Process Tree Template

This template provides a graphical representation of the execution tree of a specific process, where nodes represent entities that participate in an operation (such as processes, files, or communication or operation targets) and arrows represent operations.

The resources used to present this information are:

  • Template parameters: Filter the type of information shown initially on the graph.

  • Node colors: Indicate the item classification.

  • Node icons: Indicate the item type.

  • Status icons: Indicate the action taken on the item.

  • Arrow colors: Indicate whether the item was blocked or not.

  • Arrow types: Indicate the number and direction of the actions executed between the nodes.

  • Arrow labels: When you click the label of an arrow, an information panel appears on the right that shows information about the action taken by the process.

  • Node labels: When you click the label of a node, an information panel appears on the right that shows information about the entity.

Template Parameters

  • Parentpid: Parent process ID. It determines the specific execution instance of the program shown as the start node of the graph.

  • muid: Identifiers of the computers on which the process you want to investigate was run.

  • parentmd5: MD5 hash of the parent process.

  • date_event: Date of the event you want to represent on the graph. The graph shows the events that fall in the time interval from the day before to the day after the indicated date.

Node Colors

The color of a node indicates the classification of the item (the color swatches are images that did not survive extraction; only the descriptions are kept):

  • Item classified as malware.

  • Item classified as a PUP.

  • Item classified as a suspicious item.

  • Unclassified item (original color).

  • Item classified as goodware.

Color codes used in Process Tree template nodes

Node Icons

The icon of a node indicates the type of the item (the icons themselves are images that did not survive extraction; only the descriptions are kept):

  • Process. If it belongs to a known software package, the icon of that package is shown.

  • Compressed file

  • Remote thread

  • Executable file

  • Library

  • Script file

  • Protection

  • Windows registry branch value

  • Folder

  • URL used in a communication

  • Non-executable file

  • IP address in a communication

Icons used in template nodes

Status Icons

A status icon indicates the action taken on the item (the icons themselves are images that did not survive extraction; only the descriptions are kept):

  • File deleted

  • File quarantined

  • File disinfected

  • Process deleted

Icons used to indicate the action taken on the node

Node Labels

The labels indicate the name of the entity. When you click an entity, an information panel appears on the right that shows the fields that describe it.

Arrow Colors

The color of the arrows indicates whether Cytomic EDR or Cytomic EPDR blocked or allowed the action.

  • Red: The action was classified as a threat and blocked by the protection software. The meaning of each of the following actions is described under the action field in Fields in the Events Received by Cytomic Orion.

    • Block

    • BlockTimeout

    • BlockExploit

    • BlockBL

    • Disinfect

    • Delete

    • Quarantine

    • KillProcess

    • IPBlocked

  • Black: The action was allowed.

Arrow Styles

  • Arrow thickness: Represents the number of times the same type of action was executed between two nodes. The greater the number of actions, the thicker the arrow. When you click an arrow, the information panel shows the dates when the first and last actions in the group occurred.

  • Arrow direction: Indicates the direction of the action.

  • Numbers: The numbers on the arrows indicate the order in which the events were recorded.

Arrow Labels

The label of an arrow indicates the name of the action taken by the process. When you click the label of an arrow, an information panel appears on the right that shows fields that describe the event that occurred.

Node Levels Shown by Default

By default, the graph is displayed horizontally with the node selected by the analyst at the center of the graph. It is surrounded by a subset of nodes related to that node:

  • The graph displays three levels of nodes above the main node.

  • The graph displays nodes one level below the main node.

The graph can show a maximum of 25 nodes at the same level. If a level has more than 25 nodes, none of the nodes at that level are shown.
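To make the arrow and default-view rules above concrete, here is an added Python model (not Cytomic's code) of how the events behind the template can be filtered by date_event, grouped into arrows with a count, first/last time and red/black color, and trimmed to the default node levels with the 25-node cap. The event records and node names are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

# Actions the page lists as blocked (red arrows); any other action is drawn black.
BLOCKED_ACTIONS = {"Block", "BlockTimeout", "BlockExploit", "BlockBL", "Disinfect",
                   "Delete", "Quarantine", "KillProcess", "IPBlocked"}

# Constructed sample events: (order, parent node, child node, action, ISO timestamp).
EVENTS = [
    (1, "explorer.exe", "winword.exe", "Exec", "2024-05-02T09:00:00"),
    (2, "winword.exe", "cmd.exe", "Exec", "2024-05-02T09:01:00"),
    (3, "cmd.exe", "powershell.exe", "Exec", "2024-05-02T09:02:00"),
    (4, "powershell.exe", "C:\\Users\\a\\report.ps1", "CreateFile", "2024-05-02T09:03:00"),
    (5, "powershell.exe", "C:\\Users\\a\\report.ps1", "CreateFile", "2024-05-02T09:05:00"),
    (6, "powershell.exe", "203.0.113.7", "IPBlocked", "2024-05-02T09:06:00"),
    (7, "powershell.exe", "notepad.exe", "Exec", "2024-05-04T09:07:00"),  # outside window
]

def filter_by_date(events, date_event):
    """date_event parameter: keep events from the day before to the day after."""
    day = date.fromisoformat(date_event)
    lo, hi = day - timedelta(days=1), day + timedelta(days=1)
    return [e for e in events if lo <= date.fromisoformat(e[4][:10]) <= hi]

def group_arrows(events):
    """One arrow per (parent, child, action): count, first/last time and color."""
    arrows = {}
    for _, src, dst, action, ts in events:
        a = arrows.setdefault((src, dst, action), {"count": 0, "first": ts, "last": ts,
            "color": "red" if action in BLOCKED_ACTIONS else "black"})
        a["count"] += 1
        a["first"], a["last"] = min(a["first"], ts), max(a["last"], ts)
    return arrows

def default_view(events, main, levels_up=3, levels_down=1, cap=25):
    """Nodes shown by default: 3 levels of parents, 1 of children, max 25 per level."""
    parents, children = defaultdict(set), defaultdict(set)
    for _, src, dst, _, _ in events:
        children[src].add(dst)
        parents[dst].add(src)
    shown = {main}
    for neighbours, depth in ((parents, levels_up), (children, levels_down)):
        frontier = {main}
        for _ in range(depth):
            level = set().union(*(neighbours[n] for n in frontier)) - shown
            if len(level) > cap:  # more than 25 nodes at one level: none are shown
                break
            shown |= level
            frontier = level
    return shown
```

Calling `default_view(filter_by_date(EVENTS, "2024-05-02"), "powershell.exe")` returns the three ancestors plus the two direct children, while the event dated 2024-05-04 is dropped by the date window.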

Show Child Nodes

An icon in the bottom left corner of a node indicates that the node has hidden child nodes. To show child nodes, right-click the node. A context menu opens. Select one of the available options:

  • Show parent: Shows the parent nodes of the selected node.

  • Show all activity (number): Shows all the child nodes of the node regardless of their type. The maximum number of nodes shown is 25. The number shown is the total number of events that link the parent node with its child nodes.

  • Show children: Opens a drop-down list. Select the type of child nodes to show and select the number of nodes for each type. The types of nodes include:

    • Data files: Files with unidentified information.

    • Script files: Files with command sequences.

    • Downloads: Data files downloaded from the Internet/network.

    • DNS: Domains whose IP address could not be resolved.

    • Windows registry entries

    • Compressed files

    • PE files: Executable files.

    • Remote threads

    • IPs: IP addresses for either end of the communication.

    • Libraries

    • Processes

    • Protection: Action taken by the antivirus.

When you select several nodes on the graph and right-click, the context menu shows only the options that apply to all the selected nodes.

Investigation with Notebooks

To start an automated investigation on a node in the graph, right-click the graph and select Automated investigation. A list appears with all available templates. For more information about automated investigations, see Investigations with Notebooks.