System Events

Overview

AlphaSOC normalizes system event telemetry from various sources into the Open Cybersecurity Schema Framework (OCSF) format, enabling you to write consistent Sigma detection rules across different endpoint security tools and platforms. For complete field definitions and semantics, refer to the linked OCSF class schema pages.

System: Process Activity

OCSF Category: System Activity

OCSF Class: Process Activity

OCSF Fields

  • activity_id
  • activity_name
  • actor.process.cmd_line
  • actor.process.created_time
  • actor.process.file.hashes.0.algorithm_id
  • actor.process.file.hashes.0.value
  • actor.process.file.hashes.1.algorithm_id
  • actor.process.file.hashes.1.value
  • actor.process.file.hashes.2.algorithm_id
  • actor.process.file.hashes.2.value
  • actor.process.file.name
  • actor.process.file.path
  • actor.process.name
  • actor.process.parent_process.cmd_line
  • actor.process.parent_process.created_time
  • actor.process.parent_process.file.hashes.0.algorithm_id
  • actor.process.parent_process.file.hashes.0.value
  • actor.process.parent_process.file.hashes.1.algorithm_id
  • actor.process.parent_process.file.hashes.1.value
  • actor.process.parent_process.file.hashes.2.algorithm_id
  • actor.process.parent_process.file.hashes.2.value
  • actor.process.parent_process.file.name
  • actor.process.parent_process.file.path
  • actor.process.parent_process.name
  • actor.process.parent_process.pid
  • actor.process.parent_process.user.name
  • actor.process.pid
  • actor.process.user.name
  • actor.user.name
  • category_name
  • category_uid
  • class_name
  • class_uid
  • device.ip
  • device.mac
  • device.os.name
  • device.os.type
  • device.os.type_id
  • device.uid
  • metadata.product.name
  • metadata.version
  • process.cmd_line
  • process.created_time
  • process.file.hashes.0.algorithm_id
  • process.file.hashes.0.value
  • process.file.hashes.1.algorithm_id
  • process.file.hashes.1.value
  • process.file.hashes.2.algorithm_id
  • process.file.hashes.2.value
  • process.file.name
  • process.file.path
  • process.name
  • process.pid
  • process.user.name
  • severity
  • severity_id
  • time
  • type_name
  • type_uid
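
The field names above use dotted notation with numeric indices for arrays (for example `process.file.hashes.0.value`). As an added example, not AlphaSOC's or the OCSF project's own code, the Python below flattens a constructed Process Activity event into those dotted names and evaluates a Sigma-style selection (with `contains`/`startswith`/`endswith` modifiers) against it; the event values and the rule are made up for illustration.

```python
# Added example (not AlphaSOC's or OCSF's code): flatten an OCSF Process Activity
# event into the dotted field names listed above and evaluate a Sigma-style selection.

# Constructed sample event in the shape of the OCSF Process Activity class; the
# values are made up, only the field names come from the list above.
SAMPLE_EVENT = {
    "activity_name": "Launch",
    "process": {
        "name": "powershell.exe",
        "cmd_line": "powershell.exe -NoProfile -enc QUJD",
        "file": {
            "hashes": [{"algorithm_id": 3, "value": "00" * 32}],  # constructed SHA-256
        },
    },
    "actor": {"process": {"parent_process": {"name": "WINWORD.EXE"}}},
}

def flatten(obj, prefix=""):
    """Flatten nested dicts and lists into dotted keys such as process.file.hashes.0.value."""
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = enumerate(obj)
    else:
        return {prefix: obj}
    out = {}
    for key, val in items:
        out.update(flatten(val, f"{prefix}.{key}" if prefix else str(key)))
    return out

# Sigma-style selection keyed by "<ocsf field>" or "<ocsf field>|<modifier>" (case-insensitive).
OFFICE_SPAWNS_ENCODED_POWERSHELL = {
    "actor.process.parent_process.name|endswith": "winword.exe",
    "process.name|endswith": "powershell.exe",
    "process.cmd_line|contains": " -enc ",
}

def matches(event, selection):
    """True when every entry of the selection (AND semantics) matches the flattened event."""
    flat = {k.lower(): str(v).lower() for k, v in flatten(event).items()}
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        actual, exp = flat.get(field.lower()), str(expected).lower()
        if actual is None:  # a field absent from the event never matches
            return False
        ok = {"contains": exp in actual, "startswith": actual.startswith(exp),
              "endswith": actual.endswith(exp)}.get(modifier, actual == exp)
        if not ok:
            return False
    return True
```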

Further Reading