- OS: Linux
- Data Stream:
logs-endpoint.events.process-* - KQL:
event.action : "load_module" and event.dataset : "endpoint.events.process" and event.module : "endpoint" and host.os.type : "linux"
This event is generated when when a kernel module is loaded.
| Field |
|---|
| @timestamp |
| agent.id |
| agent.type |
| agent.version |
| cloud.account.id |
| cloud.instance.name |
| cloud.project.id |
| cloud.provider |
| cloud.region |
| container.id |
| container.image.hash.all |
| container.image.name |
| container.image.tag |
| container.name |
| data_stream.dataset |
| data_stream.namespace |
| data_stream.type |
| ecs.version |
| elastic.agent.id |
| event.action |
| event.category |
| event.created |
| event.dataset |
| event.id |
| event.kind |
| event.module |
| event.outcome |
| event.sequence |
| event.type |
| group.Ext.real.id |
| group.Ext.real.name |
| group.id |
| group.name |
| host.architecture |
| host.hostname |
| host.id |
| host.ip |
| host.mac |
| host.name |
| host.os.Ext.variant |
| host.os.family |
| host.os.full |
| host.os.kernel |
| host.os.name |
| host.os.platform |
| host.os.type |
| host.os.version |
| message |
| orchestrator.cluster.id |
| orchestrator.cluster.name |
| orchestrator.namespace |
| orchestrator.resource.ip |
| orchestrator.resource.name |
| orchestrator.resource.parent.type |
| orchestrator.resource.type |
| process.Ext.ancestry |
| process.Ext.command_line_truncated |
| process.Ext.memfd.flag_allow_seal |
| process.Ext.memfd.flag_cloexec |
| process.Ext.memfd.flag_exec |
| process.Ext.memfd.flag_hugetlb |
| process.Ext.memfd.flag_noexec_seal |
| process.Ext.memfd.flags |
| process.Ext.memfd.name |
| process.Ext.trusted |
| process.Ext.trusted_descendant |
| process.args |
| process.args_count |
| process.command_line |
| process.end |
| process.entity_id |
| process.entry_leader.args |
| process.entry_leader.args_count |
| process.entry_leader.entity_id |
| process.entry_leader.entry_meta.source.ip |
| process.entry_leader.entry_meta.type |
| process.entry_leader.executable |
| process.entry_leader.group.id |
| process.entry_leader.group.name |
| process.entry_leader.interactive |
| process.entry_leader.name |
| process.entry_leader.parent.entity_id |
| process.entry_leader.parent.pid |
| process.entry_leader.parent.start |
| process.entry_leader.pid |
| process.entry_leader.real_group.id |
| process.entry_leader.real_group.name |
| process.entry_leader.real_user.id |
| process.entry_leader.real_user.name |
| process.entry_leader.same_as_process |
| process.entry_leader.start |
| process.entry_leader.supplemental_groups.id |
| process.entry_leader.supplemental_groups.name |
| process.entry_leader.tty.char_device.major |
| process.entry_leader.tty.char_device.minor |
| process.entry_leader.user.id |
| process.entry_leader.user.name |
| process.entry_leader.working_directory |
| process.executable |
| process.exit_code |
| process.group.id |
| process.group.name |
| process.group_leader.args |
| process.group_leader.args_count |
| process.group_leader.entity_id |
| process.group_leader.executable |
| process.group_leader.group.id |
| process.group_leader.group.name |
| process.group_leader.interactive |
| process.group_leader.name |
| process.group_leader.pid |
| process.group_leader.real_group.id |
| process.group_leader.real_group.name |
| process.group_leader.real_user.id |
| process.group_leader.real_user.name |
| process.group_leader.same_as_process |
| process.group_leader.start |
| process.group_leader.supplemental_groups.id |
| process.group_leader.supplemental_groups.name |
| process.group_leader.tty.char_device.major |
| process.group_leader.tty.char_device.minor |
| process.group_leader.user.id |
| process.group_leader.user.name |
| process.group_leader.working_directory |
| process.hash.md5 |
| process.hash.sha1 |
| process.hash.sha256 |
| process.interactive |
| process.name |
| process.parent.Ext.command_line_truncated |
| process.parent.args |
| process.parent.args_count |
| process.parent.command_line |
| process.parent.entity_id |
| process.parent.executable |
| process.parent.group.id |
| process.parent.group.name |
| process.parent.interactive |
| process.parent.name |
| process.parent.pid |
| process.parent.real_group.id |
| process.parent.real_group.name |
| process.parent.real_user.id |
| process.parent.real_user.name |
| process.parent.start |
| process.parent.supplemental_groups.id |
| process.parent.supplemental_groups.name |
| process.parent.tty.char_device.major |
| process.parent.tty.char_device.minor |
| process.parent.user.id |
| process.parent.user.name |
| process.parent.working_directory |
| process.pid |
| process.previous.args |
| process.previous.args_count |
| process.previous.executable |
| process.real_group.id |
| process.real_group.name |
| process.real_user.id |
| process.real_user.name |
| process.session_leader.args |
| process.session_leader.args_count |
| process.session_leader.entity_id |
| process.session_leader.executable |
| process.session_leader.group.id |
| process.session_leader.group.name |
| process.session_leader.interactive |
| process.session_leader.name |
| process.session_leader.pid |
| process.session_leader.real_group.id |
| process.session_leader.real_group.name |
| process.session_leader.real_user.id |
| process.session_leader.real_user.name |
| process.session_leader.same_as_process |
| process.session_leader.start |
| process.session_leader.supplemental_groups.id |
| process.session_leader.supplemental_groups.name |
| process.session_leader.tty.char_device.major |
| process.session_leader.tty.char_device.minor |
| process.session_leader.user.id |
| process.session_leader.user.name |
| process.session_leader.working_directory |
| process.start |
| process.supplemental_groups.id |
| process.supplemental_groups.name |
| process.user.id |
| process.user.name |
| process.working_directory |
| user.Ext.real.id |
| user.Ext.real.name |
| user.id |
| user.name |