Currently, there's a "lineage" attribute as part of the Process object, that is defined as
"The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']."
That's very useful, but not accurate given it provides only the paths and there could be many processes with the same paths, etc.
The proposal is to add a lineage_uids attribute that will include all ancestor process uids (unique identifiers) for better and more accurate tracking of the process lineage.
It's still optional, but consumers can easily look here to reconstruct the "process tree" of a given Process object, given the field is provided. (Most of the time, endpoint products have the process tree in memory or are able to reconstruct it before generating the Process object.)
#### Related Issue:
#1275
#### Description of changes:
Adds an array for the expression of process ancestry through process entity objects.

The process entity is a new object that the process object is modified to extend.

This enables the inclusion of extended parentage information without deep nesting, which is discouraged in the `parent_process` attribute description.

Full details for processes in the ancestry would still need to be looked up based on the fields in the process entity object.

This PR also deprecates the `lineage` attribute within the process object in favour of the `ancestry` attribute, which has much more explicit guidance on how to construct the array.
Signed-off-by: Mitchell Wasson <miwasson@cisco.com>
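The following is an added example, not code from the issue author, the PR author or the OCSF project. It illustrates both the issue above (a path-only `lineage` cannot tell two processes apart when their ancestors share the same paths) and the PR's approach (a flat `ancestry` array of process-entity objects, with full details looked up by uid). The process table is constructed sample data; the entity field names `uid`, `pid` and `path`, the exclusion of the process itself from the ancestry array, and the `ancestors` / `resolve` helpers are assumptions for illustration, not the schema's definitions.

```python
"""Added example: path-only lineage vs. an ancestry array of process
entities. PROCESS_TABLE is constructed sample data keyed by a unique
process identifier (uid); entity field names are assumptions."""

# Two SSH sessions spawn identical-looking chains (sshd -> bash -> whoami).
# Paths collide; uids and pids do not.
PROCESS_TABLE = {
    "p-200": {"pid": 812,  "path": "/usr/sbin/sshd",  "parent_uid": None},
    "p-201": {"pid": 4410, "path": "/usr/bin/bash",   "parent_uid": "p-200"},
    "p-202": {"pid": 4411, "path": "/usr/bin/whoami", "parent_uid": "p-201"},
    "p-300": {"pid": 903,  "path": "/usr/sbin/sshd",  "parent_uid": None},
    "p-301": {"pid": 5120, "path": "/usr/bin/bash",   "parent_uid": "p-300"},
    "p-302": {"pid": 5121, "path": "/usr/bin/whoami", "parent_uid": "p-301"},
}


def ancestors(uid, table=PROCESS_TABLE):
    """Walk parent links from a process to its root; return uids root-first,
    including the process itself as the last element."""
    chain, seen = [], set()
    while uid is not None:
        if uid in seen:  # corrupt or forged parent links must not hang the consumer
            raise ValueError(f"cycle in parent chain at {uid}")
        seen.add(uid)
        chain.append(uid)
        uid = table[uid]["parent_uid"]
    chain.reverse()
    return chain


def lineage_paths(uid, table=PROCESS_TABLE):
    """The current `lineage` attribute: ancestor paths plus the process itself,
    e.g. ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']."""
    return [table[u]["path"] for u in ancestors(uid, table)]


def ancestry(uid, table=PROCESS_TABLE):
    """The proposed `ancestry` array: one flat process-entity object per
    ancestor (root first), no nested parent_process chain. Assumed fields."""
    return [{"uid": u, "pid": table[u]["pid"], "path": table[u]["path"]}
            for u in ancestors(uid, table)[:-1]]


def resolve(entity, table=PROCESS_TABLE):
    """Full process details are not carried in the ancestry entry; look them up
    by uid and cross-check pid/path so a stale or mismatched record is caught
    rather than silently trusted."""
    rec = table.get(entity["uid"])
    if rec is None:
        return None
    if rec["pid"] != entity["pid"] or rec["path"] != entity["path"]:
        raise ValueError(f"entity {entity['uid']} does not match table record")
    return rec


def lineage_is_ambiguous(uid_a, uid_b, table=PROCESS_TABLE):
    """True when two distinct processes yield identical path-only lineage but
    different ancestry arrays: exactly the case the issue describes."""
    same_paths = lineage_paths(uid_a, table) == lineage_paths(uid_b, table)
    distinct = ancestry(uid_a, table) != ancestry(uid_b, table)
    return same_paths and distinct


if __name__ == "__main__":
    for uid in ("p-202", "p-302"):
        print(uid, "lineage:", lineage_paths(uid))
        print(uid, "ancestry:", [e["uid"] for e in ancestry(uid)])
    print("ambiguous by path alone:", lineage_is_ambiguous("p-202", "p-302"))
```

Run as a script, the two `whoami` processes print the same `lineage` list but different `ancestry` arrays, which is why a consumer reconstructing a process tree needs identifiers rather than paths. The cross-check in `resolve` is deliberate: an ancestry entry that disagrees with the producer's own process table is a data-quality signal worth surfacing instead of merging.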