Breadcrumbs

Process Name


System or application process described by log message.

Data Type

String

Aliases

Use

Alias

Client Console Full Name

Process

Client Console Short Name

Process

Web Console Tab/Name

Process Name

Elasticsearch Field Name

process

Rule Builder Column Name

Process

Regex Pattern

<process>

NetMon Name

Varies by protocol

Field Relationships

  • Parent Process ID

  • Parent Process Name

  • Parent Process Path

  • Process

  • Process ID

  • Object

  • Object Name

  • Object Type

  • Session

  • Session Type

Common Applications

Any application.

Use Case

Monitoring timer jobs (for example, cron, or Windows scheduler).

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

Process Name should contain the identified process (for example, PowerShell.exe).  

Examples

  • Cb Response

08 30 2016 02:20:42 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|1.1.1.1623.1033|watchlist.storage.hit.process|cb_server=cbserver       cb_version=1.1.1.1623.1033 childproc_count=1   cmdline=C:\\Windows\\system32\\cmd.exe /c ping provisionserver >nul 2>nul      crossproc_count=1   filemod_count=0       host_type=workstation      last_update=2016-08-30T08:02:01.670Z    modload_count=11       netconn_count=0     os_type=windows     parent_guid=22221c3-0000-2010-01d2-0294ad4c889c parent_id=75751394892752222       parent_name=scsdiscovery.exe       parent_pid=8208     parent_unique_id=2222222-0000-2010-01d2-0294ad4c889c-00002222       path=c:\\windows\\syswow64\\cmd.exe     process_guid=000001c9-2222-097c-01d2-0294b431d3b1 process_id=000001c3-0000-097c-01d2-222222222   process_name=cmd.exe       process_pid=2428    regmod_count=0      server_name=localhost.localdomain start=2016-08-30T08:01:24.874Z timestamp=1472548449.903   type=watchlist.storage.hit.process       unique_id=000001c3-0000-097c-01d2-0294b431d3b1-00000001     username=SYSTEM       watchlist_155=2016-08-30T09:10:02.525745Z      watchlist_id=155       watchlist_name=Command Line

Process_name called out specifically.

  • Windows Event Log – System

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{222222-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>Information</Level><Task>None</Task><Opcode></Opcode><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-08-01T08:58:46.675586600Z'/><EventRecordID>823261</EventRecordID><Correlation/><Execution ProcessID='512' ThreadID='8508'/><Channel>System</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='param1'>Windows Error Reporting Service</Data><Data Name='param2'>stopped</Data><Binary>57006500720053007622222222031000000</Binary></EventData></Event>

Param1 in the 7036 event indicates the service (process) status.

  • *nix

03 21 2014 10:13:00 1.1.1.1 <CLK1:INFO> crond[2596]: (root) CMD (/usr/lib64/sa/sa1 1 1)

In *nix logs, the process frequently follows the syslog facility and severity, in this case Cron Daemon.