https://unifiedcyberontology.org/ontology/uco/observable#ProcessFacet
A process facet is a grouping of characteristics unique to an instance of a computer program executed on an operating system.
Instances of observable:ProcessFacet can have the following properties:
PROPERTY | TYPE | DESCRIPTION | RANGE |
---|---|---|---|
From class owl:Thing | |||
investigation:authorizationIdentifier | owl:DatatypeProperty | The identifier for a particular authorization (e.g. warrant number) | xsd:string |
investigation:authorizationType | owl:DatatypeProperty | A label categorizing a type of authorization (e.g. warrant) | xsd:string |
investigation:exhibitNumber | owl:DatatypeProperty | Specifies a unique identifier assigned to a given object at any stage of an investigation to differentiate it from all other objects. | xsd:string |
investigation:focus | owl:DatatypeProperty | Specifies the topical focus of an investigation. | xsd:string |
investigation:investigationForm | owl:DatatypeProperty | A label categorizing a type of investigation (case, incident, suspicious-activity, etc.) | vocab:InvestigationFormVocab |
investigation:investigationStatus | owl:DatatypeProperty | A label characterizing the status of an investigation (open, closed, etc.). | xsd:string |
investigation:relevantAuthorization | owl:ObjectProperty | Specifies an authorization relevant to a particular investigation. | investigation:Authorization |
investigation:rootExhibitNumber | owl:DatatypeProperty | Specifies a unique identifier assigned to a given object at the start of its treatment as part of an investigation. The first node in a provenance chain, which can be viewed as a hierarchical tree originating from a single root. | xsd:string |
By the associated SHACL property shapes, instances of observable:ProcessFacet can have the following properties:
PROPERTY | PROPERTY TYPE | DESCRIPTION | MIN COUNT | MAX COUNT | LOCAL RANGE | GLOBAL RANGE |
---|---|---|---|---|---|---|
observable:ProcessFacet | ||||||
observable:arguments | owl:DatatypeProperty | A list of arguments utilized in initiating the process. | 0 | * | xsd:string | xsd:string |
observable:binary | owl:ObjectProperty | | 0 | 1 | observable:ObservableObject | observable:ObservableObject |
observable:creatorUser | owl:ObjectProperty | The user that created/owns the process. | 0 | 1 | observable:ObservableObject | observable:ObservableObject |
observable:currentWorkingDirectory | owl:DatatypeProperty | | 0 | 1 | xsd:string | xsd:string |
observable:environmentVariables | owl:ObjectProperty | A list of environment variables associated with the process. | 0 | 1 | types:Dictionary | types:Dictionary |
observable:exitStatus | owl:DatatypeProperty | A small number passed from the process to the parent process when it has finished executing. In general, 0 indicates successful termination, any other number indicates a failure. | 0 | 1 | xsd:integer | xsd:integer |
observable:exitTime | owl:DatatypeProperty | The time at which the process exited. | 0 | 1 | xsd:dateTime | xsd:dateTime |
observable:isHidden | owl:DatatypeProperty | The isHidden property specifies whether the process is hidden or not. | 0 | 1 | xsd:boolean | xsd:boolean |
observable:observableCreatedTime | owl:DatatypeProperty | The date and time at which the observable object being characterized was created. This time pertains to an intrinsic characteristic of the observable object, and would be consistent across independent characterizations or observations of the observable object. | 0 | 1 | xsd:dateTime | xsd:dateTime |
observable:parent | owl:ObjectProperty | The process that created this process. | 0 | 1 | observable:ObservableObject | observable:ObservableObject |
observable:pid | owl:DatatypeProperty | The Process ID, or PID, of the process. | 0 | 1 | xsd:integer | xsd:integer |
observable:status | owl:DatatypeProperty | Specifies a list of statuses for a given Whois entry. | 0 | 1 | xsd:string | owl:Thing |

```turtle
@prefix core: <https://unifiedcyberontology.org/ontology/uco/core#> .
@prefix observable: <https://unifiedcyberontology.org/ontology/uco/observable#> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix types: <https://unifiedcyberontology.org/ontology/uco/types#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

observable:ProcessFacet a owl:Class,
        sh:NodeShape ;
    rdfs:label "ProcessFacet"@en ;
    rdfs:comment "A process facet is a grouping of characteristics unique to an instance of a computer program executed on an operating system."@en ;
    rdfs:subClassOf core:Facet ;
    sh:property [ sh:class observable:ObservableObject ;
            sh:maxCount 1 ;
            sh:nodeKind sh:BlankNodeOrIRI ;
            sh:path observable:binary ],
        [ sh:class observable:ObservableObject ;
            sh:maxCount 1 ;
            sh:nodeKind sh:BlankNodeOrIRI ;
            sh:path observable:creatorUser ],
        [ sh:class observable:ObservableObject ;
            sh:maxCount 1 ;
            sh:nodeKind sh:BlankNodeOrIRI ;
            sh:path observable:parent ],
        [ sh:class types:Dictionary ;
            sh:maxCount 1 ;
            sh:nodeKind sh:BlankNodeOrIRI ;
            sh:path observable:environmentVariables ],
        [ sh:datatype xsd:boolean ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:isHidden ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:exitTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:observableCreatedTime ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:exitStatus ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:pid ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:currentWorkingDirectory ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:status ],
        [ sh:datatype xsd:string ;
            sh:nodeKind sh:Literal ;
            sh:path observable:arguments ] ;
    sh:targetClass observable:ProcessFacet .
```