The Event List describes every recorded event that occurred inside the selected time range from the timeline.

When you first enter the Process Analysis page by choosing a Process Search result row, the selected row corresponds to a particular segment of the process. This selection determines the starting position of the Event List.

For example, a process shown in the Process Search result row might have three segments: 8:00, 9:00, and 10:00. If you choose the middle segment, the first row of the Event List displays the first event of the 9:00 segment. The timeline displays an orange triangle icon indicating that starting point.

If you expand, shrink, or move the timeline window, the window snaps to the nearest time segment boundary, and the Event List automatically scrolls to the first event of that time segment. The timeline displays a purple triangle icon indicating where that event is inside the process.

When you expand the timeline window, you increase the total number of events to display in the Event List. A 10-second timeout is in effect; this timeout applies only to the filters and the process metadata. The Event List always shows the true number of events. If all filters and metadata for this timeline are not retrieved within 10 seconds, a message displays that the data is incomplete; to rectify this, reduce the size of the timeline window.

When you select a node in the Process Tree, the chosen segment becomes the first segment of the displayed process in the Event List.
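The snapping behaviour described above, modelled in code as an added example; this is not the product's own code. The segment length (one hour, matching the 8:00/9:00/10:00 example) and every event record are constructed assumptions, since the page does not document the product's internal formats:

```python
"""Model of the Event List timeline behaviour described above.

Added example (not the product's own code): the timeline window snaps to
the nearest segment boundary, and the Event List scrolls to the first event
of that segment.  Segment length and all event records are constructed
assumptions; the page does not document the product's internal formats.
"""
import math
from bisect import bisect_left
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Assumption: one-hour segments, matching the 8:00 / 9:00 / 10:00 example.
SEGMENT = timedelta(hours=1)


@dataclass(frozen=True)
class Event:
    time: datetime      # Time column: event time in GMT
    type: str           # Type column: filemod, modload, regmod, netconn, ...
    description: str    # Description column


def gmt(hour: int, minute: int) -> datetime:
    """Build a GMT timestamp on a fixed (constructed) date."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


def snap_to_boundary(t: datetime, segment: timedelta = SEGMENT) -> datetime:
    """Return the segment boundary nearest to t (a tie rounds up)."""
    width = segment.total_seconds()
    snapped = math.floor((t.timestamp() + width / 2) / width) * width
    return datetime.fromtimestamp(snapped, tz=timezone.utc)


def snap_window(start: datetime, end: datetime,
                segment: timedelta = SEGMENT) -> Tuple[datetime, datetime]:
    """Snap both edges of a timeline window to segment boundaries.

    The window never collapses below one segment, so expanding, shrinking
    or moving it always leaves at least one whole segment selected.
    """
    s = snap_to_boundary(start, segment)
    e = snap_to_boundary(end, segment)
    if e <= s:
        e = s + segment
    return s, e


def first_event_index(events: List[Event], window_start: datetime) -> int:
    """Row the Event List scrolls to: the first event at or after the
    window start (the purple triangle).  Events must be sorted by time."""
    return bisect_left([ev.time for ev in events], window_start)


def events_in_window(events: List[Event], start: datetime,
                     end: datetime) -> List[Event]:
    """Events the window covers (half-open interval [start, end))."""
    return [ev for ev in events if start <= ev.time < end]


# Constructed sample process: five events across the 8:00, 9:00 and 10:00
# segments, already in Event List (time) order.
SAMPLE_EVENTS = [
    Event(gmt(8, 5), "modload",
          r"c:\windows\system32\kernel32.dll (signed by Microsoft Windows)"),
    Event(gmt(8, 30), "filemod",
          r"Created c:\users\alice\appdata\local\temp\update.tmp"),
    Event(gmt(9, 2), "netconn", "192.0.2.10:443 (tcp)"),
    Event(gmt(9, 45), "regmod",
          r"HKLM\software\microsoft\windows\currentversion\run"),
    Event(gmt(10, 10), "childproc", r"c:\windows\system32\cmd.exe pid 4120"),
]


if __name__ == "__main__":
    # The analyst drags the window to 08:50-10:20; it snaps to 09:00-10:00.
    start, end = snap_window(gmt(8, 50), gmt(10, 20))
    print("window:", start.time(), "->", end.time())
    idx = first_event_index(SAMPLE_EVENTS, start)
    print("scroll to row", idx, SAMPLE_EVENTS[idx].type)
    for ev in events_in_window(SAMPLE_EVENTS, start, end):
        print(ev.time.time(), ev.type, ev.description)
```

Running the block drags a window from 08:50 to 10:20, which snaps to the 09:00 segment and scrolls to the first event of that segment, the 09:02 netconn row, as the page describes. The half-segment offset before flooring is what makes a point exactly between two boundaries snap upward; a product may choose the other direction, which is why this detail is labelled an assumption.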

The event list

You can set the number of events to view per page, and define whether to view earlier or later events.

The Event List shows the following details:

Heading

Description

Expand event >

Allows you to expand the event for additional data.

Tag (tag icon)

Shows if an event is tagged for an investigation. You can click the tag icon to select this event for a future investigation. After you select the tag icon, it turns blue to indicate that it is now included in an investigation.

Trusted Events (check icon)

Shows if the event is trusted. When you click on the row, the trust information appears with a link to the source.

Threat Intelligence Feed Hits (exclamation icon)

Shows if this event has matched a threat intelligence feed.

Time

The time that the event occurred in Greenwich Mean Time (GMT).

Type

The process event type. For more details, see Process Event Types.

  • crossproc (cross process) – appears with a red bar (Windows only; not supported on Windows XP/2003).

  • childproc (child process) – appears with an orange bar.

  • fork (fork process) – appears with a yellow-orange bar (macOS and Linux only).

  • filemod (file modification) – appears with a yellow bar.

  • modload (module load) – appears with a green bar.

  • posix_exec (posix_exec process) – appears with a blue-green bar (macOS and Linux only).

  • regmod (registry modification) – appears with a blue bar (Windows only).

  • netconn (network connection) – appears with a purple bar.

  • blocked (process blocked by hash ban) – appears with a brown bar.

  • emet (EMET mitigation) – appears with a gray bar (Windows only).

Description

The operation that the Type event performed. See Process Event Types.

The Description column can contain:

  • filemod – “Deleted” or “Created”, followed by the path of the file that was modified.

  • modload – The module that the process loaded. Modload descriptions can also include the path of the module, whether the module was signed by its publisher, and the module’s MD5 hash.

  • regmod – The Windows registry key that was created or modified.

  • netconn – The connection that was made, including the IP address (with hostname, unless DNS resolution is excluded for that host), port, and protocol.

  • childproc – The child process start time, end time, and PID, for the selected parent process.

  • fork – (macOS and Linux only) The instance’s parent process, forked with a different process ID (PID).

  • posix_exec – (macOS and Linux only) The instance’s loaded process and the new binary image.

  • crossproc – (Windows only; not supported on Windows XP/2003) The action performed; for example, opening a handle, or starting or ending a process.

  • blocked – Blocked events, which are associated with the hash banning functionality.

  • emet – (Windows only) The EMET mitigation type reported when this process was invoked, and the filename used in the attempt to run the process.

Search

Reduces the number of events that display and focuses the results on the terms that you enter in the Search box. For example, entering “Microsoft” in the Search box displays only events that contain “Microsoft”.

When you expand an event by clicking the > on the left side of the row, details about the event appear. This example shows details for an event of the type netconn:

The event details for a netconn