PROCESS MONITORING-RELATED INCIDENTS
- Whenever a new or modified process is detected on the configured host (other than the ones in the allowlist), VSP generates an incident.
- Navigate to Monitor > Incidents in the left navigation pane.
- The incident has information related to the new process detected.
- There are two types of process monitoring incidents reported by VSP:
  - New Process: reported when a process is detected that is not among the allowlisted processes.
  - Process Modified: reported when a process is allowlisted, but a checksum mismatch is detected.
The truth table below describes the various scenarios and the type of incident reported for each. Name, Path and Checksum indicate whether the corresponding attribute of the detected process matches the allowlist.

SL NO  Process Name  Process Path  Process Checksum  Incident Type
1      No Match      Match         Match             No Incident
2      No Match      Match         No Match          New Process
3      No Match      No Match      Match             No Incident
4      No Match      No Match      No Match          New Process
5      Match         Match         Match             No Incident
6      Match         Match         No Match          Process Modified
7      Match         No Match      Match             No Incident
8      Match         No Match      No Match          New Process

Table - Process Incidents
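The eight rows of the table collapse to a short decision rule: a checksum match never raises an incident, a checksum mismatch is reported as Process Modified only when both the name and the path are allowlisted, and any other mismatch is reported as New Process. The following Python script is an added example that reproduces that rule against a constructed allowlist; it is not VSP code, and the choices that each attribute is matched independently against any allowlist entry, that the checksum is a SHA-256 of the executable image, and the entry names and paths shown are all assumptions made for the example.

```python
"""Added example: reproduce the process-incident truth table as code.

Assumptions (not taken from the product documentation):
  - each attribute (name, path, checksum) is matched independently against
    any entry in the allowlist;
  - the checksum is a SHA-256 hex digest of the on-disk executable;
  - the allowlist entries and observed processes below are constructed.
"""
import hashlib
from dataclasses import dataclass
from itertools import product

NO_INCIDENT = "No Incident"
NEW_PROCESS = "New Process"
PROCESS_MODIFIED = "Process Modified"


@dataclass(frozen=True)
class ProcessEntry:
    """One allowlist entry, or one process observed on the host."""
    name: str
    path: str
    checksum: str  # hex digest of the executable image


def checksum_of(image: bytes) -> str:
    """Hash of an executable image (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(image).hexdigest()


# Constructed allowlist for a hypothetical host; not real product data.
ALLOWLIST = (
    ProcessEntry("svc_agent.exe", r"C:\Program Files\Acme\svc_agent.exe",
                 checksum_of(b"svc_agent build 1.0")),
    ProcessEntry("backupd", "/usr/sbin/backupd",
                 checksum_of(b"backupd build 3.2")),
)


def incident_for(name_match: bool, path_match: bool, checksum_match: bool) -> str:
    """Decision rule distilled from the truth table (rows 1-8)."""
    if checksum_match:            # rows 1, 3, 5, 7
        return NO_INCIDENT
    if name_match and path_match:  # row 6
        return PROCESS_MODIFIED
    return NEW_PROCESS            # rows 2, 4, 8


def classify(observed: ProcessEntry, allowlist=ALLOWLIST) -> str:
    """Compare an observed process attribute by attribute and classify it."""
    name_match = any(e.name == observed.name for e in allowlist)
    path_match = any(e.path == observed.path for e in allowlist)
    checksum_match = any(e.checksum == observed.checksum for e in allowlist)
    return incident_for(name_match, path_match, checksum_match)


def truth_table() -> list[tuple[bool, bool, bool, str]]:
    """All eight (name, path, checksum) combinations in the page's row order."""
    rows = []
    for name_m, path_m, sum_m in product((False, True), (True, False), (True, False)):
        rows.append((name_m, path_m, sum_m, incident_for(name_m, path_m, sum_m)))
    return rows


if __name__ == "__main__":
    # Constructed observations on the hypothetical host.
    tampered = ProcessEntry("svc_agent.exe", r"C:\Program Files\Acme\svc_agent.exe",
                            checksum_of(b"svc_agent build 1.0 plus patched bytes"))
    unknown = ProcessEntry("unknown_tool.exe", r"C:\Users\Public\unknown_tool.exe",
                           checksum_of(b"never seen before"))
    relocated = ProcessEntry("bkp", "/tmp/bkp", checksum_of(b"backupd build 3.2"))
    for p in (tampered, unknown, relocated):
        print(f"{p.name:<18} -> {classify(p)}")
    print()
    for n, name_m, path_m, sum_m, verdict in [(i + 1, *r) for i, r in enumerate(truth_table())]:
        fmt = lambda b: "Match" if b else "No Match"
        print(f"{n}  {fmt(name_m):<9} {fmt(path_m):<9} {fmt(sum_m):<9} {verdict}")
```

The third constructed observation illustrates rows 3 and 7: a copy of an allowlisted binary started under a different name or from a different path still matches on checksum, so the table reports no incident. When tuning an allowlist, that is worth keeping in mind, since only a checksum mismatch on a known name and path produces the Process Modified classification.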
- If a script-hosting process (such as powershell, cscript.exe, wscript.exe, jscript.exe or python) is executed in detect mode, the command completes its run; if the process is not part of the allowlist, an incident is reported. The process can be added to the allowlist if desired.

Child Commands:

- Common commands like ls, dir, ping and ipconfig can be executed along with powershell. No incidents are reported on VSP, and no libraries or processes need to be allowlisted.
- Whenever a command that invokes a child process is executed, two incidents are reported: one for the parent process and another for the child process.
- Commands like -enc and -noP must be allowlisted before they are executed. Refer to the page Create or Edit Allowlist for more information.