diff --git a/.chloggen/process_originevents.yaml b/.chloggen/process_originevents.yaml
new file mode 100644
index 0000000000..044ceec68c
--- /dev/null
+++ b/.chloggen/process_originevents.yaml
@@ -0,0 +1,22 @@
+# Use this changelog template to create an entry for release notes.
+#
+# If your change doesn't affect end users you should instead start
+# your pull request title with [chore] or use the "Skip Changelog" label.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
+component: process
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: add process.executable.origin_referrer_url and process.executable.origin_url
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+# The values here must be integers.
+issues: [1517]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/docs/attributes-registry/process.md b/docs/attributes-registry/process.md
index 4ba9cdb3aa..1945e8f76e 100644
--- a/docs/attributes-registry/process.md
+++ b/docs/attributes-registry/process.md
@@ -26,6 +26,8 @@ An operating system process.
| `process.executable.build_id.go` | string | The Go build ID as retrieved by `go tool buildid `. | `foh3mEXu7BLZjsN9pOwG/kATcXlYVCDEFouRMQed_/WwRFB1hPo9LBkekthSPG/x8hMC8emW2cCjXD0_1aY` |  |
| `process.executable.build_id.htlhash` | string | Profiling specific build ID for executables. See the OTel specification for Profiles for more information. | `600DCAFE4A110000F2BF38C493F5FB92` |  |
| `process.executable.name` | string | The name of the process executable. On Linux based systems, can be set to the `Name` in `proc/[pid]/status`. On Windows, can be set to the base name of `GetProcessImageFileNameW`. | `otelcol` |  |
+| `process.executable.origin_referrer_url` | string | The URL of the webpage that linked to the process's executable file. [2] | `http://example.com/article1.html` |  |
+| `process.executable.origin_url` | string | The URL where the process's executable file is hosted. [3] | `http://example.com/files/example.exe` |  |
| `process.executable.path` | string | The full path to the process executable. On Linux based systems, can be set to the target of `proc/[pid]/exe`. On Windows, can be set to the result of `GetProcessImageFileNameW`. | `/usr/bin/cmd/otelcol` |  |
| `process.exit.code` | int | The exit code of the process. | `127` |  |
| `process.exit.time` | string | The date and time the process exited, in ISO 8601 format. | `2023-11-21T09:26:12.315Z` |  |
@@ -43,17 +45,21 @@ An operating system process.
| `process.saved_user.id` | int | The saved user ID (SUID) of the process. | `1002` |  |
| `process.saved_user.name` | string | The username of the saved user. | `operator` |  |
| `process.session_leader.pid` | int | The PID of the process's session leader. This is also the session ID (SID) of the process. | `14` |  |
-| `process.title` | string | Process title (proctitle) [2] | `cat /etc/hostname`; `xfce4-session`; `bash` |  |
+| `process.title` | string | Process title (proctitle) [4] | `cat /etc/hostname`; `xfce4-session`; `bash` |  |
| `process.user.id` | int | The effective user ID (EUID) of the process. | `1001` |  |
| `process.user.name` | string | The username of the effective user of the process. | `root` |  |
-| `process.vpid` | int | Virtual process identifier. [3] | `12` |  |
+| `process.vpid` | int | Virtual process identifier. [5] | `12` |  |
| `process.working_directory` | string | The working directory of the process. | `/root` |  |
**[1] `process.args_count`:** This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
-**[2] `process.title`:** In many Unix-like systems, process title (proctitle), is the string that represents the name or command line of a running process, displayed by system monitoring tools like ps, top, and htop.
+**[2] `process.executable.origin_referrer_url`:** This information comes from metadata or alternate data streams linked to the process's executable file. `process.executable.origin_url` represents the URL from which the file was downloaded, and `process.executable.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `process.executable.origin_url` and `process.executable.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information.
-**[3] `process.vpid`:** The process ID within a PID namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
+**[3] `process.executable.origin_url`:** This information comes from metadata or alternate data streams linked to the process's executable file. `process.executable.origin_url` represents the URL from which the file was downloaded, and `process.executable.origin_referrer_url` indicates the URL of the page where that URL was listed. There may be cases where both `process.executable.origin_url` and `process.executable.origin_referrer_url` exist, or only one of them is present. Note that the URL itself may contain sensitive information.
+
+**[4] `process.title`:** In many Unix-like systems, process title (proctitle), is the string that represents the name or command line of a running process, displayed by system monitoring tools like ps, top, and htop.
+
+**[5] `process.vpid`:** The process ID within a PID namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.
---
@@ -79,9 +85,9 @@ Describes Linux Process attributes
| Attribute | Type | Description | Examples | Stability |
|---|---|---|---|---|
-| `process.linux.cgroup` | string | The control group associated with the process. [4] | `1:name=systemd:/user.slice/user-1000.slice/session-3.scope`; `0::/user.slice/user-1000.slice/user@1000.service/tmux-spawn-0267755b-4639-4a27-90ed-f19f88e53748.scope` |  |
+| `process.linux.cgroup` | string | The control group associated with the process. [6] | `1:name=systemd:/user.slice/user-1000.slice/session-3.scope`; `0::/user.slice/user-1000.slice/user@1000.service/tmux-spawn-0267755b-4639-4a27-90ed-f19f88e53748.scope` |  |
-**[4] `process.linux.cgroup`:** Control groups (cgroups) are a kernel feature used to organize and manage process resources. This attribute provides the path(s) to the cgroup(s) associated with the process, which should match the contents of the [/proc/\[PID\]/cgroup](https://man7.org/linux/man-pages/man7/cgroups.7.html) file.
+**[6] `process.linux.cgroup`:** Control groups (cgroups) are a kernel feature used to organize and manage process resources. This attribute provides the path(s) to the cgroup(s) associated with the process, which should match the contents of the [/proc/\[PID\]/cgroup](https://man7.org/linux/man-pages/man7/cgroups.7.html) file.
## Deprecated Process Attributes
diff --git a/model/process/registry.yaml b/model/process/registry.yaml
index 4e2c32e4f1..f594255513 100644
--- a/model/process/registry.yaml
+++ b/model/process/registry.yaml
@@ -76,6 +76,30 @@ groups:
be set to the target of `proc/[pid]/exe`. On Windows, can be set to the
result of `GetProcessImageFileNameW`.
examples: ['/usr/bin/cmd/otelcol']
+ - id: process.executable.origin_referrer_url
+ type: string
+ stability: experimental
+ brief: >
+ The URL of the webpage that linked to the process's executable file.
+ note: >
+ This information comes from metadata or alternate data streams linked to the process's executable file.
+ `process.executable.origin_url` represents the URL from which the file was downloaded, and
+ `process.executable.origin_referrer_url` indicates the URL of the page where that URL was listed.
+ There may be cases where both `process.executable.origin_url` and `process.executable.origin_referrer_url`
+ exist, or only one of them is present. Note that the URL itself may contain sensitive information.
+ examples: ['http://example.com/article1.html']
+ - id: process.executable.origin_url
+ type: string
+ stability: experimental
+ brief: >
+ The URL where the process's executable file is hosted.
+ note: >
+ This information comes from metadata or alternate data streams linked to the process's executable file.
+ `process.executable.origin_url` represents the URL from which the file was downloaded, and
+ `process.executable.origin_referrer_url` indicates the URL of the page where that URL was listed.
+ There may be cases where both `process.executable.origin_url` and `process.executable.origin_referrer_url`
+ exist, or only one of them is present. Note that the URL itself may contain sensitive information.
+ examples: ['http://example.com/files/example.exe']
- id: process.command
type: string
stability: experimental