On the Services tab, the middle pane displays all the services associated with the selected scope. The number with a red circle indicates the number of alarms for that service. The right pane displays Behaviors, Members, and Rules tabs. By default, you see the Behaviors tab. Behaviors are process executions (CLIs) and network activities (inbound and outbound connections) exhibited within a service.

Click the name of the behavior card and view the behavior details like MD5, process path, SHA256, and CLI details.

Hash is considered as MD5 + SHA256. Process path is wild carded automatically when the process path for the same hash changes multiple times and goes beyond a configurable threshold. Same hash can contain the process name, process folder name or both.

You can view the wildcard settings under the Settings page. For details, refer to Allowed Behavior Settings.