Process Monitoring

EventSentry provides one of the most detailed, extensive and robust process analysis capabilities that scale across the entire enterprise.



EventSentry offers deep insight into process activities in real time, beneficial for malware detection, analysis and compliance. When combined with Sysmon, process analysis is elevated further for network and anomaly detection.

Basic Process Tracking

Tracks all process activity in real time and provides access to all relevant process activity stats on the monitored endpoint (requires Windows auditing), including:

  • Calling process and user
  • SHA256 checksum
  • Elevation status
  • Process runtime & command line arguments
  • Digital signature status

More details on process tracking

Enhanced Tracking with Sysmon & NetFlow

Complements basic tracking by providing information about all network connections initiated by a process:

  • Protocol used (UDP / TCP)
  • Source IP / Hostname
  • Destination IP / Hostname
  • NetFlow correlation (if available) can display related network traffic

Real-Time Alerts

Real-time alerts (e.g. email, ticketing system) can be triggered based on a variety of properties, including:

  • File path, name
  • Calling user
  • Command line arguments
  • Advanced file properties (size, signature, checksum, ...)
  • Network connection to a potentially malicious host
  • Process / Caller Process relationship

Status & Inventory Information

A network-wide task manager with netstat capabilities provides detailed status information about all running processes on the network, including which ports they are listening on. EventSentry also provides an inventory of all scheduled tasks and services/drivers.

Performance Monitoring

Provides detailed process performance data, including CPU, memory, handle usage, runtime and more.

Threat & Anomaly Detection

EventSentry's anomaly detection engine can utilize various process activity events from both Windows and Sysmon to detect unusual behavior, including:

  • Never-before seen processes
  • Never-before seen DLLs loaded into processes
  • Suspicious network activity by processes
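As an added illustration of this first-seen logic (example code written for this page, not EventSentry's engine or its event schema), the following Python learns a baseline from constructed Sysmon-style events and then flags processes with unseen hashes, unseen DLL paths, and connections leaving an assumed internal network of 10.0.0.0/8:

```python
import ipaddress

# Constructed Sysmon-style events (IDs follow Sysmon: 1 = process create,
# 7 = image load, 3 = network connection); field names are simplified assumptions.
BASELINE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "hash": "aa11"},
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe", "dll": r"C:\Windows\System32\ntdll.dll"},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe", "dst": "10.0.0.5"},
]
NEW_EVENTS = [
    {"id": 1, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "hash": "ff99"},
    {"id": 7, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "dll": r"C:\Windows\System32\ntdll.dll"},
    {"id": 7, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "dll": r"C:\Users\bob\AppData\Local\Temp\helper.dll"},
    {"id": 3, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "dst": "203.0.113.9"},
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "hash": "aa11"},
]

def learn(events, baseline=None):
    """Record hashes and DLL paths seen during a learning window (no alerts)."""
    if baseline is None:
        baseline = {"hashes": set(), "dlls": set()}
    for e in events:
        if e["id"] == 1:
            baseline["hashes"].add(e["hash"])
        elif e["id"] == 7:
            baseline["dlls"].add(e["dll"].lower())  # Windows paths are case-insensitive
    return baseline

def detect(events, baseline, internal_nets=("10.0.0.0/8",)):
    """Return alerts for first-seen hashes, first-seen DLLs and connections
    leaving the internal networks; the baseline is updated as items are seen."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    alerts = []
    for e in events:
        if e["id"] == 1 and e["hash"] not in baseline["hashes"]:
            baseline["hashes"].add(e["hash"])
            alerts.append(("new-process", e["image"], e["hash"]))
        elif e["id"] == 7 and e["dll"].lower() not in baseline["dlls"]:
            baseline["dlls"].add(e["dll"].lower())
            alerts.append(("new-dll", e["image"], e["dll"]))
        elif e["id"] == 3:
            dst = ipaddress.ip_address(e["dst"])
            if not any(dst in n for n in nets):
                alerts.append(("external-connection", e["image"], e["dst"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, learn(BASELINE_EVENTS)):
        print(*alert)
```

Running the sample yields three alerts: the unseen update.exe hash, the unseen helper.dll load, and the connection to 203.0.113.9; the second svchost.exe start and the ntdll.dll load stay silent because the baseline already holds them.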

Process Analysis

The process analysis page utilizes all available process data (tracking, status, inventory) to help investigate all process activity from a single interface. The activity page also provides access to the process hierarchy to show the relationship between parent and child process(es).