Investigate and analyze the details of all processes that have run in your environment.
Note: The Processes and Auth Events tabs are only available to Carbon Black Cloud Enterprise EDR customers.
On the left navigation pane, click Investigate and click the Processes tab.
Tip: You can also use the Processes Search API to search all of the data reported by your sensors and find one or more processes that match the criteria you specify.
Search Results
Use the in-product Search Guide to access a full list of available search terms to help you create advanced queries.
Results for each process include:
- The latest sensor event and analytics
- Each time a sensor terminated or denied the process
- Each time an event matched a subscribed watchlist
Process Details and Actions
Click the caret to open additional process, observation, or event information in the right-side panel.
- Click the dropdown arrow next to the process name to take action on the process.
- Click More to view additional device details and take action on the device.
Badge indicators can appear next to the process name in the table. Indicators include:
- Watchlist Hit: The process has associated watchlist hits. Click the badge for additional information.
- Alert: The process has associated alerts. Click the badge for additional information about the highest-severity alert. Click the link to view all alerts associated with the process on the Alerts page.
- Policy Deny: A policy action has been taken that keeps the process alive but denies a further operation, for example when the process is prevented from loading a banned DLL or from starting another process.
- Policy Terminate: A policy action has been taken to terminate the process.
Title | Description |
---|---|
Process | The name and path of the process. Click the hyperlinked name to see a visualization of the network connection on the process tree. |
Device | The registered name of the device. |
Device Time | The device-time of the latest event in a given process segment. |
PID | The unique process identifier as defined by the OS. |
Username | User context in which the process was executed. |
Regmods | The total number of registry modifications associated with the process. |
Filemods | The total number of file modifications associated with the process. |
Netconns | The total number of network connections associated with the process. |
Modloads | The total number of module loads associated with the process. |
Childprocs | The total number of child processes associated with the process. |
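The Tip above points at the Processes Search API as the scripted alternative to this tab, and the table describes the columns the tab shows. The following added example (written for this page, not Carbon Black's own code or SDK) builds a search-job request for a query in the in-product Search Guide syntax, then reduces a result set to the same columns and badge indicators the tab displays. The hostname, org key, API token, and the sample response are constructed placeholders; the endpoint paths and result field names (`regmod_count`, `sensor_action`, and so on) are assumptions based on the public Platform Search API and should be checked against the API reference for your environment.

```python
"""Build a Carbon Black Cloud Processes Search job and summarize its results.

Added example, not Carbon Black's own code. Endpoint paths, header names and
result field names are assumptions drawn from the public API docs; hostname,
org key, credentials and SAMPLE_RESPONSE are constructed placeholders.
"""
from typing import Dict, List, Tuple

BASE_URL = "https://defense.conferdeploy.net"  # assumption: hostname varies by region
ORG_KEY = "ABCD1234"                            # constructed placeholder
API_TOKEN = "API_SECRET_KEY/API_ID"             # constructed; real format is <secret>/<id>

# Result fields that back the Regmods/Filemods/Netconns/Modloads/Childprocs columns.
COUNT_FIELDS = ("regmod_count", "filemod_count", "netconn_count",
                "modload_count", "childproc_count")


def hunt_query(process_name: str, min_netconns: int = 1, min_childprocs: int = 1) -> str:
    """Search Guide syntax: field:value terms joined with AND, ranges as [N TO *]."""
    return (f"process_name:{process_name} AND netconn_count:[{min_netconns} TO *] "
            f"AND childproc_count:[{min_childprocs} TO *]")


def build_search_job(query: str, rows: int = 100, window: str = "-24h") -> Tuple[str, Dict, Dict]:
    """Return (url, headers, body) for POST .../processes/search_jobs."""
    url = f"{BASE_URL}/api/investigate/v2/orgs/{ORG_KEY}/processes/search_jobs"
    headers = {"X-Auth-Token": API_TOKEN, "Content-Type": "application/json"}
    body = {
        "query": query,
        "rows": rows,
        "start": 0,
        "time_range": {"window": window},  # relative window; absolute start/end also allowed
        "sort": [{"field": "device_timestamp", "order": "DESC"}],
    }
    return url, headers, body


def results_url(job_id: str) -> str:
    """GET endpoint to poll once the job_id from the POST response is known."""
    return f"{BASE_URL}/api/investigate/v2/orgs/{ORG_KEY}/processes/search_jobs/{job_id}/results"


def job_complete(payload: Dict) -> bool:
    """Search jobs are asynchronous: results are partial until every contacted
    shard has completed, so poll until completed == contacted before trusting counts."""
    contacted = payload.get("contacted", 0)
    return contacted > 0 and payload.get("completed") == contacted


def _first(value):
    """Several result fields arrive as single-element lists; normalize to a scalar."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def summarize_results(payload: Dict) -> List[Dict]:
    """Reduce raw results to the Processes tab columns plus badge indicators."""
    rows = []
    for r in payload.get("results", []):
        badges = []
        if r.get("watchlist_hit"):
            badges.append("Watchlist Hit")
        if r.get("alert_id"):
            badges.append("Alert")
        actions = " ".join(r.get("sensor_action", []))  # assumed values like ACTION_TERMINATE
        if "TERMINATE" in actions:
            badges.append("Policy Terminate")
        elif "DENY" in actions:
            badges.append("Policy Deny")
        rows.append({
            "process": r.get("process_name", ""),
            "device": r.get("device_name", ""),
            "pid": _first(r.get("process_pid")),
            "username": _first(r.get("process_username")),
            "counts": {f: int(r.get(f, 0)) for f in COUNT_FIELDS},
            "badges": badges,
        })
    return rows


# Constructed sample response shaped like the results endpoint; not real sensor data.
SAMPLE_RESPONSE = {
    "num_found": 2, "num_available": 2, "contacted": 10, "completed": 10,
    "results": [
        {"process_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
         "device_name": "WKSTN-17", "process_pid": [4412], "process_username": ["CORP\\alice"],
         "regmod_count": 3, "filemod_count": 12, "netconn_count": 4, "modload_count": 88,
         "childproc_count": 2, "watchlist_hit": ["wl1:report1"],
         "sensor_action": ["ACTION_TERMINATE"]},
        {"process_name": "c:\\windows\\system32\\rundll32.exe",
         "device_name": "SRV-02", "process_pid": 2208, "process_username": "NT AUTHORITY\\SYSTEM",
         "regmod_count": 0, "filemod_count": 1, "netconn_count": 0, "modload_count": 41,
         "alert_id": ["alert-0001"], "sensor_action": ["ACTION_DENY"]},
    ],
}

if __name__ == "__main__":
    url, headers, body = build_search_job(hunt_query("powershell.exe"))
    print("POST", url, body["query"])
    if job_complete(SAMPLE_RESPONSE):
        for row in summarize_results(SAMPLE_RESPONSE):
            print(row["device"], row["pid"], row["counts"], row["badges"])
```

To run this against a live tenant, POST the body with the headers, read `job_id` from the response, then GET `results_url(job_id)` until `job_complete()` is true; the API ID used must be granted the org's process-search permission, and the token should come from a secret store rather than the literal placeholder above.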