Enum: ProcessActivityActivityIdEnum
ProcessActivity activity_id values.
URI: ocsf:ProcessActivityActivityIdEnum
Permissible Values
| Value | Meaning | Description |
|---|---|---|
| LAUNCH | None | A request by the actor to launch another process |
| TERMINATE | None | A request by the actor to terminate a process |
| OPEN | None | A request by the actor to obtain a handle or descriptor to a process with the aim of performing further actions upon that process |
| INJECT | None | A request by the actor to execute code within the context of a process |
| SET_USER_ID | None | A request by the actor to change its user identity by invoking the <code>setuid()</code> system call |
| UNKNOWN | None | The event activity is unknown |
| OTHER | None | The event activity is not mapped |
Slots
| Name | Description |
|---|---|
| activity_id | |
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
LinkML Source
name: ProcessActivityActivityIdEnum
description: ProcessActivity activity_id values.
from_schema: https://w3id.org/lmodel/ocsf
rank: 1000
permissible_values:
  LAUNCH:
    text: LAUNCH
    description: 'A request by the actor to launch another process. Refer to the
      <code>launch_type_id</code> attribute for details of the specific launch type.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '1'
      caption:
        tag: caption
        value: Launch
  TERMINATE:
    text: TERMINATE
    description: 'A request by the actor to terminate a process. This activity is
      most commonly
      reflexive, this being the case when a process exits at its own initiation. Note
      too that Windows security products cannot always identify the actor in the case
      of inter-process termination. In this case, <code>actor.process</code> and
      <code>process</code> refer to the exiting process, i.e. indistinguishable from
      the reflexive case.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '2'
      caption:
        tag: caption
        value: Terminate
  OPEN:
    text: OPEN
    description: 'A request by the actor to obtain a handle or descriptor to a process
      with the
      aim of performing further actions upon that process. The target is usually a
      different process but this activity can also be reflexive.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '3'
      caption:
        tag: caption
        value: Open
  INJECT:
    text: INJECT
    description: 'A request by the actor to execute code within the context of a process.
      The
      target is usually a different process but this activity can also be reflexive.
      Refer to the <code>injection_type_id</code> attribute for details of the
      specific injection type.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '4'
      caption:
        tag: caption
        value: Inject
  SET_USER_ID:
    text: SET_USER_ID
    description: 'A request by the actor to change its user identity by invoking the
      <code>setuid()</code> system call. Common programs like <code>su</code> and
      <code>sudo</code> use this mechanism. Note that the <em>impersonation</em>
      mechanism on Windows is not directly equivalent because it acts at the thread
      level.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '5'
      caption:
        tag: caption
        value: Set User ID
  UNKNOWN:
    text: UNKNOWN
    description: The event activity is unknown.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '0'
      caption:
        tag: caption
        value: Unknown
  OTHER:
    text: OTHER
    description: 'The event activity is not mapped. See the <code>activity_name</code>
      attribute,
      which contains a data source specific value.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '99'
      caption:
        tag: caption
        value: Other