This topic describes process event filters on the Process Analysis page.

Filters display in a scrollable list to the left of the Events List. To hide or show the filters list, click the expand button to the left of the list.

The events list displaying the option to hide or show filters

Process event filters provide a further refinement of the displayed data on the Process Analysis page.

Filter rows can show the number of events that match that value. Click the Reset button to reset all filters to their original state.

The following table describes each filter (in alphabetical order).

Filter

Description

Childproc filepath

Paths to child processes that were created by this process.

Childproc md5

MD5 files of child processes that were created by this process.

Childproc sha-256

SHA-256 of child processes that were created by this process.

Directory

The directories that this process uses.

Domain

The domain (DNS) names that are associated with network connections that were made by this process.

Event type

Shows process event types. See See Process Event Types for more details.

  • filemod – file modifications

  • modload – number of modules loaded

  • regmod – (Windows only) registry modifications

  • netconn – number of network connections enabled

  • childproc – child processes

  • fork – (macOS and Linux only) fork processes

  • posix_exec – (macOS and Linux only) posix_exec processes

  • crossproc – (Windows only - not supported on Windows XP/2003) cross processes

  • blocked – process blocked due to ban

  • emet – (Windows only) EMET mitigation

Fileless script load SHA-256

The fileless_scriptload event represents each occasion when the sensor detected PowerShell script content that was executed by any process on a supported endpoint.

FileMod action

The types of file modifications that occurred during the execution of this process (create, delete, first write, last write), and the number of times those actions occurred.

FileMod file type

The types of files that were modified.

IP address

The IP addresses that are associated with network connections that were made by this process.

JA3

JA3 fingerprint of the client TLS hello packet.

JA3S

JA3S fingerprint of the server TLS hello packet.
Netconn Block Type The classification of the network connection attempt. This is a sub-field of a netconn event.
  • Blocked due to isolation – The network connection attempt was blocked due to the endpoint being in Isolation (Type 1).
  • Not blocked – The network connection attempt was successful (Type 0).

RegMod action

(Windows only) The type of registry modification (created, deleted key, deleted value, first write, last write).

RegMod hive

The location of the registry that is associated with registry modification events.