Process Name, Process Path, Process Key, Process Trust, and Process Threat

Several Process fields are used within events generated by the App Control Agent.

Most of them are similar to the File fields, except that they describe the running process that caused an event to be generated rather than the file that is the target of an action. For example, when a file execution is blocked and the “Execution block” event is generated, the event will include the Process Name field with the file name of the program that tried to launch the blocked file.

The Process field provides the full path and name of the process associated with the event and Process Prevalence lists the number of computers that have the process associated with an event.

Typically, the process fields appears in Discovery events or Policy Enforcement events but also can be part of certain subtypes of other event types.

If Carbon Black File Reputation data is enabled when the file event is generated, Process Trust and Process Threat information is included in the event if it is available.

Process Key is a unique, proprietary key identifying the instance of the process on a specific computer.

Note: A “Process” field (without any additional term) is also in events exported to Syslog and archives. This field contains the name and full path, and is used for compatibility with pre-7.2.0 agents and events. Another field, Process Hash, is exported only in archived events (see Archive Files).