Processes

The EDR Processes page compiles information on device processes executed within the organization. This centralized aggregation enables quick analysis and detailed investigation of specific processes, giving admin users with sufficient permissions visibility into potential security threats.

This article discusses thr following topics:

• Accessing the Processes page
• Types of process information
• Sorting of process information
• Process actions
• Searching process information

Accessing the Processes page

To access the EDR Processes page:

1. Sign into the Coro console and select Control Panel :

   

2. Select EDR :

   

3. Select the Processes tab:

   

   The Processes page appears, displaying a list of processes:

   

4. Select any process to view detailed process information.

Types of process information

The Processes page displays the following process information:

• Hash : The unique process identifier hash value.

  Select View Telemetry to display the Telemetry page, filtered by the process hash value:

  

• First execution details : Details about the process’s first execution:
  • Device name : The device that first executed the process.
  • User : The user account that first executed the process.
  • Timestamp : The date and time when the process was first executed.

  

• Total affected devices : The total number of monitored endpoint devices on which this process is running.

  Select the devices counter to view the Devices page, filtered by the process hash value:

  

• Known paths : All directory paths from which the process was executed. Each directory path includes the hostnames (devices) affected.

  

  note

  If a single device is affected, its name appears as a link to the Devices page below the directory path. If multiple devices are affected, Coro displays a counter showing the number of affected devices. This counter directs you to the Devices page, filtered by the process hash and directory path.

• Process aliases (if applicable): If a process has more than one name, all aliases are displayed.

  

  note

  If a single device is affected, its name appears as a link to the Devices page below the directory path. If multiple devices are affected, Coro displays a counter showing the number of affected devices. This counter directs you to the Devices page, filtered by the process hash and directory path.

  note

  Coro does not display the Process Aliases section if a process has no additional aliases.

• Open tickets : A list of all open EDR tickets associated with this process, including a count for each ticket type.

  

  Select All Open Tickets to view the Ticket log, filtered by the process hash value:

  

Sorting process information

You can sort the Processes page by the following fields:

• Number of devices : The number of devices associated with a particular process hash.
• Last seen : The timestamp at which the process was last seen.

  

Process actions

Each process listed on the Processes tab has a set of actions you can apply to a selected process:

You can perform the following process actions:

• Reboot Device(s) : Reboots the affected device(s).
• Shutdown Device(s) : Shuts down the affected device(s).
• Isolate affected device(s) from network : Used in the case of severe attacks. The action isolates the affected device(s) from the network. An isolated device cannot communicate with any resource on the network or the internet. Communication with the Coro servers remains functional while the device is isolated.

  warning

  If MacOS Agent v2.1 or higher/Windows Agent v2.2 or higher is not installed, the Isolate affected devices from network action is not available. Isolated devices are only be able to communicate with Coro's servers.

  note

  Reconnect isolated devices to the network from the Devices page.

  note

  Isolate a process if at least one of the associated devices has either:

  MacOS Agent v2.1 or higher installed.

  Windows Agent v2.2 or higher installed.

• Block Process : Blocks a process and adds it to the Endpoint Security and EDR blocklist:

  

  Coro labels the process as Blocked in the Processes list. When you select a blocked process, Coro displays the status in the format: Process blocked on MMMM DD, YYYY.

  

  For further information on blocking processes, see EDR Allow/Block lists and Endpoint Security Allow/Block lists.

  note

  You can perform additional process actions from the Devices tab.

Mass process actions

You can apply mass actions to multiple processes simultaneously. You can apply the following mass actions:

• Block processes
• Unblock Processes

To apply a mass action to multiple processes:

1. Select the required processes from the process list.
2. Select ACTIONS > Block processes / Unblock Processes :

   

   Coro displays a confirmation dialog:

   

3. Select CONFIRM .

   The selected mass action is performed, and a confirmation message appears:

   

Searching process information

The Search field allows you to search and filter telemetry information using two methods:

• Prefixed search
• Free text search

Prefixed search

A prefixed search allows you to search by the following prefixed terms:

• EnrollmentCode : The Coro device ID.
• Hostname : The name of the device(s) linked to a process.
• ProcessHash : The unique process identifier.
• ProcessName : The name of the process.
• Blocked : Enter true to search for all blocked processes.

Free text search

A free text search allows you to search without the use of prefixed terms.