Select or clear the checkboxes next to event types to filter the events that display in the timeline and table. Only events of the selected types appear.
The following event types appear:
- Filemods – The number of files that were modified by process executions. Color-coded as yellow.
- Regmods – The number of Windows registry modifications that were made by process executions. Color-coded as blue.
- Netconns – The number of network connections that process executions either attempted or established. Color-coded as purple.
- Modloads – The number of modules that were loaded by process executions. Color-coded as green.
- Processes/Child Processes – The number of child processes that were generated from process executions. Color-coded as orange.
- Fileless Scriptloads – Each fileless_scriptload event represents an occasion on which the sensor detected PowerShell script content executed by a process on a supported endpoint.
- Custom – A custom event that you can create using the Add Custom Event option in the Actions menu. Color-coded as black.
- Cross Processes – (Windows only) A process that crosses the security boundary of another process. Color-coded as red.
- Blocked – Events related to the Ban Hash functionality (see Banning Process Hashes). When an administrator bans a hash and the sensor observes that binary, the sensor either terminates it (if it is already running) or prevents it from running, and generates a Blocked event in either case. Color-coded as brown.
- EMET – Events generated by the Microsoft Enhanced Mitigation Experience Toolkit (EMET) software. Color-coded as gray.
- Posix_Exec – (macOS and Linux only) The process replaced its loaded image with a new binary image (an exec call). Color-coded as green.
- Fork – (macOS and Linux only) The parent process forked a child that runs under a different Process ID (PID). Color-coded as yellow orange.
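The following is an added illustration, not code from the product or its API: it models the checkbox filter described above over a constructed process timeline, producing the per-type counts and the timestamp-ordered subset of selected events, and flags events whose type the page restricts to a platform other than the endpoint's. The event type names, the `Event` record layout and the sample events are assumptions made for the example; the color codes and platform restrictions are the ones listed on this page.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Event types as listed on the page: color code (None where the page gives
# none) and the platform restriction the page states (None = not restricted).
# The short keys are assumed names for this example, not the product's field names.
EVENT_TYPES = {
    "filemod": ("yellow", None),
    "regmod": ("blue", None),
    "netconn": ("purple", None),
    "modload": ("green", None),
    "childproc": ("orange", None),
    "fileless_scriptload": (None, None),
    "custom": ("black", None),
    "crossproc": ("red", {"windows"}),
    "blocked": ("brown", None),
    "emet": ("gray", None),
    "posix_exec": ("green", {"macos", "linux"}),
    "fork": ("yellow orange", {"macos", "linux"}),
}


@dataclass(frozen=True)
class Event:
    timestamp: str   # ISO-8601 text in UTC; sorts correctly as a string
    event_type: str  # one of the EVENT_TYPES keys
    detail: str


# Constructed sample timeline for one Windows process (not real sensor data).
SAMPLE_EVENTS = [
    Event("2024-05-01T10:00:03Z", "modload", "ntdll.dll"),
    Event("2024-05-01T10:00:01Z", "childproc", "powershell.exe -nop -w hidden"),
    Event("2024-05-01T10:00:05Z", "fileless_scriptload", "Invoke-Expression of downloaded script"),
    Event("2024-05-01T10:00:04Z", "netconn", "198.51.100.7:443 outbound"),
    Event("2024-05-01T10:00:06Z", "filemod", "C:\\Users\\Public\\a.tmp (write)"),
    Event("2024-05-01T10:00:07Z", "crossproc", "OpenProcess handle to lsass.exe"),
    Event("2024-05-01T10:00:08Z", "blocked", "banned hash <md5> terminated"),
    Event("2024-05-01T10:00:02Z", "regmod", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
]


def filter_timeline(events: Iterable[Event], selected: Iterable[str]) -> list[Event]:
    """Return only events whose type is selected, in timestamp order (the
    timeline view). Unknown type names are rejected rather than silently
    matching nothing, which would look like an empty timeline."""
    selected = set(selected)
    unknown = selected - EVENT_TYPES.keys()
    if unknown:
        raise ValueError(f"unknown event types: {sorted(unknown)}")
    return sorted((e for e in events if e.event_type in selected),
                  key=lambda e: e.timestamp)


def count_by_type(events: Iterable[Event]) -> dict[str, int]:
    """Per-type counts, i.e. the 'number of ...' figures shown next to each type."""
    return dict(Counter(e.event_type for e in events))


def platform_mismatches(events: Iterable[Event], platform: str) -> list[Event]:
    """Events whose type the page restricts to platforms other than the
    endpoint's (e.g. a Fork event attributed to a Windows endpoint). Such an
    event indicates mislabelled data rather than endpoint activity."""
    return [e for e in events
            if EVENT_TYPES.get(e.event_type, (None, None))[1] is not None
            and platform not in EVENT_TYPES[e.event_type][1]]


if __name__ == "__main__":
    for name, n in sorted(count_by_type(SAMPLE_EVENTS).items()):
        print(f"{name:<20} {n:>3}  color={EVENT_TYPES[name][0]}")
    for e in filter_timeline(SAMPLE_EVENTS, ["childproc", "netconn", "crossproc", "blocked"]):
        print(e.timestamp, e.event_type, e.detail)
```

Deselecting the high-volume types (Modloads, Filemods) and keeping Child Processes, Netconns, Cross Processes and Blocked is a common way to reduce a noisy timeline to the events that matter for triage; the platform check is a sanity test on the data rather than something the product's UI performs.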