Using process tree view

In the Process Log tab, you can drill down to the process tree to see a visual representation and detailed information about a specific process and its related events. You can also isolate or unisolate a device and create an override for the file determination. See topics Creating a process override for more information.

To view the specific details of a process:

• In the Process Log table, click a link in the Process Name column to drill down to the process tree view. The Process Details pane displays information about the process that you selected.

  Note: You can also click any related events within the process tree to view its details.

  • Process Name — The process name as identified by the device operating system.

  • Determination — The file determination value (Good, Undetermined, or Bad).

  • Command args — The command arguments passed to the process when it was executed.

  • Elevation — The elevation privilege of the running process (user, limited, admin, or system).

  • MD5 — The MD5 hash of the file associated with the process.

  • Normalized process path — The normalized file path of the process.

  • Parent process guid — The unique GUID for the parent process data. This GUID tracks the process through its execution lifecycle.

  • PID — The ID assigned to the process by the device operating system upon execution.

  • Process path — The system path and filename of the file associated with the process.

  • Timestamp — The date and time associated with the receipt of the process execution event.

  • Username — The user or system account that executed the process.

  • SHA256 — The SHA256 hash of the file associated with the process.

You can customize the process tree view in any of the following ways:

• Use your mouse or scroll wheel within the view area to drag, pan out, and zoom in.

• Choose any of the controls in the process tree navigation bar.

  • Click to zoom in.

  • Click to zoom out.

  • Click to center the process tree within the view area.

  • Click to reset the process tree to its default view.

  • Switch between different process tree views.

    • Horizontal view aligns the process tree horizontally (default).

    • Vertical view aligns the process tree vertically.

    • Polar view displays all related processes stemming out from a central parent process.