# Class: WindowsProcess
Extends the process object to add Windows specific fields.
URI: ocsf:WindowsProcess
```mermaid
classDiagram
    class WindowsProcess
    click WindowsProcess href "../WindowsProcess/"
    Process <|-- WindowsProcess
    click Process href "../Process/"
    WindowsProcess : ancestry
    WindowsProcess --> "*" ProcessEntity : ancestry
    click ProcessEntity href "../ProcessEntity/"
    WindowsProcess : cmd_line
    WindowsProcess : container
    WindowsProcess --> "0..1 _recommended_" Container : container
    click Container href "../Container/"
    WindowsProcess : cpid
    WindowsProcess : created_time
    WindowsProcess : environment_variables
    WindowsProcess --> "*" EnvironmentVariable : environment_variables
    click EnvironmentVariable href "../EnvironmentVariable/"
    WindowsProcess : file
    WindowsProcess --> "0..1 _recommended_" File : file
    click File href "../File/"
    WindowsProcess : hosted_services
    WindowsProcess --> "*" WinService : hosted_services
    click WinService href "../WinService/"
    WindowsProcess : integrity
    WindowsProcess : integrity_id
    WindowsProcess --> "0..1" IntegrityIdEnum : integrity_id
    click IntegrityIdEnum href "../IntegrityIdEnum/"
    WindowsProcess : lineage
    WindowsProcess : loaded_modules
    WindowsProcess : name
    WindowsProcess : namespace_pid
    WindowsProcess : parent_process
    WindowsProcess --> "0..1 _recommended_" Process : parent_process
    click Process href "../Process/"
    WindowsProcess : path
    WindowsProcess : pid
    WindowsProcess : ptid
    WindowsProcess : sandbox
    WindowsProcess : session
    WindowsProcess --> "0..1" Session : session
    click Session href "../Session/"
    WindowsProcess : terminated_time
    WindowsProcess : tid
    WindowsProcess : uid
    WindowsProcess : user
    WindowsProcess --> "0..1 _recommended_" User : user
    click User href "../User/"
    WindowsProcess : working_directory
    WindowsProcess : xattributes
    WindowsProcess --> "0..1" Object : xattributes
    click Object href "../Object/"
```
## Inheritance

- OcsfObject
  - Object
    - Entity
      - ProcessEntity
        - Process [ContainerProfile]
          - WindowsProcess
## Slots

| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| hosted_services | * WinService | The Windows services that this process is hosting | direct |
| ancestry | * ProcessEntity | An array of Process Entities describing the extended parentage of this proces... | Process |
| environment_variables | * EnvironmentVariable | Environment variables associated with the process | Process |
| file | 0..1 recommended File | The process file object | Process |
| integrity | 0..1 String | The process integrity level, normalized to the caption of the integrity_id value | Process |
| integrity_id | 0..1 IntegrityIdEnum | The normalized identifier of the process integrity level (Windows only) | Process |
| lineage | * FilePathT | The lineage of the process, represented by a list of paths for each ancestor process | Process |
| loaded_modules | * String | The list of loaded module names | Process |
| parent_process | 0..1 recommended Process | The parent process of this process object | Process |
| ptid | 0..1 Integer | The identifier of the process thread associated with the event, as returned b... | Process |
| sandbox | 0..1 String | The name of the containment jail (i.e., sandbox) | Process |
| session | 0..1 Session | The user session under which this process is running | Process |
| terminated_time | 0..1 TimestampT | The time when the process was terminated | Process |
| tid | 0..1 Integer | The identifier of the thread associated with the event, as returned by the operating system | Process |
| user | 0..1 recommended User | The user under which this process is running | Process |
| working_directory | 0..1 String | The working directory of a process | Process |
| xattributes | 0..1 Object | An unordered collection of zero or more name/value pairs that represent a process extended attribute | Process |
| container | 0..1 recommended Container | The information describing an instance of a container | ContainerProfile |
| namespace_pid | 0..1 recommended Integer | If running under a process namespace (such as in a container), the process identifier within that process namespace | ContainerProfile |
| cmd_line | 0..1 recommended String | The full command line used to launch an application, service, process, or job | ProcessEntity |
| cpid | 0..1 recommended UuidT | A unique process identifier that can be assigned deterministically by multipl... | ProcessEntity |
| created_time | 0..1 recommended TimestampT | The time when the process was created/started | ProcessEntity |
| name | 0..1 recommended String | The friendly name of the process, for example: Notepad++ | Entity, ProcessEntity |
| path | 0..1 String | The process file path | ProcessEntity |
