Select and deselect the checkboxes next to event types to filter the events that display in the timeline and table. Only events of the selected types will appear.

The following event types appear:

  • Filemods – The number of files that were modified by process executions. Color-coded as yellow.
  • Regmods – The number of Windows registry modifications that were made by process executions. Color-coded as blue.
  • Netconns – The number of network connections that process executions either attempted or established. Color-coded as purple.
  • Modloads – The number of modules that were loaded by process executions. Color-coded as green.
  • Processes/Child Processes – The number of child processes that were generated from process executions. Color-coded as orange.
  • Fileless Scriptloads – The fileless_scriptload event represents each occasion when the sensor detected PowerShell script content that was executed by any process on a supported endpoint.
  • Custom – A custom event that you can create using the Add Custom Event option in the Actions menu. Color-coded as black.
  • Cross Processes – (Windows only) A process that crosses the security boundary of another process. Color-coded as red.
  • Blocked – Represents events that are related to the Ban Hash functionality (see Banning Process Hashes). If an administrator bans a hash and the sensor sees that binary, the sensor either tries to stop it (if it is already running) or prohibits it from running (blocks it); in both cases the sensor generates a Blocked event. Color-coded as brown.
  • EMET – Represents a specific type of event that deals with the Microsoft Enhanced Mitigation Experience Toolkit (EMET) software. Color-coded as gray.
  • Posix_Exec – (macOS and Linux only) The process instance that is loaded, together with the new binary image. Color-coded as green.
  • Fork – (macOS and Linux only) The instance’s parent process, forked with a different process ID (PID). Color-coded as yellow-orange.