Raw Events

If you click the name of a process, you are redirected to the Process Details of the selected process. Click elsewhere on the row, and the context menu shows up:

Details—Same as Process Details when clicking the process ID of the process.

Details (New Tab)—Redirects to Process Details, but in a new tab.

Click Show Sub-Process Events if you want to see the child process events as well.

The process tree on the right side—The process tree reflects the parent-child relationship between processes: child processes are shown directly beneath their parent and indented to the right. Processes shown at the left edge are orphans whose parent has exited.

Important

Older versions of Windows do not produce WMI events. This functionality is available since Windows 10 version 1803.

Some of the events provide only partial information:

File write events – only the first file change is recorded (this is per process: if two processes change the same file, both changes are recorded)

Registry related events - only the first registry key change is recorded (first time by a process)

DLLLoad – only DLLs that the AV does not whitelist are recorded

TcpIp events – only the first connection is recorded (first time by a process)

Http events - only the first request is recorded (first time by a process)

ModuleDrop (a.k.a. PEDrop) – reported only for the first drop of a given module (first time on a computer)

AmsiTriggerEvent – only the first execution is recorded (first time on a computer)
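The list above matters when you query the raw events for investigation: a second connection or file change by the same process is simply not there. The following Python model is an added illustration, not the product's own code, of how the "first occurrence only" rules shape what survives. Which scope applies (per process or per computer) is taken from the list above; it is an assumption that the per-process key also includes the object touched (file path, registry key, remote endpoint, URL) and that the per-computer key is the module or script identity, since the page does not spell the keys out. The sample event stream is constructed.

```python
"""Model of the first-occurrence recording rules for raw events.

Added example, not the product's code. Assumed dedup keys:
  per-process events:  (event kind, process id, target object)
  per-computer events: (event kind, target object)
"""
from dataclasses import dataclass

PER_PROCESS = "process"
PER_COMPUTER = "computer"

# Scope of the "first time" rule for each event kind, as described on the page.
SCOPE = {
    "FileWrite": PER_PROCESS,
    "RegistryChange": PER_PROCESS,
    "TcpIp": PER_PROCESS,
    "Http": PER_PROCESS,
    "ModuleDrop": PER_COMPUTER,
    "AmsiTriggerEvent": PER_COMPUTER,
}


@dataclass(frozen=True)
class Event:
    kind: str
    pid: int
    target: str  # file path, registry key, endpoint, URL, module or script identity


def split_events(events):
    """Return (kept, dropped): events that would be recorded vs. suppressed.

    Event kinds without a rule in SCOPE are always kept.
    """
    seen = set()
    kept, dropped = [], []
    for ev in events:
        scope = SCOPE.get(ev.kind)
        if scope is None:
            kept.append(ev)
            continue
        # Assumed key composition (see module docstring).
        if scope == PER_PROCESS:
            key = (ev.kind, ev.pid, ev.target)
        else:
            key = (ev.kind, ev.target)
        if key in seen:
            dropped.append(ev)
        else:
            seen.add(key)
            kept.append(ev)
    return kept, dropped


def recorded_events(events):
    """Only the events that would appear in the raw event table."""
    return split_events(events)[0]


# Constructed sample stream; pids, paths and identities are placeholders.
SAMPLE = [
    Event("FileWrite", 100, r"C:\Users\u\notes.txt"),
    Event("FileWrite", 100, r"C:\Users\u\notes.txt"),   # same process again: dropped
    Event("FileWrite", 200, r"C:\Users\u\notes.txt"),   # other process, same file: kept
    Event("TcpIp", 100, "203.0.113.5:443"),
    Event("TcpIp", 100, "203.0.113.5:443"),             # repeat connection: dropped
    Event("ModuleDrop", 100, "module-id-placeholder"),
    Event("ModuleDrop", 200, "module-id-placeholder"),  # per computer: dropped even for a new pid
    Event("AmsiTriggerEvent", 300, "script-id-placeholder"),
    Event("AmsiTriggerEvent", 300, "script-id-placeholder"),  # dropped
]

if __name__ == "__main__":
    kept, dropped = split_events(SAMPLE)
    for ev in kept:
        print("recorded :", ev)
    for ev in dropped:
        print("suppressed:", ev)
```

Run it and compare the "suppressed" lines with the rules above: the second FileWrite by pid 100 and the ModuleDrop by pid 200 are the cases an analyst most often expects to see and will not find in the table.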

Additional filters

The additional filters are accessible by clicking the ADD FILTER button or by clicking the space next to it, which shows the list of available filters. You can search for a filter by typing its name or select one from the list. For the definitions of the additional filters, follow the link here.

Some of the filters have a funnel icon next to them with two or four possible predefined options:

Unknown—the value in the filtered column is not available (probably not a known value at the time of occurrence)

Known—the value is available

None—value is an empty string

Any—the value is not empty; the negation of the None filter

If present on the screen, you can refresh the table by clicking the refresh icon. If available, the export icon can be used to export the table grid to CSV format so that you can work with the list in other applications.

If present, click the PRESETS button to manage filter sets. These options are available:

Save filters—allows you to save the current filter set. Select the check box Include the visible columns and sorting to save that part of your selection as well; otherwise, loading a saved filter set without this option selected shows the default column setting.

Reset filters—resets the active filter and returns to the default filter setting with the default column setting

Reset view—resets the active view without resetting the filter set

Manage—allows you to manage your filter sets

Save Filters as Rule—if available, allows you to save the filter as a rule. You can then find it in the list of rules under the Detection rules sub-tab of the Admin tab.

You can load events that are one minute older, one minute newer, one hour older, or one hour newer by using the buttons at the bottom of the page, or use the GO TO button, which opens a window where you can type the date you want to review.

The buttons TO NEWEST and TO OLDEST take you to the newest or oldest event.