_directory
description: The working directory of a process.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Working Directory
rank: 1000
alias: working_directory
owner: Process
domain_of:
- Process
range: string
xattributes:
name: xattributes
description: 'An unordered collection of zero or more name/value pairs that represent
a
process extended attribute.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Extended Attributes
rank: 1000
alias: xattributes
owner: Process
domain_of:
- File
- Process
range: Object
container:
name: container
annotations:
group:
tag: group
value: context
description: 'The information describing an instance of a container. A container
is a
prepackaged, portable system image that runs isolated on an existing system
using a container runtime like containerd.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Container
rank: 1000
alias: container
owner: Process
domain_of:
- Evidences
- ContainerProfile
- CloudResourcesInventoryInfo
range: Container
recommended: true
namespace_pid:
name: namespace_pid
annotations:
group:
tag: group
value: context
description: 'If running under a process namespace (such as in a container), the
process
identifier within that process namespace.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Namespace PID
rank: 1000
alias: namespace_pid
owner: Process
domain_of:
- ContainerProfile
range: integer
recommended: true
cmd_line:
name: cmd_line
annotations:
observable_id:
tag: observable_id
value: 13
description: 'The full command line used to launch an application, service, process,
or job.
For example: <code>ssh user@10.0.0.10</code>. If the command line is
unavailable or missing, the empty string <code>''''</code> is to be used.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Command Line
rank: 1000
alias: cmd_line
owner: Process
domain_of:
- Job
- ProcessEntity
- WinService
range: string
recommended: true
cpid:
name: cpid
annotations:
ocsf_source:
tag: ocsf_source
value: cpid
description: 'A unique process identifier that can be assigned deterministically
by multiple
system data producers.'
notes:
- 'OCSF Common Process Identifier (CPID) Specification —
https://github.com/ocsf/common-process-id'
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://github.com/ocsf/common-process-id
aliases:
- Common Process Identifier
rank: 1000
alias: cpid
owner: Process
domain_of:
- ProcessEntity
range: UuidT
recommended: true
created_time:
name: created_time
description: The time when the process was created/started.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Created Time
rank: 1000
alias: created_time
owner: Process
domain_of:
- Osint
- RelatedEvent
- Sbom
- Scim
- Session
- Sso
- Token
- Whois
- Resource
- Advisory
- AuthenticationToken
- Certificate
- Cve
- Database
- Databucket
- DigitalSignature
- Enrichment
- Epss
- File
- FindingObject
- FindingInfo
- Job
- KbArticle
- LdapPerson
- ProcessEntity
- Table
- Device
range: TimestampT
recommended: true
name:
name: name
description: 'The friendly name of the process, for example: <code>Notepad++</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Name
rank: 1000
alias: name
owner: Process
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- Parameter
- PrivilegeInfo
- San
- Scim
- Script
- ServicePrivilegeAnalysis
- SoftwareComponent
- Sso
- StartupItem
- ThreatActor
- Token
- Entity
- Resource
- Account
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- AutonomousSystem
- Campaign
- Check
- CisBenchmark
- CisBenchmarkResult
- CisControl
- ClassifierDetails
- Container
- D3fTactic
- D3fTechnique
- Database
- Databucket
- DomainContact
- Edge
- Endpoint
- Enrichment
- EnvironmentVariable
- Evidences
- Extension
- Feature
- File
- Graph
- Group
- HttpCookie
- HttpHeader
- Idp
- Image
- Job
- Kernel
- KeyValueObject
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metric
- Mitigation
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- ResourceDetails
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- FtpActivity
- RegValue
- WinResource
- WinService
- PrefetchQuery
range: string
recommended: true
path:
name: path
description: The process file path.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Path
rank: 1000
alias: path
owner: Process
domain_of:
- Url
- AffectedPackage
- File
- HttpCookie
- Image
- Kernel
- Malware
- ProcessEntity
- Product
- RegKey
- RegValue
range: string
pid:
name: pid
annotations:
observable_id:
tag: observable_id
value: 15
description: 'The process identifier, as reported by the operating system. Process
ID (PID)
is a number used by the operating system to uniquely identify an active
process.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Process ID
rank: 1000
alias: pid
owner: Process
domain_of:
- ProcessEntity
range: integer
recommended: true
uid:
name: uid
description: 'A unique identifier for this process assigned by the producer (tool).
Facilitates correlation of a process event with other events for that process.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Unique ID
rank: 1000
alias: uid
owner: Process
domain_of:
- Osint
- Package
- ProgrammaticCredential
- RelatedEvent
- Request
- Sbom
- Scim
- Script
- Session
- Span
- Sso
- Ticket
- Token
- Trace
- Entity
- Resource
- Account
- Advisory
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- Certificate
- Check
- ClassifierDetails
- Container
- Cve
- Cwe
- D3fTactic
- D3fTechnique
- DataClassification
- Database
- Databucket
- DomainContact
- Edge
- Email
- Endpoint
- Evidences
- Extension
- Feature
- File
- FindingObject
- FindingInfo
- Graph
- Group
- HttpRequest
- Idp
- Image
- KbArticle
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metadata
- Mitigation
- NetworkConnectionInfo
- NetworkEndpoint
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- WinResource
range: string
recommended: true
rules:
- postconditions:
any_of:
- slot_conditions:
pid:
name: pid
required: true
- slot_conditions:
uid:
name: uid
required: true
- slot_conditions:
cpid:
name: cpid
required: true
description: 'OCSF at_least_one: at least one of [''pid'', ''uid'', ''cpid''] must
be set.'