Use the Get Running Processes SOAR action to list the processes running on an endpoint (Device ID) that is associated with the alerts in the Security Incident's related alert list.

  • This action can be run from an alert or a device.
  • The action can also be performed from the Affected CI from the related list of Security Incidents.
  • The action fetches the running processes, child processes, and parent processes from the selected devices.
  • A work note is captured after the action executes successfully, and also in case of any failure or exception.
  • Processes are displayed in the Running Processes table at the bottom of the Alert record page.
  • A reference to the alert is included. Use this reference to navigate between the running process record and its associated alert.