capa/tests/fixtures/matcher/dynamic/process.yml

- name: process-scope-basic
  description: process scope matches features aggregated across threads
  rules:
    - name: process-apis
      scopes:
        dynamic: process
      features:
        - and:
            - api: CreateFileW
            - api: WriteFile
  features: |
    proc: sample.exe (pid=3052)
     thread: 3064
      call: 1: api(CreateFileW)
     thread: 3065
      call: 2: api(WriteFile)
  expect:
    matches:
      process-apis:
        - "process{pid:3052}"

- name: process-scope-no-match
  description: process scope does not match when features are split across processes
  rules:
    - name: process-split
      scopes:
        dynamic: process
      features:
        - and:
            - api: CreateFileW
            - api: WriteFile
  features: |
    proc: sample.exe (pid=3052)
     thread: 3064
      call: 1: api(CreateFileW)
    proc: other.exe (pid=3053)
     thread: 4000
      call: 2: api(WriteFile)
  expect:
    matches: {}