You can use command lines for processes referenced in events generated by agents. Although it is not part of the default Event Page views, a Command Line column can be added to the Events page by using the Show Columns panel.
When a process is associated with an agent-generated event, the
Command Line field shows the first 512 characters of the process command line.
The command line shows the process that attempted the action, not the file that was acted upon. In the preceding image, the first two lines show that execution of a script was blocked. In the first case, a user attempted to run the script from a command prompt. In the second case, the user double-clicked the script.
To capture command line data for actions that do not normally produce events, you can add a Custom Rule to report for those actions. On the Add Custom Rule page, select Advanced as the Rule Type, Execute (or Execute and Write) as the Operation, and Report Process Create as Execute Action. Enter the Process and Path or File information for the process that is created by the initiating process. Actions matching the rule report events (including command line information) upon process creation.
- Command line data can include sensitive information such as passwords. While the Command Line column heading displays to all users if it is added to a view, only users with specific permission will see any data in the column or in any data exported to a CSV file. This permission, which is called View process command lines, is not enabled by default for any of the console login account groups. See User Roles and Permissions for details about changing the permissions for a user account.
- This permission has no effect on events in Syslog. You can use a separate parameter on the System Configuration / Events page to add command line data to Syslog output (this is off by default).
- Live Inventory SDK output always includes command line data if available.
- The potential for revealing password data in this field should be kept in mind when using agent management commands. If you configured a password for these commands (as described in Configuring Agent Management Privileges), putting the command and password on one line means that the password is included in command line field for an event. VMware Carbon Black recommends that you enter the agent management command alone, and then provide the password at the prompt that follows.