This view is available with Lacework data share v.1 and later.
This view provides a historical summary of processes with some aggregation.
Lacework continuously monitors for processes in your environment and returns a row in the PROCESS_SUMMARY_V view each time it detects a new key. For this view, the key is generated from the MID (machine ID), PID, PPID, START_TIME, and END_TIME. Because process rows are aggregated hourly, the same key detected twice within one hourly window (for example, between 1:00 AM START_TIME and 1:59 AM END_TIME) produces only one row for that hour. In the next hour, the START_TIME (2:00 AM) and END_TIME (2:59 AM) differ, so if the same process is detected again, a new row is returned because the key is different.
Each row contains process information as listed in the columns.
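The following added example (not Lacework code) models the keying and hourly aggregation described above so you can check how many rows a given stream of process observations would produce. It assumes, as the text's 1:00/1:59 example suggests, that each window runs from the top of the hour to 59 minutes past, and it keeps the attributes of the first observation for a key; the observation records are constructed sample data.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample observations, not real Lacework data. Process A
# (MID 1001, PID 4242, PPID 1) is seen twice in the 1 AM hour and once in
# the 2 AM hour; process B is seen once in the 1 AM hour.
OBSERVATIONS: List[dict] = [
    {"mid": 1001, "pid": 4242, "ppid": 1, "observed_at": datetime(2024, 1, 1, 1, 10),
     "username": "app", "uid": 1000, "file_path": "/usr/bin/python3",
     "cmdline_hash": "hash_a", "pod_name": None, "container_id": None,
     "process_start_time": datetime(2024, 1, 1, 1, 9)},
    {"mid": 1001, "pid": 4242, "ppid": 1, "observed_at": datetime(2024, 1, 1, 1, 40),
     "username": "app", "uid": 1000, "file_path": "/usr/bin/python3",
     "cmdline_hash": "hash_a", "pod_name": None, "container_id": None,
     "process_start_time": datetime(2024, 1, 1, 1, 9)},
    {"mid": 1001, "pid": 4242, "ppid": 1, "observed_at": datetime(2024, 1, 1, 2, 5),
     "username": "app", "uid": 1000, "file_path": "/usr/bin/python3",
     "cmdline_hash": "hash_a", "pod_name": None, "container_id": None,
     "process_start_time": datetime(2024, 1, 1, 1, 9)},
    {"mid": 2002, "pid": 77, "ppid": 1, "observed_at": datetime(2024, 1, 1, 1, 30),
     "username": "root", "uid": 0, "file_path": "/usr/sbin/sshd",
     "cmdline_hash": "hash_b", "pod_name": None, "container_id": None,
     "process_start_time": datetime(2024, 1, 1, 0, 55)},
]

Key = Tuple[int, int, int, datetime, datetime]


def hour_window(ts: datetime) -> Tuple[datetime, datetime]:
    """Return the (START_TIME, END_TIME) window containing ts.

    Assumption: the window is the top of the hour through 59 minutes past,
    matching the 1:00 AM / 1:59 AM example in the text.
    """
    start = ts.replace(minute=0, second=0, microsecond=0)
    return start, start + timedelta(minutes=59)


def summary_key(obs: dict) -> Key:
    """Build the view key: MID, PID, PPID, START_TIME, END_TIME."""
    start, end = hour_window(obs["observed_at"])
    return (obs["mid"], obs["pid"], obs["ppid"], start, end)


def summarize(observations: List[dict]) -> List[dict]:
    """Collapse raw observations into one PROCESS_SUMMARY_V-style row per key.

    A repeat of an existing key inside the same hourly window adds no row;
    the same process in a later window gets a new row because the key differs.
    """
    rows: Dict[Key, dict] = {}
    for obs in observations:
        key = summary_key(obs)
        if key in rows:
            continue  # same key within this hour: already summarized
        start, end = key[3], key[4]
        rows[key] = {
            "START_TIME": start,
            "END_TIME": end,
            "MID": obs["mid"],
            "PID": obs["pid"],
            "PPID": obs["ppid"],
            "USERNAME": obs["username"],
            "UID": obs["uid"],
            "FILE_PATH": obs["file_path"],
            "CMDLINE_HASH": obs["cmdline_hash"],
            "POD_NAME": obs["pod_name"],
            "PROCESS_START_TIME": obs["process_start_time"],
            "CONTAINER_ID": obs["container_id"],
        }
    return list(rows.values())


def windows_for_process(rows: List[dict], mid: int, pid: int, ppid: int) -> List[Tuple[datetime, datetime]]:
    """List the hourly windows in which a given MID/PID/PPID produced a row."""
    return sorted(
        (r["START_TIME"], r["END_TIME"])
        for r in rows
        if (r["MID"], r["PID"], r["PPID"]) == (mid, pid, ppid)
    )


if __name__ == "__main__":
    for row in summarize(OBSERVATIONS):
        print(row["MID"], row["PID"], row["START_TIME"], row["END_TIME"])
```

Running the block prints three rows: two for process A (one per hourly window it was seen in) and one for process B. When you count rows for a process in the view, remember that a long-running process therefore appears once per hour, so a row count is a measure of hours observed, not of distinct executions; PROCESS_START_TIME is the column to use for the latter.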
| Column Name | Data Type | Description |
|---|---|---|
| START_TIME | Timestamp | The time and date when the hourly aggregation time period starts. |
| END_TIME | Timestamp | The time and date when the hourly aggregation time period ends. |
| MID | Number | The Lacework-generated machine identifier for the system where the process is running. |
| PID | Number | The number that uniquely identifies the process. |
| PPID | Number | The parent PID of the process that started this process. |
| USERNAME | Text | The username that started the process. |
| UID | Number | The Linux unique identifier associated with the user on this machine. |
| FILE_PATH | Text | The full directory path to a file. |
| CMDLINE_HASH | Text | The hash generated by hashing the command line name. |
| POD_NAME | Text | The name of a pod. A pod is a group of containers. |
| PROCESS_START_TIME | Timestamp | The actual time when the process starts. |
| CONTAINER_ID | Text | The container ID the process is running under. |