Process Name
System or application process described by log message.
Data Type
String
Aliases
| Use | Alias |
|---|---|
Client Console Full Name | Process |
Client Console Short Name | Process |
Web Console Tab/Name | Process Name |
Elasticsearch Field Name | process |
Rule Builder Column Name | Process |
Regex Pattern | <process> |
NetMon Name | Varies by protocol |
Field Relationships
- Parent Process ID
- Parent Process Name
- Parent Process Path
- Process
- Process ID
- Object
- Object Name
- Object Type
- Session
- Session Type
Common Applications
Any application.
Use Case
Monitoring timer jobs (for example, cron, or Windows scheduler).
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
Process Name should contain the identified process (for example, PowerShell.exe).
Examples
- Cb Response
08 30 2016 02:20:42 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|1.1.1.1623.1033|watchlist.storage.hit.process|cb_server=cbserver cb_version=1.1.1.1623.1033 childproc_count=1 cmdline=C:\\Windows\\system32\\cmd.exe /c ping provisionserver >nul 2>nul crossproc_count=1 filemod_count=0 host_type=workstation last_update=2016-08-30T08:02:01.670Z modload_count=11 netconn_count=0 os_type=windows parent_guid=22221c3-0000-2010-01d2-0294ad4c889c parent_id=75751394892752222 parent_name=scsdiscovery.exe parent_pid=8208 parent_unique_id=2222222-0000-2010-01d2-0294ad4c889c-00002222 path=c:\\windows\\syswow64\\cmd.exe process_guid=000001c9-2222-097c-01d2-0294b431d3b1 process_id=000001c3-0000-097c-01d2-222222222 process_name=cmd.exe process_pid=2428 regmod_count=0 server_name=localhost.localdomain start=2016-08-30T08:01:24.874Z timestamp=1472548449.903 type=watchlist.storage.hit.process unique_id=000001c3-0000-097c-01d2-0294b431d3b1-00000001 username=SYSTEM watchlist_155=2016-08-30T09:10:02.525745Z watchlist_id=155 watchlist_name=Command Line
Process_name called out specifically.
- Windows Event Log – System
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{222222-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>Information</Level><Task>None</Task><Opcode></Opcode><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-08-01T08:58:46.675586600Z'/><EventRecordID>823261</EventRecordID><Correlation/><Execution ProcessID='512' ThreadID='8508'/><Channel>System</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='param1'>Windows Error Reporting Service</Data><Data Name='param2'>stopped</Data><Binary>57006500720053007622222222031000000</Binary></EventData></Event>
Param1 in the 7036 event indicates the service (process) status.
- *nix
03 21 2014 10:13:00 1.1.1.1 <CLK1:INFO> crond[2596]: (root) CMD (/usr/lib64/sa/sa1 1 1)
In *nix logs, the process frequently follows the syslog facility and severity, in this case Cron Daemon.