🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Process Trees

events process events


Process Event Trees in Secureworks® Taegis™ XDR help you see the events around the impact event of an alert. Explore the process events that occurred within a specified time around the impact event. Capabilities of the process trees include the ability to select processes to add to a new or an existing investigation, pivot searching off of the host ID, the ability to search for related events, and a view into if the process and user have elevated privileges.

Event Process Trees

Event Process Trees

Use the arrows to the left of the rows to expand and hide parts of the process tree. Use the arrows to the right of a row to expand individual processes. If the user or process has elevated privileges, a red icon appears in the associated column.

Note

All event process data associated to a host that has been impacted by an alert is kept available in the process trees view for 30 days after the impact event. After that, a pruned version of the tree is kept available indefinitely that displays only the direct ancestors and descendants of the impact event.

View an Alert’s Process Tree

Note

You must select a tenant to display related events in process trees.

To view process trees related to an alert:

  1. Select the alert you want to view event processes for.

  2. Commandline data is displayed in the Process Data section.

Process Data on Alert Details Page

Process Data on Alert Details Page

  1. To view events related to the alert, open the Events tab. Open a process event to view its details, including the process tree.

  2. Run searches for related events by selecting the event type in the Related Events section.

Process Tree Details and Related Events

Process Tree Details and Related Events

Tip

Copy the process tree as text to paste elsewhere by selecting Copy above the process tree.

Pivot Search by the Username

View the asset details and alerts related to the username associated with the impact event.

  1. View the process tree and expand a part of the tree.

  2. Select the magnifying glass magnifying glass icon next to the username.

  3. A pivot search for the username appears, with related alerts, events, and agents.

Alerts Related to the Username

Alerts Related to the Username

See Related Alerts and Events Timeline View for information on how to view other alerts and events related to the current Process Event.

Process Event Details Panel

The Process Event Details Panel includes the following data, if available:

 

On this page: