Investigate: Hosts View - Process Tab

Document created by RSA Information Design and Development on Mar 2, 2018. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 8

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.1 and later.

The Process panel provides a list of processes running on the host. To access this tab, select a host from the Hosts view and click the Process tab.

Workflow

[Figure: high-level Investigate workflow with Investigate Endpoints and associated actions highlighted]

What do you want to do?

User Role | I want to ... | Show me how
--- | --- | ---
Threat Hunter | browse event metadata | Begin an Investigation in the Navigate or Events View
Threat Hunter | browse raw events | Begin an Investigation in the Navigate or Events View
Threat Hunter | analyze raw events and metadata | Begin an Investigation in the Event Analysis View
Threat Hunter | investigate endpoints (Version 11.1)* | Investigate Hosts
Threat Hunter | find suspicious endpoint files (Version 11.1) | Investigate Files
Threat Hunter | scan files and events for malware | Conducting Malware Analysis
Incident Responder | triage an incident in Investigate | NetWitness Respond User Guide
Threat Hunter | view the processes running on the host* | Investigate Hosts

*You can perform this task in the current view.

Related Topics

Quick Look

Below is an example of the Process tab:

[Figure: Process tab]

The Process panel displays the following information under Process Details:

Field | Description
--- | ---
Process Name | Name of the process. For example, server.exe.
PID | ID of the process. For example, 492.
Parent Process (PPID) | Name and process ID of the parent. For example, 4.
Owner | Owner of the process. For example, SYSTEM.
Signature | Indicates if the file is signed or unsigned, valid or invalid, and provides signatory information.
Path | Path of the file associated with the process on the disk. For example, C:\Windows\System32.
Launch Arguments | Command line arguments passed to the process when it is launched. For example, -k LocalServiceNoNetwork.
Creation Time | Time when the process was created. For example, 01/19/2018 11:32:29.908 am.

  • List of loaded libraries for the selected process, such as DLLs (for Windows), Dylibs (for Mac), or .SO (for Linux).
  • List of autoruns (if configured).

Process Properties Panel

This panel displays all properties of the selected process. It is grouped as follows:

Category | Description
--- | ---
General | General information about the file, such as file name, entropy, size, and format.
Signature | Provides signatory information.
Hash | Hash type of the file (MD5, SHA1, and SHA256).
Time | Time when the file was created, modified, or accessed.
Location | Location of the file.
Process | Details of the process, such as image size and PID.
Image | Image details loaded by the process.
