Process ID

System or application process ID.

Data Type

Integer

Aliases

Field Relationships

• Process Name
• Parent Process ID
• Parent Process Name
• Parent Process Path

Common Applications

Anything that tracks applications/processes.

Use Case

Identifying what is running on a system.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

• Process ID should be the unique identifier (typically a PID).
• Store HEX representation by preference, but allow decimal if that's what log source provides.

Examples

• *nix

03 21 2014 10:13:00 1.1.1.1 <CLK1:INFO> crond[2596]: (root) CMD (/usr/lib64/sa/sa1 1 1)

In *nix logs, the Process and ProcessID frequently follow the syslog facility and severity. In this case, crond is followed by the ProcessID 2596 in square braces.

• Cb Response

08 30 2016 02:20:42 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|1.1.1.1623.1033|watchlist.storage.hit.process|cb_server=cbserver       cb_version=1.1.1.1623.1033 childproc_count=1   cmdline=C:\\Windows\\system32\\cmd.exe /c ping provisionserver >nul 2>nul      crossproc_count=1   filemod_count=0       host_type=workstation      last_update=2016-08-30T08:02:01.670Z    modload_count=11       netconn_count=0     os_type=windows     parent_guid=11111111-0000-2010-01d2-0294ad4c889c parent_id=7575139489111111 parent_name=scsdiscovery.exe     parent_pid=8208       parent_unique_id=222222222-0000-2010-01d2-0294ad4c889c-00000001       path=c:\\windows\\syswow64\\cmd.exe     process_guid=222222-0000-097c-01d2-0294b431d3b1 process_id=2222222222222222       process_name=cmd.exe       process_pid=2428       regmod_count=0      server_name=localhost.localdomain start=2016-08-30T08:01:24.874Z       timestamp=1472548449.903   type=watchlist.storage.hit.process       unique_id=000001c3-0000-097c-01d2-0294b431d3b1-00000001     username=SYSTEM       watchlist_155=2016-08-30T09:10:02.525745Z      watchlist_id=155       watchlist_name=Command Line

Process_pid called out specifically.