Exploring endpoint processes and events

You can inspect and investigate endpoint data after you make a live connection or capture a snapshot.

Search for events

Search endpoint data for events using various parameters and operands. The search section displays all times in the UTC time standard.

  1. Open the events grid on a live connection or snapshot.

    For live connections:

    1. From the Trace home page, go to Live Endpoints.
    2. For an active connection, click the Computer Name.

    For snapshots:

    1. From the Trace home page, go to Saved Evidence > Snapshots.
    2. Click the caret to expand the list of available snapshots.
    3. Click the snapshot name or date.

  2. (Optional) Click an Explore By button.
  3. (Optional) Click a quick Date Range button.
  4. Select a parameter from the drop-down list.

    Each exploration button changes which parameters are available, such as process path, IP address, operation, event type, hash, signature, key value, and more.

  5. Select an operand from the drop-down list.
  6. Enter the search information.
  7. (Optional) Click Add to create a complex search expression.

    Use Add to connect multiple words if you are searching for command-line events.

    You can change search entries by clicking the entry and then clicking Update.

  8. Click Search.
  9. (Optional) Click Export to Excel to share your search results.

The results and a count are shown below the search expression.

To view details about a process, click the process of interest. A page of detailed information appears. The information includes a timeline and a history table. The timeline represents the duration of the process from creation to termination and plots each of the events that occurred within the context of the process.

The Detailed Process History table includes information about the timestamp, item type, operation, and operand. Additional process information appears, including:

  • Process path
  • Command line
  • Hash
  • Parent command line
  • Process ID
  • Parent process ID
  • Time of the event
  • User

View event distribution

You can compare all of the events on an endpoint by count to understand which event types are consuming the most space. The results of this comparison help you to decide which events to filter out. All of the records in the database on the specific endpoint appear, limited by the configured maximum database size or number of days retained.

  1. Open the events grid on a live connection or snapshot.

    For live connections:

    1. From the Trace home page, go to Live Endpoints.
    2. For an active connection, click the Computer Name.

    For snapshots:

    1. From the Trace home page, go to Saved Evidence > Snapshots.
    2. Click the caret to expand the list of available snapshots.
    3. Click the snapshot name or date.

  2. Click Event Distribution.
  3. Review the events.
    • Click Sort By Count to reorder the events.
    • Hover over a bar to see the exact number of events.
  4. When you are done, click OK.

Filter the Events grid

Trace provides detailed information with extensive capabilities for sorting and filtering events. The events grid is available on live endpoint connections and snapshots.

Use the exploration buttons to sort events by type: Combined, Driver, File, Network, Process, Registry, Security, DNS, and Image. The Combined view contains File, Network, Process, Registry, DNS, and Image events. The Combined view does not include Driver or Security events.

You can further limit the dataset by selecting one of the date range buttons for frequently used timeframes. If you need a different date range, create a search expression.

Figure 1: Event search options

View Process and Event Details

Use the data visualization tools to interactively review endpoint events from timeline or relationship tree views.

When you double-click a search result, a page opens for the process that is responsible for the selected event. On this page, you can analyze the scope of a single process over time, rather than the scope of all events that match the initial search criteria. The Process Details page displays all of the file, network, registry, and child process activity that was initiated by the current process in both a visual timeline and a grid. This page also provides the full process image path and arguments, user context, hash, and parent command line.

You can open and close the Process Details section by clicking the caret (v). Clicking the caret twice collapses the process details further. For even more screen space, you can collapse the left navigation menu.

If the Process Details section shows question marks, Trace might not have been deployed yet when the process was launched, or your configuration might not use Sysmon.

Figure 2: Process Details section closed

Figure 3: Process Details section open

You can see more details about the process history with the Event History tab.

Figure 4: Example event history

View the Process Timeline

The process timeline shows the events over the lifetime of a process for inspection.

  1. Open the events grid on a live connection or snapshot.

    For live connections:

    1. From the Trace home page, go to Live Endpoints.
    2. For an active connection, click the Computer Name.

    For snapshots:

    1. From the Trace home page, go to Saved Evidence > Snapshots.
    2. Click the caret to expand the list of available snapshots.
    3. Click the snapshot name or date.

  2. Double-click a row to view the associated process details page.
  3. In the Process Visualizations section, click Timeline (the timeline icon).

The Timeline view opens. You can zoom in and out with the scroll wheel of your mouse, click and drag, and double-click on events to change the view. For specific information, you can hover over an event.

Figure 5: The process timeline

View the Process Tree

The Process Tree view provides a clickable tree view of network processes with layers of detailed information. The tree view displays the current process, parent, children, and peer nodes.

  1. Open the events grid on a live connection or snapshot.

    For live connections:

    1. From the Trace home page, go to Live Endpoints.
    2. For an active connection, click the Computer Name.

    For snapshots:

    1. From the Trace home page, go to Saved Evidence > Snapshots.
    2. Click the caret to expand the list of available snapshots.
    3. Click the snapshot name or date.

  2. Double-click a row to view the associated process details page.
  3. In the Process Visualizations section, click Tree (the process tree icon).

The tree view opens. You can zoom in and out, click and drag, and double-click events to change the view.

Figure 6: The process tree view with svchost.exe selected

You can isolate one of the processes in the tree view and quickly focus on an artifact for analysis.

Figure 7: A closer look at a suspicious process

How reputation data works with Trace

Reputation data provides more insight into which evidence might be a good candidate to save for further analysis and action. Through a Tanium Connect integration, Trace uses reputation data from third parties, such as VirusTotal or Palo Alto Networks WildFire, to provide an at-a-glance status for process and driver hashes.

Trace hash reputation data requires Connect version 4.1 or later. Configure at least one reputation source. For more information, see Tanium Connect User Guide: Configuring Reputation Data.

The hash at-a-glance indicator is available from the Event grid or from the Process Details page.

Figure 8: Event grid with reputation service

A hash can have one of the following ratings:

  • Non-Malicious (Green)
  • Malicious (Red)
  • Suspicious (Yellow)
  • Unknown (Grey)
  • Pending ( )

Displaying the reputation coloring in the hash at-a-glance indicator requires the Connect Reputation Read privilege. This privilege is not included by default in Trace Administrator or Trace User roles.

Click a hash to open the Reputation Report Details. For VirusTotal reputation data, you can expand the details and see a color-coded list of sources that have assessed the hash.

Figure 9: Example Reputation Report

Last updated: 8/1/2018 11:49 AM