PROCESS_SUMMARY_V View
This view provides a historical summary of processes with some aggregation.
Lacework continuously monitors for processes in your environment and returns a row in the PROCESS_SUMMARY_V view when Lacework detects a new key. For this view, a key is generated from the MID (machine id), PID, PPID, START_TIME, and END_TIME. Note that the process rows are aggregated hourly. For example, if the same key is detected twice between 1:00 AM (START_TIME) and 1:59 AM (END_TIME), only one row is returned for this hour. For the next hour, the START_TIME (2:00 AM) and END_TIME (2:59 AM) are different so if the same process is detected again, a new row is returned because the key is different.
Each row contains process information as listed in the columns.
| Column Name | Data Type | Description |
|---|---|---|
| START_TIME | Timestamp | The time and date when the hourly aggregation time period starts. |
| END_TIME | Timestamp | The time and date when the hourly aggregation time period ends. |
| MID | Number | The Lacework-generated machine identifier for the system where the process is running. |
| PID | Number | The number that uniquely identifies the process. |
| PPID | Number | The parent PID of the process that started this process. |
| USERNAME | Text | The username that started the process. |
| UID | Number | The Linux unique identifier associated with the user on this machine. |
| FILE_PATH | Text | The full directory path to a file. |
| CMDLINE_HASH | Text | The hash generated by hashing the command line name. |
| POD_NAME | Text | The name of a pod. A pod is a group of containers. |
| PROCESS_START_TIME | Timestamp | The actual time when the process starts. |
| CONTAINER_ID | Text | The container id the process is running under. |