| pid | 0..1 recommended Integer | The process identifier, as reported by the operating system | ProcessEntity |
| uid | 0..1 recommended String | A unique identifier for this process assigned by the producer (tool) | Entity, ProcessEntity |
## Rules

| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of |  | [{'slot_conditions': {'pid': {'required': True}}}, {'slot_conditions': {'uid': {'required': True}}}, {'slot_conditions': {'cpid': {'required': True}}}] |  |
## In Subsets

- windows_extension_subset
## Aliases
- Process
## Identifier and Mapping Information
### Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["pid", "uid", "cpid"]} |
| ocsf_extension | windows |
### Schema Source
- from schema: https://w3id.org/lmodel/ocsf
### Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:WindowsProcess |
| native | ocsf:WindowsProcess |
| exact | uco_master:WindowsProcess |
## LinkML Source

### Direct

```yaml
name: WindowsProcess
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["pid", "uid", "cpid"]}'
  ocsf_extension:
    tag: ocsf_extension
    value: windows
description: Extends the process object to add Windows specific fields.
in_subset:
- windows_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Process
exact_mappings:
- uco_master:WindowsProcess
is_a: Process
slots:
- hosted_services
rules:
- postconditions:
    any_of:
    - slot_conditions:
        pid:
          name: pid
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        cpid:
          name: cpid
          required: true
  description: 'OCSF at_least_one: at least one of [''pid'', ''uid'', ''cpid''] must
    be set.'
```
### Induced

```yaml
name: WindowsProcess
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["pid", "uid", "cpid"]}'
  ocsf_extension:
    tag: ocsf_extension
    value: windows
description: Extends the process object to add Windows specific fields.
in_subset:
- windows_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Process
exact_mappings:
- uco_master:WindowsProcess
is_a: Process
attributes:
  hosted_services:
    name: hosted_services
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: The Windows services that this process is hosting.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Hosted Services
    rank: 1000
    alias: hosted_services
    owner: WindowsProcess
    domain_of:
    - WindowsProcess
    range: WinService
    multivalued: true
  ancestry:
    name: ancestry
    description: 'An array of Process Entities describing the extended parentage of
      this process
      object. Direct parent information should be expressed through the
      <code>parent_process</code> attribute. The first array element is the direct
      parent of this process object. Subsequent list elements go up the process
      parentage hierarchy. That is, the array is sorted from newest to oldest
      process. It is recommended to only populate this field for the top-level
      process object.'
    notes:
    - 'Guidance on Representing Process Parentage —
      https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md
    aliases:
    - Ancestry
    rank: 1000
    alias: ancestry
    owner: WindowsProcess
    domain_of:
    - Process
    range: ProcessEntity
    multivalued: true
  environment_variables:
    name: environment_variables
    description: Environment variables associated with the process.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Environment Variables
    rank: 1000
    alias: environment_variables
    owner: WindowsProcess
    domain_of:
    - Process
    range: EnvironmentVariable
    multivalued: true
  file:
    name: file
    description: The process file object.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - File
    rank: 1000
    alias: file
    owner: WindowsProcess
    domain_of:
    - Osint
    - QueryEvidence
    - Script
    - AffectedCode
    - Databucket
    - Evidences
    - Job
    - KernelDriver
    - Module
    - Process
    - FileHosting
    - FileQuery
    - DataSecurityFinding
    - EmailFileActivity
    - FtpActivity
    - HttpActivity
    - NetworkFileActivity
    - RdpActivity
    - SmbActivity
    - SshActivity
    - FileRemediationActivity
    - EventLogActvity
    - FileActivity
    range: File
    recommended: true
  integrity:
    name: integrity
    description: 'The process integrity level, normalized to the caption of the integrity_id
      value. In the case of ''Other'', it is defined by the event source (Windows
      only).'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Integrity
    rank: 1000
    alias: integrity
    owner: WindowsProcess
    domain_of:
    - Process
    range: string
  integrity_id:
    name: integrity_id
    annotations:
      sibling:
        tag: sibling
        value: integrity
    description: The normalized identifier of the process integrity level (Windows
      only).
