Processes are one of the Entity types investigated by Hunters as part of its Lead creation and auto-investigation stages.
In many cyber incidents, identifying the origin and behavior of processes is critical for determining the root cause and extent of an attack. SOC analysts can use Hunters to gain a comprehensive and intuitive view of process relationships during security investigations by exploring the Hunters Process Tree.
Process Tree enables analysts to trace the lifecycle of the processes in an alert and to explore their interactions with the operating system. By giving analysts a clear view of parent-child relationships and associated activity such as network connections or file modifications, this feature streamlines the investigation process and reduces the time it takes to respond to security threats.
View and explore process progression
Process Tree preview
You can view a condensed overview of the process you are exploring from the Lead details page by opening the lead and navigating to the process entity tab.
Full Process Tree
To explore further, click Full Process Tree to open a more extensive view that provides a complete suite of information about the process. This includes detailed parent-child relationships showing how the processes evolved over time, which is crucial for understanding how a malicious process originated or propagated.
The Process Tree lets you move up and down the process chain. Navigate to the parent process to identify the origin or likely cause of the current process, or drill down into child processes by clicking the plus (+) sign to see how a malicious action spawned additional activity.
You can zoom in and out as needed, or drag the process canvas to navigate within complex trees.
💡Tip
To keep your bearings during an investigation, look for the Entry point tag. It marks the process from which you entered the Process Tree, that is, the process you were originally investigating.
Investigating process details and events
Investigate process details
You can investigate a process further by selecting it in the process tree and examining the Process details panel on the right side of the screen.
The Process details panel displays the time at which the process event occurred, a link to related events (which appear in the lower part of the screen), and the process Attributes.
Show process events
You can dive into the specific events and actions associated with a process by selecting the process in the tree and examining the lower part of the screen.
These events include:
Network Connections: Connections initiated by the process, used to identify potential command-and-control or data exfiltration activity.
File System Activity: System files created, deleted, or modified by the process, offering critical insight into potential data tampering or ransomware actions.
Process Activity: Process-level activity related to the selected process, such as the child processes it spawned.
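The navigation described above (walking up to the parent chain to find an origin, drilling down into children, and reading the network and file events attached to a selected process) is the same traversal an analyst performs by hand over raw endpoint telemetry. The following is an added example written for this page, not Hunters' code; it builds a process tree from constructed process-creation, network and file events and exposes the three operations. The event field names (`kind`, `pid`, `ppid`, `image`, `cmdline`, `dst`, `path`, `action`) are assumptions loosely modelled on EDR/Sysmon telemetry, and the sample events are constructed, not captured data.

```python
"""Process-tree traversal over constructed endpoint telemetry.

Added example for illustration; not Hunters' own code. Field names and the
sample events below are assumptions, not a real product schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample telemetry (not captured data). PIDs are unique within
# this sample; real telemetry must key on (host, pid, start time) because the
# OS reuses PIDs, otherwise unrelated processes get stitched into one tree.
EVENTS = [
    {"kind": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"kind": "process", "pid": 200, "ppid": 100, "image": "winword.exe",    "cmdline": "winword.exe invoice.docm"},
    {"kind": "process", "pid": 300, "ppid": 200, "image": "cmd.exe",        "cmdline": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"kind": "process", "pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"kind": "network", "pid": 400, "dst": "203.0.113.5:443"},
    {"kind": "file",    "pid": 400, "path": "C:\\Users\\a\\AppData\\Roaming\\x.exe", "action": "create"},
    {"kind": "process", "pid": 500, "ppid": 400, "image": "x.exe",          "cmdline": "x.exe"},
    {"kind": "file",    "pid": 500, "path": "C:\\Users\\a\\Documents\\report.docx", "action": "modify"},
]


@dataclass
class ProcessNode:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    children: List["ProcessNode"] = field(default_factory=list)
    events: List[dict] = field(default_factory=list)  # non-process events attributed to this pid


def build_tree(events: List[dict]) -> Dict[int, ProcessNode]:
    """Index process-creation events by pid, link children to parents, then
    attach network/file events to the process that produced them."""
    nodes: Dict[int, ProcessNode] = {}
    for e in events:
        if e["kind"] == "process":
            nodes[e["pid"]] = ProcessNode(e["pid"], e["ppid"], e["image"], e["cmdline"])
    for node in nodes.values():
        parent = nodes.get(node.ppid)
        if parent is not None:          # a missing parent record makes this node a root
            parent.children.append(node)
    for e in events:
        if e["kind"] != "process":
            node = nodes.get(e["pid"])
            if node is not None:        # events for an unseen pid are dropped here; a real
                node.events.append(e)   # pipeline should surface them as orphans instead
    return nodes


def ancestry(nodes: Dict[int, ProcessNode], pid: int) -> List[ProcessNode]:
    """Walk up the parent chain; returns root-first, ending at pid. Stops at a
    missing parent (the root) or on a cycle, which only happens with bad data."""
    chain, seen = [], set()
    cur = nodes.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = nodes.get(cur.ppid)
    chain.reverse()
    return chain


def descendants(nodes: Dict[int, ProcessNode], pid: int) -> List[ProcessNode]:
    """Depth-first list of everything spawned below pid, in creation order."""
    out: List[ProcessNode] = []
    stack = list(reversed(nodes[pid].children))
    while stack:
        node = stack.pop()
        out.append(node)
        stack.extend(reversed(node.children))
    return out


def events_of(nodes: Dict[int, ProcessNode], pid: int, kind: Optional[str] = None) -> List[dict]:
    """Events attached to one process, optionally filtered to 'network' or 'file'."""
    node = nodes.get(pid)
    if node is None:
        return []
    return [e for e in node.events if kind is None or e["kind"] == kind]


def render(nodes: Dict[int, ProcessNode], root_pid: int, entry_pid: int, depth: int = 0) -> str:
    """Indented tree text, tagging the process the investigation started from."""
    node = nodes[root_pid]
    tag = "  [Entry point]" if node.pid == entry_pid else ""
    line = f"{'  ' * depth}{node.image} (pid {node.pid}){tag}\n"
    return line + "".join(render(nodes, c.pid, entry_pid, depth + 1) for c in node.children)


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    print(render(tree, 100, entry_pid=400))
    print("origin chain:", " -> ".join(n.image for n in ancestry(tree, 400)))
    print("network from pid 400:", [e["dst"] for e in events_of(tree, 400, "network")])
```

Running the block prints the tree rooted at explorer.exe with powershell.exe tagged as the entry point, the origin chain explorer.exe -> winword.exe -> cmd.exe -> powershell.exe (an Office document spawning a shell is the kind of lineage the parent walk is meant to expose), and the outbound connection made by the entry-point process. The `seen` set in `ancestry` and the PID-reuse note matter in practice: telemetry that keys only on pid will eventually link a new process to the wrong, long-dead parent.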