What is an Atom?

Atoms are Globally Unique Identifiers that look like this: 1e9e242a512d9a9b16d326ac30229e7b. You can treat an Atom as an opaque value. These unique values are used to relate events together without relying on clunky and unreliable identifiers such as Process IDs, which the operating system reuses once a process exits.

Atoms can be found in 3 locations:
routing/parent
routing/this
routing/target

The routing/this Atom is the identifier of the current event. The routing/parent Atom holds the global identifier of the current event's parent event. Using these two Atoms, you can reconstruct an entire tree of events.

For a process event, the parent relationship is the usual process lineage: the parent process spawned the child process. For other types of events the nature of this relationship can vary. For example, for a NETWORK_SUMMARY event the parent is the process that generated the network connections.

If you are using your own storage and searching solution, you will likely want to index the values of routing/this and routing/parent for each event. Indexing these values lets you quickly walk from any event up to its root cause and down to every action it triggered on your hosts.

Finally, routing/target is only sometimes present in an event. It identifies a second related event that is not in a parent-child relationship with the current one. For example, in the NEW_REMOTE_THREAD event, the target is the process in which the remote thread was created.


Basic example:

Event 1
{ "routing": { "this": "zxcv", "parent": "poiuy" } }

Event 2
{ "routing": { "this": "abcdef", "parent": "zxcv" } }

Event 2's parent Atom ("zxcv") equals Event 1's this Atom, so Event 1 is the parent of Event 2 (Event 1 ---> Event 2).
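The indexing described above, carried through on the basic example's shape, as an added illustration that is not part of the original page or the vendor's own code. It indexes a handful of constructed events by routing/this, routing/parent and routing/target, then walks the tree in both directions and follows a target link. The event_type key under routing, the field names under "event", and the shortened Atom values are assumptions made for readability; the page itself only describes the three Atoms.

```python
from collections import defaultdict

# Constructed sample events, not real telemetry. Atom values are made-up hex
# strings shortened for readability; real Atoms are 32-hex-character GUIDs.
# Placing event_type under routing and the field names under "event" are
# assumptions for this example; the page only describes the three Atoms.
SAMPLE_EVENTS = [
    {"routing": {"this": "aaaa01", "parent": "ffff00", "event_type": "NEW_PROCESS"},
     "event": {"FILE_PATH": "C:\\Windows\\explorer.exe"}},
    {"routing": {"this": "aaaa02", "parent": "aaaa01", "event_type": "NEW_PROCESS"},
     "event": {"FILE_PATH": "C:\\Office\\winword.exe"}},
    {"routing": {"this": "aaaa03", "parent": "aaaa02", "event_type": "NEW_PROCESS"},
     "event": {"FILE_PATH": "C:\\Windows\\System32\\cmd.exe"}},
    {"routing": {"this": "aaaa04", "parent": "aaaa03", "event_type": "NETWORK_SUMMARY"},
     "event": {"DESTINATION": "203.0.113.10:443"}},
    {"routing": {"this": "aaaa05", "parent": "aaaa01", "event_type": "NEW_PROCESS"},
     "event": {"FILE_PATH": "C:\\Windows\\System32\\notepad.exe"}},
    # A remote thread created by cmd.exe inside notepad.exe: parent is the
    # creating process, target is the process that received the thread.
    {"routing": {"this": "aaaa06", "parent": "aaaa03", "target": "aaaa05",
                 "event_type": "NEW_REMOTE_THREAD"},
     "event": {}},
]


class AtomIndex:
    """Index events by routing/this, routing/parent and routing/target."""

    def __init__(self, events):
        self.by_this = {}                     # Atom -> event
        self.children = defaultdict(list)     # parent Atom -> [child Atoms]
        self.targeted_by = defaultdict(list)  # target Atom -> [event Atoms]
        for ev in events:
            routing = ev["routing"]
            atom = routing["this"]
            if atom in self.by_this:
                # Atoms are globally unique; a repeat means duplicated ingest.
                raise ValueError(f"duplicate routing/this Atom: {atom}")
            self.by_this[atom] = ev
            if "parent" in routing:
                self.children[routing["parent"]].append(atom)
            if "target" in routing:
                self.targeted_by[routing["target"]].append(atom)

    def ancestors(self, atom):
        """Parent Atoms from nearest to farthest, following routing/parent.

        The walk stops at a parent we hold no event for (the root as far as
        our storage knows) and guards against malformed cycles."""
        chain, seen = [], {atom}
        ev = self.by_this.get(atom)
        while ev is not None:
            parent = ev["routing"].get("parent")
            if parent is None or parent in seen:
                break
            seen.add(parent)
            chain.append(parent)
            ev = self.by_this.get(parent)
        return chain

    def root_cause(self, atom):
        """Oldest ancestor we actually hold an event for (or the atom itself)."""
        known = [a for a in self.ancestors(atom) if a in self.by_this]
        return known[-1] if known else atom

    def descendants(self, atom):
        """All Atoms reachable downward through routing/parent."""
        out, seen = [], set()
        stack = list(self.children.get(atom, []))
        while stack:
            a = stack.pop()
            if a in seen:
                continue
            seen.add(a)
            out.append(a)
            stack.extend(self.children.get(a, []))
        return out

    def render(self, atom, depth=0):
        """Indented text tree; target links are shown as '-> target'."""
        ev = self.by_this[atom]
        r = ev["routing"]
        detail = ev["event"].get("FILE_PATH") or ev["event"].get("DESTINATION") or ""
        line = f"{'  ' * depth}{r.get('event_type', '?')} {atom} {detail}".rstrip()
        if "target" in r:
            line += f" -> target {r['target']}"
        lines = [line]
        for child in self.children.get(atom, []):
            lines.extend(self.render(child, depth + 1))
        return lines


if __name__ == "__main__":
    idx = AtomIndex(SAMPLE_EVENTS)
    print("\n".join(idx.render("aaaa01")))
    print("root cause of aaaa04:", idx.root_cause("aaaa04"))
    print("events targeting aaaa05:", idx.targeted_by["aaaa05"])
```

Because routing/parent is the only upward link, the ancestor walk has to stop at the first parent Atom you hold no event for; that is what root_cause reports, and it only equals the true origin if your storage kept the whole lineage. The targeted_by index is what turns a NEW_REMOTE_THREAD's routing/target into the question an analyst actually asks: which process was injected into, and by whom.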