misp-objects/objects/process/definition.json

{
  "name": "process",
  "uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
  "meta-category": "misc",
  "description": "Object describing a system process.",
  "version": 6,
  "attributes": {
    "creation-time": {
      "description": "Local date/time at which the process was created.",
      "ui-priority": 0,
      "misp-attribute": "datetime",
      "disable_correlation": true
    },
    "start-time": {
      "description": "Local date/time at which the process was started.",
      "ui-priority": 0,
      "misp-attribute": "datetime",
      "disable_correlation": true
    },
    "name": {
      "description": "Name of the process",
      "ui-priority": 1,
      "misp-attribute": "text"
    },
    "pid": {
      "description": "Process ID of the process.",
      "ui-priority": 1,
      "misp-attribute": "text",
      "disable_correlation": true
    },
    "parent-pid": {
      "description": "Process ID of the parent process.",
      "ui-priority": 1,
      "misp-attribute": "text",
      "disable_correlation": true
    },
    "child-pid": {
      "description": "Process ID of the child(ren) process.",
      "ui-priority": 1,
      "misp-attribute": "text",
      "multiple": true,
      "disable_correlation": true
    },
    "process-state": {
      "description": "State of process.",
      "sane_default": [
        "D uninterruptible sleep (usually IO)",
        "R running or runnable (on run queue)",
        "S interruptible sleep (waiting for an event to complete)",
        "T stopped by job control signal",
        "t stopped by debugger during the tracing",
        "W paging (not valid since the 2.6.xx kernel)",
        "X dead (should never be seen)",
        "Z defunct ('zombie') process, terminated but not reaped by its parent",
        "< high-priority (not nice to other users)",
        "N low-priority (nice to other users)",
        "L has pages locked into memory (for real-time and custom IO)",
        "s is a session leader",
        "l is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)",
        "+ is in the foreground process group"
      ],
      "ui-priority": 1,
      "misp-attribute": "text",
      "multiple": false,
      "disable_correlation": true
    },
    "fake-process-name": {
      "description": "Is the process spawned under a false name.",
      "sane_default": [
        "1",
        "0"
      ],
      "ui-priority": 1,
      "misp-attribute": "boolean",
      "multiple": false,
      "disable_correlation": true
    },
    "port": {
      "description": "Port(s) owned by the process.",
      "ui-priority": 1,
      "misp-attribute": "src-port",
      "multiple": true,
      "disable_correlation": true
    },
    "command-line": {
      "description": "Command line of the process",
      "ui-priority": 1,
      "misp-attribute": "text"
    },
    "current-directory": {
      "description": "Current working directory of the process",
      "ui-priority": 2,
      "misp-attribute": "text",
      "disable_correlation": true
    },
    "image": {
      "description": "Path of process image",
      "ui-priority": 1,
      "misp-attribute": "filename"
    },
    "parent-command-line": {
      "description": "Command line of the parent process",
      "ui-priority": 1,
      "misp-attribute": "text"
    },
    "parent-image": {
      "description": "Path of parent process image",
      "ui-priority": 1,
      "misp-attribute": "filename"
    },
    "user": {
      "description": "User context of the process",
      "ui-priority": 2,
      "misp-attribute": "text",
      "disable_correlation": true
    },
    "integrity-level": {
      "description": "Integrity level of the process",
      "ui-priority": 2,
      "misp-attribute": "text",
      "disable_correlation": true
    }
  },
  "requiredOneOf": [
    "name",
    "pid",
    "image",
    "command-line",
    "current-directory"
  ]
}
First version of process object - Potentially more attributes to come 2018-05-04 16:34:35 +02:00			`{`
			`"name": "process",`
			`"uuid": "02aeef94-ac23-455c-addb-731757ceafb5",`
			`"meta-category": "misc",`
			`"description": "Object describing a system process.",`
chg: [process] Updated process object 2019-07-12 07:33:51 +02:00			`"version": 6,`
First version of process object - Potentially more attributes to come 2018-05-04 16:34:35 +02:00			`"attributes": {`
			`"creation-time": {`
			`"description": "Local date/time at which the process was created.",`
			`"ui-priority": 0,`
			`"misp-attribute": "datetime",`
			`"disable_correlation": true`
			`},`
			`"start-time": {`
			`"description": "Local date/time at which the process was started.",`
			`"ui-priority": 0,`
			`"misp-attribute": "datetime",`
			`"disable_correlation": true`
			`},`
			`"name": {`
			`"description": "Name of the process",`
			`"ui-priority": 1,`
			`"misp-attribute": "text"`
