The following table shows the different types of details that display for each type of event. Each entry gives the event type, followed by the details that appear for it.

blocked

The path and hash of a process that is blocked by a Carbon Black EDR process hash ban. When expanded, metadata for the process and its binary appear:

  • Process metadata – when the process was terminated, username of the user attempting to run the process, process MD5, command line path for the process.

  • Binary metadata – SHA-256 hash (if available), company name, product name, product description, signature status, publisher.

childproc

  • The number of endpoints that have observed the MD5 in the description and the number of processes in which the MD5 was observed. Lists the names of the processes.

  • Process metadata – The length of time for which the process was active, and when the process execution occurred, username of the user who is executing the process, MD5 hash, SHA-256 hash (if available), and the command line of the process executable file.

  • Binary information – SHA-256 hash (if available), company name, product name, product description, signature status, and publisher.

  • If the child process is suppressed due to Retention Maximization, the details also show the username and command line. You choose maximization levels on the Edit Group Settings and Create Group pages. See Advanced Settings. This image shows suppressed vs. unsuppressed child processes. Suppressed child processes are labeled Suppressed in the process tree. You can discover whether a childproc in the Event List is suppressed by expanding its details.

  • The process tree shows a maximum of 15 child processes: either 15 unsuppressed, 15 suppressed, or 15 of both types.

  • For processes that have more than 15 child processes in total (unsuppressed and suppressed), the tree shows unsuppressed processes first, and then suppressed processes, until a total of 15 child processes appear in the tree.

crossproc

Windows only (not supported on Windows XP/2003): Shows occurrences of processes that cross the security boundary of other processes:

  • Description of the OpenProcess API call for the cross process. Carbon Black EDR records all OpenProcess API calls that request PROCESS_CREATE_PROCESS, PROCESS_CREATE_THREAD, PROCESS_DUP_HANDLE, PROCESS_SUSPEND_RESUME, PROCESS_VM_OPERATION, or PROCESS_VM_WRITE access rights. These access rights allow the calling process to change the behavior of the target process.

  • Process metadata – the length of time the cross process was active, username of the user who executed the process, MD5 hash, SHA-256 hash (if available), and the command line of the process executable file.

  • Binary metadata – SHA-256 hash (if available), the company name, product name, product description, signature status, and publisher.
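To make the recording rule above concrete, here is an added triage helper (not Carbon Black code) that decodes a requested OpenProcess access mask into named rights and reports whether it falls inside the six rights the sensor records as a crossproc event. The bit values come from the Windows SDK header winnt.h; the sample masks are constructed for the example.

```python
from typing import Dict, List

# Windows process access rights (bit values from winnt.h). The six rights the
# text names as recorded by Carbon Black EDR are collected in CROSSPROC_RIGHTS.
PROCESS_ACCESS_RIGHTS: Dict[str, int] = {
    "PROCESS_TERMINATE": 0x0001,
    "PROCESS_CREATE_THREAD": 0x0002,
    "PROCESS_VM_OPERATION": 0x0008,
    "PROCESS_VM_READ": 0x0010,
    "PROCESS_VM_WRITE": 0x0020,
    "PROCESS_DUP_HANDLE": 0x0040,
    "PROCESS_CREATE_PROCESS": 0x0080,
    "PROCESS_QUERY_INFORMATION": 0x0400,
    "PROCESS_SUSPEND_RESUME": 0x0800,
    "PROCESS_QUERY_LIMITED_INFORMATION": 0x1000,
}

CROSSPROC_RIGHTS = frozenset({
    "PROCESS_CREATE_PROCESS", "PROCESS_CREATE_THREAD", "PROCESS_DUP_HANDLE",
    "PROCESS_SUSPEND_RESUME", "PROCESS_VM_OPERATION", "PROCESS_VM_WRITE",
})

def decode_access_mask(mask: int) -> List[str]:
    """Return the names of the known process rights set in an OpenProcess mask."""
    return [name for name, bit in PROCESS_ACCESS_RIGHTS.items() if mask & bit]

def crossproc_triggers(mask: int) -> List[str]:
    """Rights in the mask that fall inside the set the sensor records as crossproc."""
    return [name for name in decode_access_mask(mask) if name in CROSSPROC_RIGHTS]

def is_recorded_as_crossproc(mask: int) -> bool:
    """True when at least one of the six recorded rights is requested."""
    return bool(crossproc_triggers(mask))

def triage(mask: int) -> Dict[str, object]:
    """Summarise one requested-access mask for an analyst."""
    return {
        "mask": f"0x{mask:08X}",
        "rights": decode_access_mask(mask),
        "crossproc": is_recorded_as_crossproc(mask),
        "triggered_by": crossproc_triggers(mask),
    }

if __name__ == "__main__":
    # Constructed sample masks: a query/read-only open (outside the recorded set,
    # so no crossproc event in the Event List does not mean no handle was opened),
    # a write-capable open, and the PROCESS_ALL_ACCESS value used since Vista.
    for sample in (0x0410, 0x0438, 0x1FFFFF):
        print(triage(sample))
```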

emet

(Windows only) The EMET mitigation type reported when this process was invoked and the filename used in the attempt to run the process. Additional details include number of endpoints and processes that have seen the event, the time of the EMET mitigation, the EMET ID of the event, and any warnings. Output from EMET might provide additional details.

fileless_scriptload

(Windows only) The fileless_scriptload event represents each occasion when the sensor detected AMSI-decoded script content that was executed by any process on the endpoint. This content consists only of fileless script content that was not stored in a file on the file system when that content was executed.

When expanded, Fileless Script Load Metadata appears:

Fileless Script Load Metadata - SHA-256 hash (if available), Command length, and Command line.

Note: The Command line field can be expanded to view the full command if it is truncated.

filemod

The number of endpoints that have seen this file modification and the number of processes in which the file modification occurred on those endpoints.

fork

(macOS and Linux only) Indicates that this is a fork process and shows the instance’s parent process, forked with a different Process ID (PID).

When a process performs a fork() system call, all activity for that process continues to be associated with the parent. A new fork event type is displayed on the Process Analysis page of the parent, indicating that the parent process performed a fork. The PID of the forked process and the timestamp of when the fork occurred are recorded.

modload

  • The number of endpoints that have seen the MD5 hash for the module that was loaded and the number of processes in which the MD5 appears on those endpoints.

  • Binary information – SHA-256 hash (if available), company name, product name, a description of the binary, signature status, and publisher.

  • Carbon Black Threat Intel information – the source of the threat intelligence feed, a link to the report for the MD5 hash, the MD5 score, and the MD5 trust status.

netconn

The number of network connections that the execution of this process either attempted or established.

posix_exec

(macOS and Linux only) Indicates that this is a posix_exec process and shows the process instance that performed the exec and the new binary image it loaded.

If a process performs an exec() system call, a new process document will not be created. This activity will be reported as a new posix_exec event type within the process, and the process metadata will be updated to reflect the new image and command line associated with the exec() system call.

regmod

Windows sensors only. The number of endpoints that have seen a modification of a registry key, and the number of processes in which the registry modification occurred on those endpoints.