Use the Get Running Processes SOAR action to get a list of running processes on an endpoint (Device ID) that is associated with the alerts in the Security Incident related alert list.
- This action can be run from an alert or a device.
- The action can also be performed from the Affected CI from the related list of Security Incidents.
- The action fetches the running processes, child processes, and parent processes from the selected devices.
- After successful execution of the action, or in case of any failure or exception, a work note will be captured.
- Processes are displayed in the Running Processes table at the bottom of the Alert record page.
- A reference to the alert is included. Use this reference to navigate between the running process record and its associated alert.