Class: ProcessEntity
The Process Entity object provides critical fields for referencing a process.
URI: ocsf:ProcessEntity
```mermaid
classDiagram
    class ProcessEntity
    click ProcessEntity href "../ProcessEntity/"
    Entity <|-- ProcessEntity
    click Entity href "../Entity/"
    ProcessEntity <|-- Process
    click Process href "../Process/"
    ProcessEntity : cmd_line
    ProcessEntity : cpid
    ProcessEntity : created_time
    ProcessEntity : name
    ProcessEntity : path
    ProcessEntity : pid
    ProcessEntity : uid
```
Inheritance
- OcsfObject
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| cmd_line | 0..1 recommended String | The full command line used to launch an application, service, process, or job | direct |
| cpid | 0..1 recommended UuidT | A unique process identifier that can be assigned deterministically by multipl... | direct |
| created_time | 0..1 recommended TimestampT | The time when the process was created/started | direct |
| name | 0..1 recommended String | The friendly name of the process, for example: Notepad++ | direct |
| path | 0..1 String | The process file path | direct |
| pid | 0..1 recommended Integer | The process identifier, as reported by the operating system | direct |
| uid | 0..1 recommended String | A unique identifier for this process assigned by the producer (tool) | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| Process | ancestry | range | ProcessEntity |
| LinuxProcess | ancestry | range | ProcessEntity |
| MacosProcess | ancestry | range | ProcessEntity |
| WindowsProcess | ancestry | range | ProcessEntity |
| WinService | hosting_process | range | ProcessEntity |
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of | | [{'slot_conditions': {'cmd_line': {'required': True}}}, {'slot_conditions': {'name': {'required': True}}}, {'slot_conditions': {'path': {'required': True}}}, {'slot_conditions': {'pid': {'required': True}}}, {'slot_conditions': {'uid': {'required': True}}}, {'slot_conditions': {'cpid': {'required': True}}}] | |
In Subsets
Aliases
- Process Entity
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["cmd_line", "name", "path", "pid", "uid", "cpid"]} |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:ProcessEntity |
| native | ocsf:ProcessEntity |
LinkML Source
Direct
```yaml
name: ProcessEntity
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["cmd_line", "name", "path", "pid", "uid", "cpid"]}'
description: The Process Entity object provides critical fields for referencing a
  process.
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Process Entity
is_a: Entity
slots:
- cmd_line
- cpid
- created_time
- name
- path
- pid
- uid
slot_usage:
  cmd_line:
    name: cmd_line
    recommended: true
  cpid:
    name: cpid
    recommended: true
  created_time:
    name: created_time
    description: The time when the process was created/started.
    recommended: true
  name:
    name: name
    description: 'The friendly name of the process, for example: <code>Notepad++</code>.'
  path:
    name: path
    description: The process file path.
  pid:
    name: pid
    recommended: true
  uid:
    name: uid
    description: 'A unique identifier for this process assigned by the producer (tool).
      Facilitates correlation of a process event with other events for that process.'
rules:
- postconditions:
    any_of:
    - slot_conditions:
        cmd_line:
          name: cmd_line
          required: true
    - slot_conditions:
        name:
          name: name
          required: true
    - slot_conditions:
        path:
          name: path
          required: true
    - slot_conditions:
        pid:
          name: pid
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        cpid:
          name: cpid
          required: true
  description: 'OCSF at_least_one: at least one of [''cmd_line'', ''name'', ''path'',
    ''pid'', ''uid'',
    ''cpid''] must be set.'
```
Induced
```yaml
name: ProcessEntity
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["cmd_line", "name", "path", "pid", "uid", "cpid"]}'
description: The Process Entity object provides critical fields for referencing a
  process.
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Process Entity
is_a: Entity
slot_usage:
  cmd_line:
    name: cmd_line
    recommended: true
  cpid:
    name: cpid
    recommended: true
  created_time:
    name: created_time
    description: The time when the process was created/started.
    recommended: true
  name:
    name: name
    description: 'The friendly name of the process, for example: <code>Notepad++</code>.'
  path:
    name: path
    description: The process file path.
  pid:
    name: pid
    recommended: true
  uid:
    name: uid
    description: 'A unique identifier for this process assigned by the producer (tool).
      Facilitates correlation of a process event with other events for that process.'
attributes:
  cmd_line:
    name: cmd_line
    annotations:
      observable_id:
        tag: observable_id
        value: 13
    description: 'The full command line used to launch an application, service, process,
      or job.
      For example: <code>ssh user@10.0.0.10</code>. If the command line is
      unavailable or missing, the empty string <code>''''</code> is to be used.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Command Line
    rank: 1000
    alias: cmd_line
    owner: ProcessEntity
    domain_of:
    - Job
    - ProcessEntity
    - WinService
    range: string
    recommended: true
  cpid:
    name: cpid
    annotations:
      ocsf_source:
        tag: ocsf_source
        value: cpid
    description: 'A unique process identifier that can be assigned deterministically
      by multiple
      system data producers.'
    notes:
    - 'OCSF Common Process Identifier (CPID) Specification —
      https://github.com/ocsf/common-process-id'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://github.com/ocsf/common-process-id
    aliases:
    - Common Process Identifier
    rank: 1000
    alias: cpid
    owner: ProcessEntity
    domain_of:
    - ProcessEntity
    range: UuidT
    recommended: true
  created_time:
    name: created_time
    description: The time when the process was created/started.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Created Time
    rank: 1000
    alias: created_time
    owner: ProcessEntity
    domain_of:
    - Osint
    - RelatedEvent
    - Sbom
    - Scim
    - Session
    - Sso
    - Token
    - Whois
    - Resource
    - Advisory
    - AuthenticationToken
    - Certificate
    - Cve
    - Database
    - Databucket
    - DigitalSignature
    - Enrichment
    - Epss
    - File
    - FindingObject
    - FindingInfo
    - Job
    - KbArticle
    - LdapPerson
    - ProcessEntity
    - Table
    - Device
    range: TimestampT
    recommended: true
  name:
    name: name
    description: 'The friendly name of the process, for example: <code>Notepad++</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: ProcessEntity
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  path:
    name: path
    description: The process file path.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Path
    rank: 1000
    alias: path
    owner: ProcessEntity
    domain_of:
    - Url
    - AffectedPackage
    - File
    - HttpCookie
    - Image
    - Kernel
    - Malware
    - ProcessEntity
    - Product
    - RegKey
    - RegValue
    range: string
  pid:
    name: pid
    annotations:
      observable_id:
        tag: observable_id
        value: 15
    description: 'The process identifier, as reported by the operating system. Process
      ID (PID)
      is a number used by the operating system to uniquely identify an active
      process.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process ID
    rank: 1000
    alias: pid
    owner: ProcessEntity
    domain_of:
    - ProcessEntity
    range: integer
    recommended: true
  uid:
    name: uid
    description: 'A unique identifier for this process assigned by the producer (tool).
      Facilitates correlation of a process event with other events for that process.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: ProcessEntity
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        cmd_line:
          name: cmd_line
          required: true
    - slot_conditions:
        name:
          name: name
          required: true
    - slot_conditions:
        path:
          name: path
          required: true
    - slot_conditions:
        pid:
          name: pid
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        cpid:
          name: cpid
          required: true
  description: 'OCSF at_least_one: at least one of [''cmd_line'', ''name'', ''path'',
    ''pid'', ''uid'',
    ''cpid''] must be set.'
```