Hi, I am trying to capture process_events in Linux using the process_events table. Is it possible to identify from the event, that the process was started or terminated? As an example, I captured the following event, but there is no identifying information about the status of the process. OS used is CentOS7.

{
  "counter": 0,
  "unixTime": 1627455088,
  "atime": "1627454699",
  "auid": "1000",
  "btime": "0",
  "cmdline": "python3",
  "ctime": "1610552918",
  "cwd": "/",
  "egid": "0",
  "euid": "0",
  "fsgid": "0",
  "fsuid": "0",
  "gid": "0",
  "mode": "0100755",
  "mtime": "1605545975",
  "owner_gid": "0",
  "owner_uid": "0",
  "parent": "7041",
  "path": "/usr/bin/python3.6",
  "pid": "9888",
  "sgid": "0",
  "suid": "0",
  "syscall": "execve",
  "time": "1627454887",
  "uid": "0",
  "uptime": "16902318"
}

A bit of a late answer, but osquery currently doesn't track the

exit

syscall, so every process event you see is about a process starting.

Thanks a lot for answering this Stefano.