Review Endpoint Alerts using Process Tree

From version and higher, the Alert details page for Endpoint alerts will show a process tree along with the details of Summary, Event details, Process details, etc.

After you filter the Endpoint alerts in the Alerts List view, you can go to the Alert Details view for more detailed information on the Endpoint alerts, to determine the action required. An alert contains one or more events. In the Alert Details view for Endpoint alerts, you can view the alert details in the form of a process tree and additional event details, process details and much more on the right panel. The following figure shows an example of the Alert Details view for Endpoint alerts.


The process tree on the Alert Details view provides a complete picture about where the suspicious/malicious file originated including the path in the form of a process tree.


The Details panel on the right has more information for an alert than the Overview panel in the Alerts List view.

netwitness_image_200x47.png - The file that caused the alert is outlined in red.

netwitness_selectednode_200x48.png - Selected file is outlined in blue.

netwitness_1_40x37.png - The file that caused the alert, and it is outlined in red. If you click on this file, the red outline will become blue to show it is selected.

netwitness_2_40x37.png - The file from which the suspicious/malicious file is originated.

netwitness_3_39x36.png - Investigate Timeline takes to the Investigate view for the selected alert.

netwitness_4_40x37.png - Summary shows a short description of the event.

netwitness_5_41x36.png - Event Details section provided a detailed information about the event that includes the Event Time, Target Filename, Tactic, Technique, Target User etc.

netwitness_6_41x36.png - Process Details section shows the Directory where the file is stored besides User name, Hash value, Risk score, Signature etc.

netwitness_7_41x36.png - Network Connections shows any network connection the selected file established since ten minutes before and till ten minutes after the alert triggered time. For example, if the alert was triggered at 16:00 hours, the network connections(if any)established by the selected file from 15:50 hours to 16:10 hours will be shown.

netwitness_8_42x37.png - Origin section shows how the selected file originated in the host.

netwitness_9_42x37.png - Exists on Hosts shows the list of hosts(with risk score) the selected file exists.

Process Details Section Values





Shows the tactic, as per MITRE ATT&CK framework, this attempt falls under.


Technique Shows the technique, as per MITRE ATT&CK framework, this attempt falls under. masquerading
Event Time Shows the event occurred time.

06/22/2022 10:14:28.000 am 8 hours ago

Target Filename Shows the name of file that is targeted. You can also view it in the process tree, next to the file that caused the alert. Unconfirmed 298296.crdownload
Target Command Line Shows the command line argument of the target file.


Target Directory Shows the targeted directory. C:\Users\Administrator\Downloads\
Target User Shows the user name through which the attempt was made.


Target Hash Shows the hash value of the selected file. f214c48dc1daxxxx41d327c6bed1b52xxxx492573d85a305d8183eaa0222cc96

Event Details Section Values

Value Description


File name Shows the selected file name with extension iexplore.exe
Command Line Shows the command line name for the selected file


Directory Shows the location of the selected file C:\Program Files\Internet Explorer\
User Shows the user name


Hash Shows the hash value of the selected file f214c48dc1daxxxx41d327c6bed1b52xxxx492573d85a305d8183eaa0222cc96
Risk Score Risk score of the selected file


Signature Shows whether the selected file is signed or not microsoft,signed,valid

Reputation Status

Shows the reputation of a file hash


File Status Shows the file status for the selected file Blacklist

Note: The process tree will be invisible if you drag it to the right end of the screen. Refresh the page to reload the process tree.