The process summary information is located in the top panel of the Process Analysis page.
The process summary displays the following general process execution details:
Process: Identifies the main process for which the analysis is displayed.
Host: Identifies the host upon which the command was initiated.
User: Identifies the user who was logged in at the endpoint when the command was initiated.
Running: Identifies the state of the process. The state can be Running or Terminated.
Last Activity: The last time that the document was updated.
Duration: The number of hours that the process has been running.
Isolate Host: Click the Isolate host button to isolate an endpoint. The action presents an optional Description text box where you can note the reason for the activity.
For example, you might discover that suspicious files are executing on a particular endpoint and you want to prevent them from spreading to other endpoints in your network.
When an endpoint is isolated, connections to the Carbon Black EDR server (such as DHCP and DNS) are maintained, but all other connections are blocked or terminated. The user is not notified by Carbon Black EDR, but the endpoint will not work as expected.Note:The computer remains isolated until this option is disabled or the computer reboots. See Isolating an Endpoint.
To isolate an endpoint, you must be a Carbon Black EDR Global Administrator, a Carbon Black Hosted EDR Administrator, or a user on a team that has Analyst privileges for the endpoint to isolate.
Go Live: The Go Live button is useful when you are investigating an IOC. After you have identified an endpoint that has suspicious activity, you can directly access the content on that endpoint. You can open an interactive live session to the endpoint host and execute commands in real time to help isolate or eradicate the threat. See Using Live Response.
Actions: The Actions dropdown menu includes the following options:
Ban this hash – Creates a ban of the process. If process hash banning is enabled for a sensor group, hosts attempting to run this process will find it blocked, and any running instances of the process are terminated. See Banning Process Hashes.
Export events to CSV – Downloads a Report.zip archive to your local computer. The files contain the information in the Description fields for each Type filter that appears in the Results table at the bottom of the Process Analysis window. See Process Event Filters.
Share – Opens the Carbon Black EDR user’s default email client, creates an email, and includes the details from the summary.txt file (path, MD5, start timestamp, last updated timestamp, hostname, and full command line), and a URL that accesses the same page in which Share was clicked.