add origin_referrer_url and origin_url to the process attribute

.chloggen/process_originevents.yaml

@@ -0,0 +1,22 @@
+# Use this changelog template to create an entry for release notes.
+#
+# If your change doesn't affect end users you should instead start
+# your pull request title with [chore] or use the "Skip Changelog" label.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
+component: process
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: add process.origin_referrer_url, process.origin_url, and process.zone_identifier
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+# The values here must be integers.
+issues: [1517]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

docs/attributes-registry/process.md

@@ -30,6 +30,8 @@ An operating system process.
 | <a id="process-exit-time" href="#process-exit-time">`process.exit.time`</a> | string | The date and time the process exited, in ISO 8601 format. | `2023-11-21T09:26:12.315Z` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | <a id="process-group-leader-pid" href="#process-group-leader-pid">`process.group_leader.pid`</a> | int | The PID of the process's group leader. This is also the process group ID (PGID) of the process. | `23` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | <a id="process-interactive" href="#process-interactive">`process.interactive`</a> | boolean | Whether the process is connected to an interactive shell. |  | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| <a id="process-origin-referrer-url" href="#process-origin-referrer-url">`process.origin_referrer_url`</a> | string | The URL of the webpage that linked to the process's executable file. [2] | `http://example.com/article1.html` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| <a id="process-origin-url" href="#process-origin-url">`process.origin_url`</a> | string | The URL where the process's executable file is hosted. [3] | `http://example.com/files/example.exe` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | <a id="process-owner" href="#process-owner">`process.owner`</a> | string | The username of the user that owns the process. | `root` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | <a id="process-paging-fault-type" href="#process-paging-fault-type">`process.paging.fault_type`</a> | string | The type of page fault for this data point. Type `major` is for major/hard page faults, and `minor` is for minor/soft page faults. | `major`; `minor` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | <a id="process-parent-pid" href="#process-parent-pid">`process.parent_pid`</a> | int | Parent Process identifier (PPID). | `111` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
@@ -42,17 +44,22 @@ An operating system process.
 | <a id="process-saved-user-id" href="#process-saved-user-id">`process.saved_user.id`</a> | int | The saved user ID (SUID) of the process. | `1002` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | <a id="process-saved-user-name" href="#process-saved-user-name">`process.saved_user.name`</a> | string | The username of the saved user. | `operator` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | <a id="process-session-leader-pid" href="#process-session-leader-pid">`process.session_leader.pid`</a> | int | The PID of the process's session leader. This is also the session ID (SID) of the process. | `14` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| <a id="process-title" href="#process-title">`process.title`</a> | string | Process title (proctitle) [2] | `cat /etc/hostname`; `xfce4-session`; `bash` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| <a id="process-title" href="#process-title">`process.title`</a> | string | Process title (proctitle) [4] | `cat /etc/hostname`; `xfce4-session`; `bash` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | <a id="process-user-id" href="#process-user-id">`process.user.id`</a> | int | The effective user ID (EUID) of the process. | `1001` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | <a id="process-user-name" href="#process-user-name">`process.user.name`</a> | string | The username of the effective user of the process. | `root` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
-| <a id="process-vpid" href="#process-vpid">`process.vpid`</a> | int | Virtual process identifier. [3] | `12` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| <a id="process-vpid" href="#process-vpid">`process.vpid`</a> | int | Virtual process identifier. [5] | `12` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 | <a id="process-working-directory" href="#process-working-directory">`process.working_directory`</a> | string | The working directory of the process. | `/root` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| <a id="process-zone-identifier" href="#process-zone-identifier">`process.zone_identifier`</a> | int | Windows Zone Identifier for the process's executable file. | `3` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
 
 **[1]:** This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
 
-**[2]:** In many Unix-like systems, process title (proctitle), is the string that represents the name or command line of a running process, displayed by system monitoring tools like ps, top, and htop.
+**[2]:** This information comes from metadata or alternate data streams linked to the process's executable file. `process.origin_url` represents the URL from which the file was downloaded, and `process.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `process.origin_url` and `process.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information.
 
-**[3]:** The process ID within a PID namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
+**[3]:** This information comes from metadata or alternate data streams linked to the process's executable file. `process.origin_url` represents the URL from which the file was downloaded, and `process.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `process.origin_url` and `process.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information.
+
+**[4]:** In many Unix-like systems, process title (proctitle), is the string that represents the name or command line of a running process, displayed by system monitoring tools like ps, top, and htop.
+
+**[5]:** The process ID within a PID namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
 
 `process.context_switch_type` has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.
 

model/process/registry.yaml

@@ -116,6 +116,30 @@ groups:
         requirement_level:
           recommended: if `process.command_args` is populated.
         examples: [4]
+      - id: process.origin_referrer_url
+        type: string
+        stability: experimental
+        brief: >
+          The URL of the webpage that linked to the process's executable file.
+        note: >
+          This information comes from metadata or alternate data streams linked to the process's executable file.
+          `process.origin_url` represents the URL from which the file was downloaded, and `process.origin_referrer_url`
+          indicates the URL of the page where that URL was listed. There may be cases where both `process.origin_url`
+          and `process.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain
+          sensitive information.
+        examples: ['http://example.com/article1.html']
+      - id: process.origin_url
+        type: string
+        stability: experimental
+        brief: >
+          The URL where the process's executable file is hosted.
+        note: >
+          This information comes from metadata or alternate data streams linked to the process's executable file.
+          `process.origin_url` represents the URL from which the file was downloaded, and `process.origin_referrer_url`
+          indicates the URL of the page where that URL was listed. There may be cases where both `process.origin_url`
+          and `process.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain
+          sensitive information.
+        examples: ['http://example.com/files/example.exe']
       - id: process.owner
         type: string
         stability: experimental
@@ -241,3 +265,9 @@ groups:
               value: 'minor'
               stability: experimental
         stability: experimental
+      - id: process.zone_identifier
+        type: int
+        stability: experimental
+        brief: >
+          Windows Zone Identifier for the process's executable file. 
+        examples: 3