EventSentry provides one of the most detailed, extensive and robust process analysis capabilities that scale across the entire enterprise. EventSentry offers deep insight into process activity in real time, which is beneficial for malware detection, analysis and compliance. When combined with Sysmon, process analysis is extended further with network and anomaly detection.
Basic Process Tracking
Tracks all process activity in real time and provides access to all relevant process activity statistics on the monitored endpoint (requires Windows auditing), including:
- Calling process and user
- SHA256 checksum
- Elevation status
- Process runtime & command line arguments
- Digital signature status
Enhanced Tracking with Sysmon & NetFlow
Complements basic tracking by providing information about all network connections initiated by a process:
- Protocol used (UDP / TCP)
- Source IP / Hostname
- Destination IP / Hostname
- NetFlow correlation (if available) can display related network traffic
Real-Time Alerts
Real-time alerts (e.g. email, ticketing system) can be triggered based on a variety of properties, including:
- File path, name
- Calling user
- Command line arguments
- Advanced file properties (size, signature, checksum, ...)
- Network connection to a potentially malicious host
- Process / Caller Process relationship
Status & Inventory Information
A network-wide task manager with netstat capabilities provides detailed status information about all running processes on the network, including which ports they are listening on. EventSentry also provides an inventory of all scheduled tasks and services/drivers.
Performance Monitoring
Provides detailed process performance data, including CPU, memory, handle usage, runtime and more.
Threat & Anomaly Detection
EventSentry's anomaly detection engine can utilize various process activity events from both Windows and Sysmon to detect unusual behavior, including:
- Never-before-seen processes
- Never-before-seen DLLs loaded into processes
- Suspicious network activity by processes
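The "never-before-seen" detection and the property-based alert rules listed under Real-Time Alerts both reduce to the same mechanism: keep a baseline of what has been observed, then compare each new process-creation record against that baseline and against a few fixed rules. The following added example (not EventSentry's code, configuration or event schema) shows that mechanism in Python over constructed process-creation records whose fields mirror the attributes listed on this page: image path, calling user, SHA256, parent process, command line and signature status. The hash values, account names, paths and the `USER_WRITABLE_PREFIXES` list are all constructed for the demonstration.

```python
import ntpath
from dataclasses import dataclass, field
from typing import Iterable


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed schema, not EventSentry's)."""
    image: str          # full path of the executable that started
    user: str           # account the process runs as
    sha256: str         # checksum of the executable on disk
    parent_image: str   # calling (parent) process
    cmdline: str        # command line arguments
    signed: bool        # digital signature status


# Locations a normal user can write to; an unsigned binary starting from one of
# these is a common alert condition (assumed prefixes, lower-cased for matching).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class Detector:
    known_hashes: set = field(default_factory=set)  # SHA256 values seen in the baseline
    known_pairs: set = field(default_factory=set)   # (parent name, child name) seen in the baseline

    def learn(self, events: Iterable[ProcessEvent]) -> None:
        """Extend the baseline with events an analyst has reviewed as benign."""
        for ev in events:
            self.known_hashes.add(ev.sha256)
            self.known_pairs.add(_pair(ev))

    def evaluate(self, ev: ProcessEvent) -> list[str]:
        """Return the findings for one event; an empty list means nothing unusual."""
        findings = []
        if ev.sha256 not in self.known_hashes:
            findings.append("never-before-seen executable (unknown SHA256)")
        parent, child = _pair(ev)
        if (parent, child) not in self.known_pairs:
            findings.append(f"never-before-seen parent/child pair {parent} -> {child}")
        if not ev.signed and ev.image.lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append("unsigned executable started from a user-writable path")
        # The baseline is deliberately not updated here: a new hash stays flagged
        # until someone reviews it and feeds it back through learn().
        return findings


def _pair(ev: ProcessEvent) -> tuple[str, str]:
    """Parent/child relationship keyed by file name, so path variations do not split it."""
    return (ntpath.basename(ev.parent_image).lower(), ntpath.basename(ev.image).lower())


# Constructed baseline: two routine process starts. Hash values are placeholders.
BASELINE = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM",
                 "HASH_SVCHOST_PLACEHOLDER", r"C:\Windows\System32\services.exe",
                 "svchost.exe -k netsvcs", signed=True),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"CORP\alice",
                 "HASH_NOTEPAD_PLACEHOLDER", r"C:\Windows\explorer.exe",
                 "notepad.exe notes.txt", signed=True),
]

# Constructed new events to evaluate against that baseline.
NEW_EVENTS = [
    # Same notepad start as before: nothing to report.
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"CORP\alice",
                 "HASH_NOTEPAD_PLACEHOLDER", r"C:\Windows\explorer.exe",
                 "notepad.exe todo.txt", signed=True),
    # Unknown, unsigned binary launched from the user's temp directory.
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\setup_helper.exe", r"CORP\alice",
                 "HASH_UNKNOWN_PLACEHOLDER", r"C:\Windows\explorer.exe",
                 "setup_helper.exe /quiet", signed=False),
    # Familiar name and parent, but the binary on disk has a different checksum.
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM",
                 "HASH_SVCHOST_CHANGED_PLACEHOLDER", r"C:\Windows\System32\services.exe",
                 "svchost.exe -k netsvcs", signed=True),
]


def build_detector() -> Detector:
    det = Detector()
    det.learn(BASELINE)
    return det


def demo() -> list[list[str]]:
    """Evaluate NEW_EVENTS in order and return one findings list per event."""
    det = build_detector()
    return [det.evaluate(ev) for ev in NEW_EVENTS]


if __name__ == "__main__":
    for ev, findings in zip(NEW_EVENTS, demo()):
        print(ev.image, "->", findings or "OK")
```

The third sample event is the one worth noticing: the process name, parent and command line are all routine, and only the checksum differs. Keying the baseline on the SHA256 rather than on the file name is what makes a replaced or tampered binary visible, which is why the checksum is listed among the basic tracking attributes above.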
Process Analysis
The process analysis page utilizes all available process data (tracking, status, inventory) to help investigate all process activity from a single interface. The activity page also provides access to the process hierarchy to show the relationship between parent and child process(es).