To search for process activity across clusters in Carbon Black EDR Unified View (multi-cluster context), click Process Search on the left navigation bar.

On the Process Search page, perform the search in the same way as you would for single-instance Carbon Black EDR. Results come from all included clusters in Carbon Black EDR Unified View, subject to any limitations imposed by the cluster user account whose API token was used for authentication. Each process returned in the search results includes the cluster name and the sensor name.

In search results on the Process Search page, the following actions are available:

  • To filter results to a specific cluster, click the name of the cluster in the Cluster filter on the left.
  • To see details about a specific process, click the name of the process in the search results. The Process Analysis page displays a global-context view of process details.
  • To see details about a sensor, click the name of the host in the Endpoint column for a returned process to display the single-cluster view of the cluster this host reports to. The Sensor Details page displays.
  • To go to the Carbon Black EDR HUD page for one cluster (switching to single-cluster context), click the name of the cluster in the Endpoint column for a returned process.

Process Analysis

Carbon Black EDR Unified View displays the Process Analysis page in multi-cluster context, although the process details are cluster-specific. The page is similar to the Process Analysis page in single-cluster context, with the following exceptions:

  • Searches initiated by clicking a link on the page are performed across clusters in Carbon Black EDR Unified View.
  • Investigations are available in single-cluster context, but do not apply in multi-cluster context.
  • Carbon Black EDR Go Live is unavailable. It is available in single-cluster context.