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Integrity Level
    rank: 1000
    alias: integrity_id
    owner: WindowsProcess
    domain_of:
    - Process
    range: IntegrityIdEnum
  lineage:
    name: lineage
    description: 'The lineage of the process, represented by a list of paths for each
      ancestor
      process. For example: <code>[''/usr/sbin/sshd'', ''/usr/bin/bash'',
      ''/usr/bin/whoami'']</code>.'
    deprecated: Use the <code>ancestry</code> attribute.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Lineage
    rank: 1000
    alias: lineage
    owner: WindowsProcess
    domain_of:
    - Process
    range: FilePathT
    multivalued: true
  loaded_modules:
    name: loaded_modules
    description: The list of loaded module names.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Loaded Modules
    rank: 1000
    alias: loaded_modules
    owner: WindowsProcess
    domain_of:
    - Process
    range: string
    multivalued: true
  parent_process:
    name: parent_process
    description: 'The parent process of this process object. It is recommended to
      only populate
      this field for the top-level process object, to prevent deep nesting.
      Additional ancestry information can be supplied in the <code>ancestry</code>
      attribute.'
    notes:
    - 'Guidance on Representing Process Parentage —
      https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md
    aliases:
    - Parent Process
    rank: 1000
    alias: parent_process
    owner: WindowsProcess
    domain_of:
    - Process
    range: Process
    recommended: true
  ptid:
    name: ptid
    description: 'The identifier of the process thread associated with the event,
      as returned by
      the operating system.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process Thread ID
    rank: 1000
    alias: ptid
    owner: WindowsProcess
    domain_of:
    - Process
    range: integer
  sandbox:
    name: sandbox
    description: 'The name of the containment jail (i.e., sandbox). For example, hardened_ps,
      high_security_ps, oracle_ps, netsvcs_ps, or default_ps.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Sandbox
    rank: 1000
    alias: sandbox
    owner: WindowsProcess
    domain_of:
    - Process
    range: string
  session:
    name: session
    description: The user session under which this process is running.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Session
    rank: 1000
    alias: session
    owner: WindowsProcess
    domain_of:
    - QueryEvidence
    - Actor
    - NetworkConnectionInfo
    - Process
    - SessionQuery
    - Authentication
    - AuthorizeSession
    - TunnelActivity
    range: Session
  terminated_time:
    name: terminated_time
    description: The time when the process was terminated.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Terminated Time
    rank: 1000
    alias: terminated_time
    owner: WindowsProcess
    domain_of:
    - Process
    range: TimestampT
  tid:
    name: tid
    description: 'The identifier of the thread associated with the event, as returned
      by the
      operating system.'
