Review Endpoint Alerts using Process Tree
From version 12.0.0.0 onward, the Alert Details page for Endpoint alerts shows a process tree alongside the Summary, Event Details, Process Details and other panels.
After you filter the Endpoint alerts in the Alerts List view, open the Alert Details view to get the detailed information you need to decide what action is required. An alert contains one or more events. For Endpoint alerts, the Alert Details view presents the alert as a process tree, with the event details, process details and more in the right-hand panel. The following figure shows an example of the Alert Details view for Endpoint alerts.
The process tree in the Alert Details view gives a complete picture of where the suspicious or malicious file originated, showing the chain of parent processes that led to it.
The Details panel on the right provides more information about an alert than the Overview panel in the Alerts List view.
- The file that caused the alert is outlined in red. If you click this file, the red outline turns blue to show that it is selected.
- The selected file is outlined in blue.
- The file from which the suspicious or malicious file originated (its parent in the process tree).
- Investigate Timeline opens the Investigate view for the selected alert.
- Summary shows a short description of the event.
- Event Details provides detailed information about the event, including the Event Time, Target Filename, Tactic, Technique, Target User, etc.
- Process Details shows the directory where the file is stored, along with the user name, hash value, risk score, signature, etc.
- Network Connections shows any network connections the selected file established within a window from ten minutes before to ten minutes after the time the alert was triggered. For example, if the alert was triggered at 16:00 hours, any network connections established by the selected file between 15:50 and 16:10 hours are shown.
- Origin shows how the selected file came to exist on the host.
- Exists on Hosts lists the hosts (with their risk scores) on which the selected file exists.
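The two pieces of logic behind this view that an analyst most often has to reproduce outside the console are the origin chain the process tree displays and the ten-minute window applied to Network Connections. The example below is added here for illustration; it is not NetWitness code, and the event records and field names (`pid`, `ppid`, `name`, `path`, `time`, `dst`) are constructed assumptions, not the product's schema. It builds a parent/child tree from process-create events, walks from the alerting process up to its oldest recorded ancestor (the Origin), and filters a process's network connections to the same inclusive window the page describes (15:50 to 16:10 for an alert at 16:00).

```python
"""Reconstruct an alert's process tree, origin chain and network-connection
window from endpoint events.  Added example: records and field names are
constructed assumptions, not the product's own schema."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed process-create events (assumed fields: pid, ppid, name, path, time).
PROCESS_EVENTS = [
    {"pid": 700, "ppid": 1,   "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",                          "time": "2024-05-01T15:40:00"},
    {"pid": 812, "ppid": 700, "name": "outlook.exe",  "path": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",    "time": "2024-05-01T15:45:00"},
    {"pid": 901, "ppid": 812, "name": "winword.exe",  "path": r"C:\Program Files\Microsoft Office\WINWORD.EXE",    "time": "2024-05-01T15:55:00"},
    {"pid": 955, "ppid": 901, "name": "svchost.exe",  "path": r"C:\Users\Public\svchost.exe",                      "time": "2024-05-01T16:00:00"},
]

# Constructed network-connection events for the same host (assumed fields: pid, dst, time).
NETWORK_EVENTS = [
    {"pid": 955, "dst": "203.0.113.10:443",  "time": "2024-05-01T15:49:00"},  # 11 min before alert: outside window
    {"pid": 955, "dst": "203.0.113.10:443",  "time": "2024-05-01T15:51:00"},  # inside window
    {"pid": 955, "dst": "198.51.100.7:8080", "time": "2024-05-01T16:09:30"},  # inside window
    {"pid": 955, "dst": "198.51.100.7:8080", "time": "2024-05-01T16:10:01"},  # one second past the window
    {"pid": 812, "dst": "192.0.2.25:993",    "time": "2024-05-01T16:01:00"},  # different process: not shown
]


@dataclass
class ProcessNode:
    pid: int
    ppid: int
    name: str
    path: str
    children: List["ProcessNode"] = field(default_factory=list)


def build_process_tree(events: List[dict]) -> Dict[int, ProcessNode]:
    """Index process-create events by pid and attach each node to its parent."""
    nodes = {e["pid"]: ProcessNode(e["pid"], e["ppid"], e["name"], e["path"]) for e in events}
    for node in nodes.values():
        parent = nodes.get(node.ppid)
        if parent is not None:          # root processes have no recorded parent
            parent.children.append(node)
    return nodes


def origin_path(nodes: Dict[int, ProcessNode], pid: int) -> List[str]:
    """Walk from the alerting process up to its oldest recorded ancestor.
    Returns process names root-first, i.e. the Origin chain the tree shows.
    The `seen` set guards against cycles caused by PID reuse in the data."""
    chain, seen = [], set()
    node = nodes.get(pid)
    while node is not None and node.pid not in seen:
        seen.add(node.pid)
        chain.append(node.name)
        node = nodes.get(node.ppid)
    return list(reversed(chain))


def render_tree(nodes: Dict[int, ProcessNode], root_pid: int, alert_pid: int, depth: int = 0) -> str:
    """Text rendering of the tree; the alerting process is marked the way the UI outlines it in red."""
    node = nodes[root_pid]
    marker = "   <-- alert" if node.pid == alert_pid else ""
    lines = [f"{'    ' * depth}{node.name} [{node.pid}] {node.path}{marker}"]
    for child in node.children:
        lines.append(render_tree(nodes, child.pid, alert_pid, depth + 1))
    return "\n".join(lines)


def connections_in_window(net_events: List[dict], pid: int, alert_time: datetime, minutes: int = 10) -> List[dict]:
    """Connections made by `pid` from `minutes` before to `minutes` after the alert (inclusive)."""
    start, end = alert_time - timedelta(minutes=minutes), alert_time + timedelta(minutes=minutes)
    return [e for e in net_events
            if e["pid"] == pid and start <= datetime.fromisoformat(e["time"]) <= end]


if __name__ == "__main__":
    tree = build_process_tree(PROCESS_EVENTS)
    print(render_tree(tree, root_pid=700, alert_pid=955))
    print("Origin:", " > ".join(origin_path(tree, 955)))
    alert_time = datetime.fromisoformat("2024-05-01T16:00:00")
    for conn in connections_in_window(NETWORK_EVENTS, 955, alert_time):
        print("Network:", conn["time"], conn["dst"])
```

Two practical caveats when doing this against real endpoint data: PIDs are reused, so key processes on (pid, process start time) rather than pid alone, and check whether your telemetry records connection time at socket open or at first byte, since that decides which side of the ten-minute boundary a connection lands on.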
Process Details Section Values
| Name | Description | Example |
|---|---|---|
| Tactic | Shows the MITRE ATT&CK tactic under which this attempt falls. | execution |
| Technique | Shows the MITRE ATT&CK technique under which this attempt falls. | masquerading |
| Event Time | Shows the time at which the event occurred. | |