Process execution events from EndpointSecurity.
| Column | Type | Description |
|---|---|---|
| cdhash | text | Code-signing hash (CDHash) of the process |
| child_pid | bigint | Process ID of the child process, in case of a fork event |
| cmdline | text | Command line arguments (argv) |
| cmdline_count | bigint | Number of command line arguments |
| codesigning_flags | text | Code-signing flags, as a comma-separated list of one or more of: NOT_VALID, ADHOC, NOT_RUNTIME, INSTALLER. See kern/cs_blobs.h in XNU for descriptions. |
| cwd | text | Current working directory of the process |
| egid | bigint | Effective group ID of the process |
| eid | text | Event ID. Hidden column: not returned by `SELECT * FROM es_process_events`; it must be named explicitly. |
| env | text | Environment variables, delimited by spaces |
| env_count | bigint | Number of environment variables |
| euid | bigint | Effective user ID of the process |
| event_type | text | Type of EndpointSecurity event |
| exit_code | integer | Exit code of the process, in case of an exit event |
| gid | bigint | Group ID of the process |
| global_seq_num | bigint | Global sequence number |
| original_parent | bigint | Original parent process ID, in case of reparenting |
| parent | bigint | Parent process ID |
| path | text | Path of the executed file |
| pid | bigint | Process (or thread) ID |
| platform_binary | integer | Indicates whether the binary is an Apple-signed platform binary (1) or not (0) |
| seq_num | bigint | Per-event sequence number |
| signing_id | text | Signing identifier of the process |
| team_id | text | Team identifier of the process |
| time | bigint | Time of execution, in UNIX time |
| uid | bigint | User ID of the process |
| username | text | Username |
| version | integer | Version of the EndpointSecurity event |
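As an added example of querying this table (not part of the osquery schema page itself), the statement below surfaces recent executions of non-platform binaries whose code signature EndpointSecurity reported as NOT_VALID or ADHOC, and pulls in the hidden `eid` column explicitly. It assumes the `event_type` value for an execution event is the literal `'exec'` (the page only names fork and exit events, so treat that literal as an assumption to confirm against your osquery build), and that the osquery agent has EndpointSecurity enabled (the table is empty when the `disable_endpointsecurity` flag is left at its default).

```sql
-- Added example, not from the osquery project: recent execs of binaries that
-- are not Apple platform binaries and carry a NOT_VALID or ADHOC signature.
-- Assumption: event_type = 'exec' marks an execution event.
SELECT
  datetime(time, 'unixepoch') AS executed_at,  -- time is UNIX epoch seconds
  pid,
  parent,
  original_parent,                             -- differs from parent on reparenting
  username,
  path,
  cwd,
  signing_id,
  team_id,
  codesigning_flags,
  cmdline,
  eid                                          -- hidden column; SELECT * omits it
FROM es_process_events
WHERE event_type = 'exec'
  AND platform_binary = 0
  AND (codesigning_flags LIKE '%NOT_VALID%'
       OR codesigning_flags LIKE '%ADHOC%')
  AND time > strftime('%s', 'now') - 3600;     -- last hour only
```

The `LIKE` matches are safe here because the flag names in `codesigning_flags` are distinct words in a comma-separated list, so no flag is a substring of another. When scheduling this as a query pack entry, keep the time window in step with the query interval so that events are neither missed nor reported twice.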