Process Trees

Note

The terms Alerts and Investigations have recently been changed to Detections and Cases in Taegis XDR. You may still see references to the old terms while we continue to work towards platform convergence of Sophos and Taegis technologies. For more information, see Taegis Terminology Updates.

Important

Process trees will be retired on November 13, 2025, superseded by the visual, interactive Process Event Lineage. You should migrate any workflows using process trees to the enhanced capabilities of process lineage.

Process Event Trees in Secureworks® Taegis™ XDR allow you to explore the ancestry and child processes of a process event. From a process tree you can:

  • Run a pivot search from the host ID
  • See whether the process and user have elevated privileges

Event Process Trees

Use the arrows to the left of the rows to expand and hide parts of the process tree. Use the arrows at the right of a row to expand individual processes to view more details. If the user or process has elevated privileges, an icon appears at the left of the row.

Note

Process trees display only processes from the last 30 days; older processes are not shown. If the source process event itself is more than 30 days old, the Process Tree tab is disabled.

Tip

For a visual, interactive view of the process tree, see Process Event Lineage.

View a Detection’s Process Tree

To view process trees related to a detection:

  1. Select the detection you want to view process events for.
  2. Command line data is displayed in the Process Data section.

    Process Data on Detection Details Page

  3. Select View Event from the Process Data section, or open the Events tab and select a process event from the table to open its details.

  4. In the process event details, select the Process Tree tab.

    Process Tree Details and Related Events

Tip

Copy the process tree as text to paste elsewhere by selecting Copy above the process tree.

Pivot Search by the Username

View the asset details and detections related to the username associated with the event.

  1. View the process tree and expand an individual process with the arrow at the right of a row.
  2. Select the magnifying glass next to the username.

    Detections Related to the Username

  3. A pivot search for the username appears, with related detections, events, and agents.

See Related Detections and Events Timeline View for information on how to view other detections and events related to the current process event.