Hosts View - Process Tab

Note: The information in this topic applies to NetWitness Version 11.1 and later.

The Process panel provides a list of processes running on the host. To access this tab, select a host from the Hosts view and click the Process tab.

Workflow

What do you want to do?

User Role	I want to ...	Show me how
Threat Hunter	review hosts with highest risk score*	Analyze Hosts Using the Risk Score
Threat Hunter	analyze hosts*	Investigating Hosts
Threat Hunter	perform adhoc scan*	Scan Hosts
Threat Hunter	review host details	Analyze Host Details
Threat Hunter	search on snapshot*	Search Files on Host
Threat Hunter	analyze processes*	Investigating a Process
Threat Hunter	review reported anomalies	Analyze Anomalies
Threat Hunter	analyze risky users	Analyzing Risky Users
Threat Hunter	analyze events*	Analyzing Events
Threat Hunter	download files for deeper analysis*	Analyzing Downloaded Files
Threat Hunter	perform external lookups*	Launch an External Lookup for a File
Threat Hunter	change file status or remediate*	Changing File Status or Remediate
Threat Hunter	filter files*	Filter Host Details
Threat Hunter	isolate host from network*	Isolating Hosts from Network
Threat Hunter	download MFT, system dump, or process dump*	Performing Host Forensics

*You can perform this task in the current view.

Related Topics

Quick Look

Below is an example of the Process tab:

1	Agent and Scan Details. You can view the following agent and scan details of the selected host: Host name - Name of the host. For example, WIN-ABC. Risk score - Risk score of the host. Operating System - Operating system on which the agent is running (Linux, Windows, or Mac). Agent Scan Status - Current status of the scan - Idle, Scanning, Starting Scan, or Stopping Scan. For more information, see Scan Hosts. Agent Last Seen - Time when the agent last communicated with the Endpoint server. Agent Version - Version of the agent. For example, 11.3.0.0. More - Provides options to: Start a scan for the selected hosts. For more information, see Scan Hosts. Extracts host attributes and endpoint data to a JSON file of the selected snapshot. For more information, see Export Host Attributes. Isolation host from the network. For more information, see Isolating Hosts from Network. Download MFT to the server. For more information, see Performing Host Forensics. Download System Dump to the server. For more information, see System and Process Memory Dump. Perform remediation actions using the Remote Shell option. For more information, see Performing Host Forensics. Snapshot Time - Lists scanned time stamps. To view the scan history, you select the snapshot time from the drop-down menu.
2	Actions in the toolbar: Analyze Process - Lets you perform process analysis to investigate a particular process behavior, and understand the entire process event chain, process parent-child relationships, and all associated events. For more information, see Investigating a Process. Change File Status - Provides capabilities to manage suspect and legitimate files and block malicious or infected file to prevent future execution of the file on any host. For more information, see Changing File Status or Remediate. Analyze Events - Lets you investigate a particular host, IP address, username, filename, or hash to get the entire context of the activity. For more information, see Analyzing Events. More - Provides options to: Perform external lookups. Download files to server, save a local copy, and analyze files for deeper analysis. Download process dump to server. Note: You can perform some of the above actions from the right-click context menu.
3	Search on Snapshots. Lets you search on all snapshots (file name, file path, and SHA-256 checksum). For more information, see Search Files on Host.
4	Toggle. Lets you toggle between List view and Tree view.
5	Process panel - Displays process information, such as process name, local risk score, global risk score, On Hosts, reputation status, file status, and others.
6	Show/Hide Right Panel - Displays the following properties of a process in the right panel: File Details - Displays all properties of the selected process. It is grouped as follows: General - General information about the file, such as file name, entropy, size, and format. Signature - Provides signatory information. Hash - Hash type of the file (MD5, SHA1, and SHA256). Time - Time when the file was created, modified, or accessed. Location - Location of the file. Process - Details of the process, such as image size and PID. Image - Image details loaded by the process. Local Risk Details - Displays the alerts associated with the local risk score, such as Critical, High, Medium and All. Hosts - Displays the top 100 hosts based on the risk score on which the file is present.
7	Filter Files. You can filter processes by selecting the options in the Filters panel and create filters. For more information, see Filter Host Details.
8	Settings Menu. You can set Hosts view preferences by selecting columns from the Settings menu. For more information, see Set Hosts Preference.

Process Details

Clicking the process name displays the process details of a specific process as shown in the following figure:

Field	Description
Process Name	Name of the process. For example, server.exe.
PID	ID of the process. For example, 492.
Path	Path of the file associated with the process on the disk. For example, C:\Windows\System32.
Launch Arguments	Command line arguments passed to the process when it is launched. For example, -k LocalServiceNoNetwork.

List of loaded libraries for the selected process, such as DLLs (for Windows), Dylibs (for Mac), or .SO (for Linux).
List of autoruns (if configured).
List of image hooks and suspicious threads (for Windows).

NetWitness Community

Table of Contents

Product Resources

Hosts View - Process Tab

Process Details

On this page