The Process Behavior details page lists, in sequential order, the file-executed system changes that occurred on an endpoint, together with the attributes that Symantec Endpoint Detection and Response associates with each system change. A Process Behavior details page is available only when a process ran on the endpoint and one or more events in that process are malicious.
To the right of the graphic is the following information:
The file's SHA256 hash value. Hover over this field to see the full hash value.
The name of the file as it appears on the host computer.
The MD5 hash that is associated with this file's SHA256 hash.
The host name of the computer on which this file resides.
LAST IP ADDRESS: The last IP address for the endpoint that SEP reported.
A process is represented by a group of system changes, and each process has its own date/time range. Symantec EDR shows the processes that were executed on the endpoint in sequential order. To view the attributes that are associated with a system change (the dynamic file attributes), click the down arrow to the right of the row. The dynamic file attribute data that appears is unique to that process; different processes contain different attributes, depending on the information that is available to Symantec EDR. To collapse the details, click the up arrow at the far right of the row.
Symantec EDR lets you filter processes so that you can narrow the list. Click Show Filters to reveal the filters. Select the process that you want to filter by. (Results immediately begin to appear.) Click Hide Filters to hide the filters view. Symantec EDR maintains your filter selections until you reset the filter criteria or refresh the page.
The Process Behavior table contains the following information:
Processes are grouped by the following types:
The process description is written as follows:
<Actor> <Action> <Target>
where <Actor> is the object that takes the action (a file or a process), <Action> is the task that the actor performs (created, deleted, renamed, updated, disabled, loaded, executed, initiated, or modified), and <Target> is the object that is acted upon.
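As an added example (not part of the original page and not Symantec EDR's own code), the following Python parser splits descriptions in the <Actor> <Action> <Target> format on the action vocabulary listed above and tallies actions per actor, which is a quick way to see which process did the most on an endpoint. The sample descriptions are constructed, and splitting on the first standalone action word that leaves a non-empty actor and target is an assumption, since paths may contain spaces.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# The action vocabulary exactly as the page lists it.
ACTIONS = ("created", "deleted", "renamed", "updated", "disabled",
           "loaded", "executed", "initiated", "modified")
_ACTION_RE = re.compile(r"\s(" + "|".join(ACTIONS) + r")\s")


@dataclass(frozen=True)
class SystemChange:
    actor: str
    action: str
    target: str


def parse_description(text: str) -> SystemChange:
    """Split an '<Actor> <Action> <Target>' description into its three parts.

    Assumption (not stated on the page): actors and targets may contain
    spaces (Windows paths often do), so the description is split on the
    first whitespace-delimited action word that leaves a non-empty actor
    and a non-empty target on either side of it.
    """
    padded = f" {text.strip()} "
    for m in _ACTION_RE.finditer(padded):
        actor, target = padded[:m.start()].strip(), padded[m.end():].strip()
        if actor and target:
            return SystemChange(actor, m.group(1), target)
    raise ValueError(f"not an '<Actor> <Action> <Target>' description: {text!r}")


def actions_by_actor(descriptions):
    """Tally which actions each actor performed, for quick triage."""
    tally = defaultdict(Counter)
    for d in descriptions:
        change = parse_description(d)
        tally[change.actor][change.action] += 1
    return dict(tally)


# Constructed sample descriptions in the page's format (not real EDR output).
SAMPLE_DESCRIPTIONS = [
    r"C:\Users\bob\Downloads\invoice.exe created C:\Users\bob\AppData\Roaming\upd.exe",
    r"C:\Users\bob\Downloads\invoice.exe executed C:\Users\bob\AppData\Roaming\upd.exe",
    r"C:\Users\bob\AppData\Roaming\upd.exe modified HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"C:\Program Files\Vendor Tool\tool.exe loaded C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for actor, counts in actions_by_actor(SAMPLE_DESCRIPTIONS).items():
        print(actor, dict(counts))
```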