diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 39f80047af3..809ba6207ce 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -166,6 +166,7 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d
 - Add `ignore_errors` option to audit module. {issue}15768[15768] {pull}36851[36851]
 - Fix copy arguments for strict aligned architectures. {pull}36976[36976]
+- Add process capabilities to the process module. {issue}36404[36404] {pull}37303[37303]
 *Filebeat*
diff --git a/x-pack/auditbeat/module/system/process/process.go b/x-pack/auditbeat/module/system/process/process.go
index d2dfae06598..69a74f41d02 100644
--- a/x-pack/auditbeat/module/system/process/process.go
+++ b/x-pack/auditbeat/module/system/process/process.go
@@ -101,12 +101,13 @@ type MetricSet struct {
 // Process represents information about a process.
 type Process struct {
- Info types.ProcessInfo
- UserInfo *types.UserInfo
- User *user.User
- Group *user.Group
- Hashes map[hasher.HashType]hasher.Digest
- Error error
+ Info types.ProcessInfo
+ UserInfo *types.UserInfo
+ User *user.User
+ Group *user.Group
+ CapabilityInfo *types.CapabilityInfo
+ Hashes map[hasher.HashType]hasher.Digest
+ Error error
 }
 // Hash creates a hash for Process.
@@ -353,6 +354,17 @@ func (ms *MetricSet) processEvent(process *Process, eventType string, action eve
 },
 }
+ if process.CapabilityInfo != nil {
+ if len(process.CapabilityInfo.Effective) > 0 {
+ event.RootFields.Put("process.thread.capabilities.effective",
+ process.CapabilityInfo.Effective)
+ }
+ if len(process.CapabilityInfo.Permitted) > 0 {
+ event.RootFields.Put("process.thread.capabilities.permitted",
+ process.CapabilityInfo.Permitted)
+ }
+ }
+
 if process.UserInfo != nil {
 putIfNotEmpty(&event.RootFields, "user.id", process.UserInfo.UID)
 putIfNotEmpty(&event.RootFields, "user.group.id", process.UserInfo.GID)
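Review bot: The new `CapabilityInfo` field in the `Process` struct carries no comment saying when it is populated, yet it is a pointer that the event code tests for nil. Judging from the getProcesses hunk below it is set only when the sysinfo process value implements `types.Capabilities`, so a one-line field comment would spare readers of processEvent a trip to the collector: `CapabilityInfo *types.CapabilityInfo // nil when the platform's process type does not implement types.Capabilities`. The neighbouring fields are equally undocumented, so this is a suggestion for the new field only.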
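Review bot: Both new `event.RootFields.Put` calls in processEvent discard the `(value, error)` result, while the neighbouring user fields go through `putIfNotEmpty`; if that helper cannot take the capability slices, the dropped error should at least be justified with a comment, e.g. `// Put cannot fail for a fresh string key; result intentionally ignored.` Because the effective and permitted sets are only emitted when non-empty, a consumer cannot distinguish "process holds no capabilities" from "capabilities were not collected", and the latter surfaces only through `process.Error`; a comment above the block such as `// Capability sets are emitted only when non-empty; a collection failure is reported via process.Error, not as an empty field.` would make that contract explicit for anyone writing detection rules on these fields. processEvent starts and ends outside this hunk.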
@@ -488,6 +500,13 @@ func (ms *MetricSet) getProcesses() ([]*Process, error) {
 process.UserInfo = &userInfo
 }
+ if capIface, ok := sysinfoProc.(types.Capabilities); ok {
+ process.CapabilityInfo, err = capIface.Capabilities()
+ if err != nil && process.Error == nil {
+ process.Error = fmt.Errorf("failed to load capabilities for PID %d: %w",
+ sysinfoProc.PID(), err)
+ }
+ }
 // Exclude Linux kernel processes, they are not very interesting.
 if runtime.GOOS == "linux" && userInfo.UID == "0" && process.Info.Exe == "" {
 continue
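Review bot: The capability lookup is placed before the kernel-thread exclusion on the lines that follow it, so on Linux every kernel thread (UID "0", empty Exe) pays for a `Capabilities()` call whose result is immediately thrown away by `continue`; moving the block below that check avoids the wasted per-process work. The assignment also writes into the loop's shared `err` with `=`, so if `err` is inspected later in the loop body (outside this hunk) a failure that was already folded into `process.Error` could be acted on a second time; a locally scoped error variable removes that hazard. The enclosing getProcesses continues past the end of this hunk.
```go
	// … unchanged: process.UserInfo assignment …

	// … unchanged: kernel-process exclusion (runtime.GOOS == "linux" … continue), now ahead of the capability lookup …

	// Capability sets are optional: only platforms whose process type
	// implements types.Capabilities report them. A failure is recorded
	// on the process (first error wins) instead of aborting the scan.
	if capIface, ok := sysinfoProc.(types.Capabilities); ok {
		var capErr error
		process.CapabilityInfo, capErr = capIface.Capabilities()
		if capErr != nil && process.Error == nil {
			process.Error = fmt.Errorf("failed to load capabilities for PID %d: %w",
				sysinfoProc.PID(), capErr)
		}
	}
	// … unchanged: rest of the loop body …
```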