    deprecated: '<code>tid</code> is deprecated in favor of <code>ptid</code>. <code>ptid</code>
      has type <code>long_t</code> which can accommodate the thread identifiers
      returned by all platforms (e.g. 64-bit on MacOS). (since 1.6.0)'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Thread ID
    rank: 1000
    alias: tid
    owner: WindowsProcess
    domain_of:
    - Process
    range: integer
  user:
    name: user
    description: The user under which this process is running.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - User
    rank: 1000
    alias: user
    owner: WindowsProcess
    domain_of:
    - QueryEvidence
    - Actor
    - Evidences
    - Job
    - ManagedEntity
    - Process
    - UserInventory
    - UserQuery
    - IamAnalysisFinding
    - AccountChange
    - Authentication
    - AuthorizeSession
    - GroupManagement
    - UserAccess
    - RdpActivity
    - TunnelActivity
    range: User
    recommended: true
  working_directory:
    name: working_directory
    description: The working directory of a process.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Working Directory
    rank: 1000
    alias: working_directory
    owner: WindowsProcess
    domain_of:
    - Process
    range: string
  xattributes:
    name: xattributes
    description: 'An unordered collection of zero or more name/value pairs that represent
      a
      process extended attribute.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Extended Attributes
    rank: 1000
    alias: xattributes
    owner: WindowsProcess
    domain_of:
    - File
    - Process
    range: Object
  container:
    name: container
    annotations:
      group:
        tag: group
        value: context
    description: 'The information describing an instance of a container. A container
      is a
      prepackaged, portable system image that runs isolated on an existing system
      using a container runtime like containerd.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Container
    rank: 1000
    alias: container
    owner: WindowsProcess
    domain_of:
    - Evidences
    - ContainerProfile
    - CloudResourcesInventoryInfo
    range: Container
    recommended: true
  namespace_pid:
    name: namespace_pid
    annotations:
      group:
        tag: group
        value: context
    description: 'If running under a process namespace (such as in a container), the
      process
      identifier within that process namespace.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Namespace PID
    rank: 1000
    alias: namespace_pid
    owner: WindowsProcess
    domain_of:
    - ContainerProfile
    range: integer
    recommended: true
  cmd_line:
    name: cmd_line
    annotations:
      observable_id:
        tag: observable_id
        value: 13
    description: 'The full command line used to launch an application, service, process,
      or job.
      For example: <code>ssh user@10.0.0.10</code>. If the command line is
      unavailable or missing, the empty string <code>''''</code> is to be used.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Command Line
    rank: 1000
    alias: cmd_line
    owner: WindowsProcess
    domain_of:
    - Job
    - ProcessEntity
    - WinService
    range: string
    recommended: true
  cpid:
    name: cpid
    annotations:
      ocsf_source:
        tag: ocsf_source
        value: cpid
    description: 'A unique process identifier that can be assigned deterministically
      by multiple
      system data producers.'
    notes:
    - 'OCSF Common Process Identifier (CPID) Specification —
      https://github.com/ocsf/common-process-id'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://github.com/ocsf/common-process-id
    aliases:
    - Common Process Identifier
    rank: 1000
    alias: cpid
    owner: WindowsProcess
    domain_of:
    - ProcessEntity
    range: UuidT
    recommended: true
  created_time:
    name: created_time
    description: The time when the process was created/started.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Created Time
    rank: 1000
    alias: created_time
    owner: WindowsProcess
    domain_of:
    - Osint
    - RelatedEvent
    - Sbom
    - Scim
    - Session
    - Sso
    - Token
    - Whois
    - Resource
    - Advisory
    - AuthenticationToken
    - Certificate
    - Cve
    - Database
    - Databucket
    - DigitalSignature
    - Enrichment
    - Epss
    - File
    - FindingObject
    - FindingInfo
    - Job
    - KbArticle
    - LdapPerson
    - ProcessEntity
    - Table
    - Device
    range: TimestampT
    recommended: true
  name:
    name: name
    description: 'The friendly name of the process, for example: <code>Notepad++</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: WindowsProcess
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  path:
    name: path
    description: The process file path.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Path
    rank: 1000
    alias: path
    owner: WindowsProcess
    domain_of:
    - Url
    - AffectedPackage
    - File
    - HttpCookie
    - Image
    - Kernel
    - Malware
    - ProcessEntity
    - Product
    - RegKey
    - RegValue
    range: string
  pid:
    name: pid
    annotations:
      observable_id:
        tag: observable_id
        value: 15
    description: 'The process identifier, as reported by the operating system. Process
      ID (PID)
      is a number used by the operating system to uniquely identify an active
      process.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process ID
    rank: 1000
    alias: pid
    owner: WindowsProcess
    domain_of:
    - ProcessEntity
    range: integer
    recommended: true
  uid:
    name: uid
    description: 'A unique identifier for this process assigned by the producer (tool).
      Facilitates correlation of a process event with other events for that process.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: WindowsProcess
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        pid:
          name: pid
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        cpid:
          name: cpid
          required: true
  description: 'OCSF at_least_one: at least one of [''pid'', ''uid'', ''cpid''] must
    be set.'
```