process.yml (forked from elastic/ecs)
- name: process
  title: Process
  group: 2
  short: These fields contain information about a process.
  description: >
    These fields contain information about a process.

    These fields can help you correlate metrics information with a process id/name
    from a log message. The `process.pid` often stays in the metric itself and is
    copied to the global field for correlation.
  type: group
  reusable:
    top_level: true
    expected:
      - at: process
        as: parent
  fields:
    - name: pid
      format: string
      level: core
      type: long
      description: >
        Process id.
      example: 4242

    - name: entity_id
      level: extended
      type: keyword
      short: Unique identifier for the process.
      description: >
        Unique identifier for the process.

        The implementation of this is specified by the data source, but some
        examples of what could be used here are a process-generated UUID,
        Sysmon Process GUIDs, or a hash of some uniquely identifying components
        of a process.

        Constructing a globally unique identifier is a common practice to mitigate
        PID reuse as well as to identify a specific process over time, across multiple
        monitored hosts.
      example: c2c455d9f99375d

    - name: name
      level: extended
      type: keyword
      short: Process name.
      description: >
        Process name.

        Sometimes called program name or similar.
      example: ssh
      multi_fields:
        - type: text
          name: text

    - name: ppid
      format: string
      level: extended
      type: long
      description: >
        Parent process' pid.
      example: 4241

    - name: pgid
      format: string
      level: extended
      type: long
      description: >
        Identifier of the group of processes the process belongs to.

    - name: command_line
      level: extended
      type: keyword
      short: Full command line that started the process.
      description: >
        Full command line that started the process, including the absolute path
        to the executable, and all arguments.

        Some arguments may be filtered to protect sensitive information.
      example: "/usr/bin/ssh -l user 10.0.0.16"
      multi_fields:
        - type: text
          name: text

    - name: args
      level: extended
      type: keyword
      short: Array of process arguments.
      description: >
        Array of process arguments, starting with the absolute path to the executable.

        May be filtered to protect sensitive information.
      example: "[\"/usr/bin/ssh\", \"-l\", \"user\", \"10.0.0.16\"]"
      normalize:
        - array

    - name: args_count
      level: extended
      type: long
      short: Length of the process.args array.
      description: >
        Length of the process.args array.

        This field can be useful for querying or performing bucket analysis on
        how many arguments were provided to start a process.
        More arguments may be an indication of suspicious activity.
      example: 4

    - name: executable
      level: extended
      type: keyword
      description: >
        Absolute path to the process executable.
      example: /usr/bin/ssh
      multi_fields:
        - type: text
          name: text

    - name: title
      level: extended
      type: keyword
      short: Process title.
      description: >
        Process title.

        The proctitle, sometimes the same as process name. Can also be different:
        for example a browser setting its title to the web page currently opened.
      multi_fields:
        - type: text
          name: text

    - name: thread.id
      format: string
      level: extended
      type: long
      example: 4242
      description: >
        Thread ID.

    - name: thread.name
      level: extended
      type: keyword
      example: 'thread-0'
      description: >
        Thread name.

    - name: start
      level: extended
      type: date
      example: "2016-05-23T08:05:34.853Z"
      description: >
        The time the process started.

    - name: uptime
      level: extended
      type: long
      example: 1325
      description: >
        Seconds the process has been up.

    - name: working_directory
      level: extended
      type: keyword
      example: /home/alice
      description: >
        The working directory of the process.
      multi_fields:
        - type: text
          name: text

    - name: exit_code
      level: extended
      type: long
      example: 137
      short: The exit code of the process.
      description: >
        The exit code of the process, if this is a termination event.

        The field should be absent if there is no exit code for the event (e.g.
        process start).
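Added example (not part of the ECS project or this schema file): a small normaliser that maps a raw process event onto the `process.*` fields above, including a PID-reuse-resistant `entity_id`, argument filtering before indexing, `args_count`, `parent.pid` via the `reusable` block, and `exit_code` only on termination events. The raw event layout, the host identifier, the sensitive-flag list and the hashing scheme for `entity_id` are assumptions of this example; ECS leaves the `entity_id` construction to the data source.

```python
import hashlib
from datetime import datetime, timezone

# Flags whose following value is masked before indexing; list constructed for this example.
SENSITIVE_FLAGS = {"--password", "--token", "--secret"}

SAMPLE_EVENT = {  # constructed input; the raw event layout is an assumption
    "pid": 4242, "ppid": 4241, "pgid": 4242,
    "args": ["/usr/bin/mysql", "--user", "app", "--password", "s3cret", "--host", "10.0.0.16"],
    "start": datetime(2016, 5, 23, 8, 5, 34, 853000, tzinfo=timezone.utc),
}

def make_entity_id(host_id: str, pid: int, start: datetime) -> str:
    """entity_id that survives PID reuse: hash of host, pid and start time (assumed scheme)."""
    raw = f"{host_id}|{pid}|{start.astimezone(timezone.utc).isoformat()}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def redact_args(args: list) -> list:
    """Mask the value after a sensitive flag, including the --flag=value form."""
    out, mask_next = [], False
    for arg in args:
        if mask_next:
            out.append("<redacted>")
            mask_next = False
        elif arg in SENSITIVE_FLAGS:
            out.append(arg)
            mask_next = True
        elif any(arg.startswith(flag + "=") for flag in SENSITIVE_FLAGS):
            out.append(arg.split("=", 1)[0] + "=<redacted>")
        else:
            out.append(arg)
    return out

def to_ecs_process(event: dict, host_id: str) -> dict:
    """Map a raw event onto the ECS process.* fields defined in process.yml."""
    args = redact_args(event["args"])
    start = event["start"].astimezone(timezone.utc)
    doc = {
        "pid": event["pid"], "ppid": event["ppid"], "pgid": event["pgid"],
        "parent": {"pid": event["ppid"]},           # process.parent.* via `reusable`
        "entity_id": make_entity_id(host_id, event["pid"], start),
        "executable": args[0], "name": args[0].rsplit("/", 1)[-1],  # args[0] is the absolute path
        "args": args, "args_count": len(args),
        "command_line": " ".join(args),
        "start": start.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
    }
    if "exit_code" in event:                        # only on termination events
        doc["exit_code"] = event["exit_code"]
    return doc
```

Two processes that reuse a PID get different `entity_id` values because the start time enters the hash; the redacted `args` and `command_line` are what reaches the index, so the secret never has to be scrubbed afterwards.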