			`},`
			`"pid": {`
			`"description": "Process ID of the process.",`
			`"ui-priority": 1,`
chg: [process] disable correlation where it's not required 2018-10-06 07:42:34 +02:00			`"misp-attribute": "text",`
			`"disable_correlation": true`
First version of process object - Potentially more attributes to come 2018-05-04 16:34:35 +02:00			`},`
Attribute typo 2018-05-25 09:13:14 +02:00			`"parent-pid": {`
First version of process object - Potentially more attributes to come 2018-05-04 16:34:35 +02:00			`"description": "Process ID of the parent process.",`
			`"ui-priority": 1,`
chg: [process] disable correlation where it's not required 2018-10-06 07:42:34 +02:00			`"misp-attribute": "text",`
			`"disable_correlation": true`
First version of process object - Potentially more attributes to come 2018-05-04 16:34:35 +02:00			`},`
			`"child-pid": {`
			`"description": "Process ID of the child(ren) process.",`
			`"ui-priority": 1,`
			`"misp-attribute": "text",`
chg: [process] disable correlation where it's not required 2018-10-06 07:42:34 +02:00			`"multiple": true,`
			`"disable_correlation": true`
First version of process object - Potentially more attributes to come 2018-05-04 16:34:35 +02:00			`},`
chg: [process] Updated process object 2019-07-12 07:33:51 +02:00			`"process-state": {`
chg: [process] Added sane defaults. 2019-07-12 09:04:38 +02:00			`"description": "State of process.",`
			`"sane_default": [`
			`"D uninterruptible sleep (usually IO)",`
			`"R running or runnable (on run queue)",`
			`"S interruptible sleep (waiting for an event to complete)",`
			`"T stopped by job control signal",`
			`"t stopped by debugger during the tracing",`
			`"W paging (not valid since the 2.6.xx kernel)",`
			`"X dead (should never be seen)",`
			`"Z defunct ('zombie') process, terminated but not reaped by its parent",`
			`"< high-priority (not nice to other users)",`
			`"N low-priority (nice to other users)",`
			`"L has pages locked into memory (for real-time and custom IO)",`
			`"s is a session leader",`
			`"l is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)",`
			`"+ is in the foreground process group"`
			`],`
chg: [process] Updated process object 2019-07-12 07:33:51 +02:00			`"ui-priority": 1,`
			`"misp-attribute": "text",`
			`"multiple": false,`
			`"disable_correlation": true`
			`},`
			`"fake-process-name": {`
			`"description": "Is the process spawned under a false name.",`
chg: [process] Added sane defaults. 2019-07-12 09:04:38 +02:00			`"sane_default": [`
			`"1",`
			`"0"`
			`],`
chg: [process] Updated process object 2019-07-12 07:33:51 +02:00			`"ui-priority": 1,`
			`"misp-attribute": "boolean",`
			`"multiple": false,`
			`"disable_correlation": true`
			`},`
First version of process object - Potentially more attributes to come 2018-05-04 16:34:35 +02:00			`"port": {`
			`"description": "Port(s) owned by the process.",`
			`"ui-priority": 1,`
			`"misp-attribute": "src-port",`
chg: [process] disable correlation where it's not required 2018-10-06 07:42:34 +02:00			`"multiple": true,`
			`"disable_correlation": true`
Extension of process object 2018-11-02 00:35:28 +01:00			`},`
			`"command-line": {`
			`"description": "Command line of the process",`
			`"ui-priority": 1,`
			`"misp-attribute": "text"`
			`},`
			`"current-directory": {`
			`"description": "Current working directory of the process",`
			`"ui-priority": 2,`
chg: [process] fix the type - fix #160 2019-04-02 19:56:59 +02:00			`"misp-attribute": "text",`
Extension of process object 2018-11-02 00:35:28 +01:00			`"disable_correlation": true`
			`},`
			`"image": {`
			`"description": "Path of process image",`
			`"ui-priority": 1,`
			`"misp-attribute": "filename"`
			`},`
			`"parent-command-line": {`
			`"description": "Command line of the parent process",`
			`"ui-priority": 1,`
			`"misp-attribute": "text"`
			`},`
			`"parent-image": {`
			`"description": "Path of parent process image",`
			`"ui-priority": 1,`
			`"misp-attribute": "filename"`
			`},`
			`"user": {`
			`"description": "User context of the process",`
			`"ui-priority": 2,`
			`"misp-attribute": "text",`
			`"disable_correlation": true`
			`},`
			`"integrity-level": {`
			`"description": "Integrity level of the process",`
			`"ui-priority": 2,`
			`"misp-attribute": "text",`
			`"disable_correlation": true`
First version of process object - Potentially more attributes to come 2018-05-04 16:34:35 +02:00			`}`
			`},`
			`"requiredOneOf": [`
			`"name",`
Extension of process object 2018-11-02 00:35:28 +01:00			`"pid",`
			`"image",`
Added current-directory to required field This field will often indicate where a malicious binary is started from, therefore a good candidate for solo use 2019-04-02 18:41:07 +02:00			`"command-line",`
			`"current-directory"`
First version of process object - Potentially more attributes to come 2018-05-04 16:34:35 +02:00			`]`
			`}`