Process Event Lineage
Note
The terms Alerts and Investigations have recently been changed to Detections and Cases in Taegis XDR. You may still see references to the old terms while we continue to work towards platform convergence of Sophos and Taegis technologies. For more information, see Taegis Terminology Updates.
The process event lineage displays a visual, interactive view of the process tree, including the ancestry of the process you're viewing, how many child processes exist, and how many detections are associated with each process. It helps you understand how a sequence of events developed, where it may have impacted your environment, and what the results were.
View a Lineage
- Access a lineage by opening a process event details page. Events are visible in search results, cases, and from detection details pages.
- From the process event details, select the Lineage tab.
- A graph displays the process you are viewing with any ancestry and child processes.

Note
Lineage displays only processes from the last 30 days; older processes are not shown. If the source process event itself is more than 30 days old, the Lineage tab is disabled.
Tip
Search for process events in Advanced Search Query Language with the following query: FROM process.
Explore a Lineage
The lineage graph displays the following information:

- Process creation date and time
- An icon indicating a process is elevated
- Process name
- Orange highlighted icon indicating detections are associated with the process
- Count of detections associated with the process
- The number of hidden child processes of a process
- The time difference between two processes
- An icon indicating a process is blocked
- An icon indicating a process is the source event
Tip
Select the Legend tooltip at the top right of the graph to see the list of icons that may appear in the graph and their meanings.

See More Details of a Process
See more details of a process in the following ways:
- Hover over a process node to show basic details, the full image path, the username with an annotation if the user is an admin, and a link to open the event details in a new tab.
- Click a process node in the lineage to open the Info tab below the graph.

The Info tab shows process details and the command line. Take the following actions from the Info tab:
- Select the Process Name to open the event details in a new tab.
- Select the Magnifying Glass next to a field to perform a pivot search based on that field.
Tip
To resize, use the handle above the tabs below the graph.
See Child Processes
The Child Processes tab below the graph shows child process events of the selected process node. View the Child Processes tab in two ways:
- Select a count of child processes from the graph.
- Alternatively, select a process node in the graph and then select the Child Processes tab.

Select a Process Name to open the event details in a new tab.
Show Child Processes in the Lineage
You can add these child processes to the lineage graph to help investigate threats.
- To add a single process, click the Eye icon from the Actions column. Click the icon again to hide the process.
- To add multiple processes, use the checkboxes at the left to select the desired processes and click Add to Graph. Use the checkboxes and click Remove from Graph to hide the processes.

See Associated Detections
The Detections tab below the graph shows any detections generated from the selected process node. View the Detections tab in two ways:
- Select a count of detections below a process node in the graph.
- Alternatively, select a process node in the graph and then select the Detections tab.

Select a Detection Title to open the details in a side panel without losing your place in the lineage graph.
Copy the Lineage
To copy the displayed lineage graph as a text-based process tree of nodes to your clipboard, click Copy from the top right of the graph. You can enhance a case by using this copied tree in the notes.
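
The following added example, which is not Taegis code, shows how a lineage with the properties described on this page can be derived from raw process events and written out as a text tree for case notes: the 30-day window, the source marker, elevation, detection counts, hidden child counts, and the time difference between processes. The event field names, the sample events, and the text layout are assumptions; the format produced by the Copy button is not documented here.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)  # lineage only covers the last 30 days

# Constructed process events; field names are hypothetical, not the Taegis schema.
EVENTS = [
    {"id": "a", "parent": None, "name": "explorer.exe",   "created": "2024-04-01T08:00:00", "elevated": False, "detections": 0},
    {"id": "b", "parent": "a",  "name": "winword.exe",    "created": "2024-05-20T10:00:00", "elevated": False, "detections": 0},
    {"id": "c", "parent": "b",  "name": "powershell.exe", "created": "2024-05-20T10:00:05", "elevated": True,  "detections": 2},
    {"id": "d", "parent": "c",  "name": "whoami.exe",     "created": "2024-05-20T10:00:07", "elevated": True,  "detections": 0},
    {"id": "e", "parent": "c",  "name": "net.exe",        "created": "2024-05-20T10:00:09", "elevated": True,  "detections": 1},
]

def lineage_text(events, source_id, now):
    """Return the ancestry of source_id as indented text, or None if the source is too old."""
    by_id = {e["id"]: {**e, "created": datetime.fromisoformat(e["created"])} for e in events}
    def recent(e):
        return now - e["created"] <= WINDOW
    source = by_id[source_id]
    if not recent(source):
        return None  # mirrors the disabled Lineage tab
    chain, seen = [source], {source_id}
    while True:  # walk up to the oldest ancestor still inside the window
        parent = by_id.get(chain[0]["parent"])
        if parent is None or parent["id"] in seen or not recent(parent):
            break
        chain.insert(0, parent)
        seen.add(parent["id"])
    lines = []
    for depth, node in enumerate(chain):
        # Children inside the window that are not drawn on the ancestry chain
        hidden = sum(1 for e in by_id.values()
                     if e["parent"] == node["id"] and e["id"] not in seen and recent(e))
        tags = [t for t, on in (("elevated", node["elevated"]), ("source", node["id"] == source_id)) if on]
        parts = [node["created"].isoformat(sep=" "), node["name"]]
        if tags:
            parts.append("[" + ",".join(tags) + "]")
        if node["detections"]:
            parts.append(f"detections={node['detections']}")
        if hidden:
            parts.append(f"(+{hidden} hidden children)")
        if depth:  # time difference to the parent drawn one level above
            delta = node["created"] - chain[depth - 1]["created"]
            parts.append(f"+{delta.total_seconds():.0f}s after parent")
        lines.append("  " * depth + " ".join(parts))
    return "\n".join(lines)

if __name__ == "__main__":
    print(lineage_text(EVENTS, "c", datetime(2024, 5, 21)))
```

In the sample, explorer.exe is older than 30 days, so the tree starts at winword.exe even though an older ancestor exists in the data.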