Processes

The Processes page provides an aggregated view of collected information on processes that were executed within the organization, allowing users to quickly drill down into a process. The interface provides searching and sorting for locating processes efficiently.

Note

If a device loses network connectivity or the Coro Agent is inactive, Coro EDR preserves your process data. This saved data becomes accessible once the device re-establishes connection or the Coro Agent resumes operation.

The following topics are discussed:

Accessing the Processes page

To access the Processes page:

  1. Log into the Coro console and select Control Panel from the toolbar:

    Control Panel

  2. Select EDR:

    EDR

  3. Select the Processes tab:

    EDR Processes tab

    The Processes page appears:

    EDR Processes page

    The Processes page contains a list of processes. Select a process to show detailed process information.

Types of process information

The Processes page displays the following process related information:

  • Hash: The unique process identifier hash value.

    Select View Telemetry to display the Telemetry page, filtered by the selected Hash:

    View telemetry

  • Devices: A link showing the total number of devices associated with the process hash.

    Select the link to display the Devices page, filtered by the selected Hash:

    View telemetry devices

  • Known paths: All directory paths from which the process was executed, displayed as a list. Each directory path shows the affected hostnames (devices).

    Known paths

    Note

    If one device is affected, it is displayed under the directory path as a link to the Devices page. If multiple devices are affected, a link to the Devices page showing the number of affected devices is displayed.

    When the link is selected, the Devices page is displayed, filtered according to the process hash and directory path.

    Known paths filtered devices

  • Process aliases (if applicable): If a process has more than one name, all aliases are displayed.

    Process aliases

    Note

    If a process has no additional aliases, the Process aliases section is not displayed.

Sorting process information

Sort the Processes page by the following fields:

  • Number of devices: The number of devices associated with a particular process hash.

  • Last seen: The timestamp at which the process was last seen.

    Sort processes

Process actions

Each process listed on the Processes tab has a set of actions you can apply to a selected process:

Process actions

The following process actions are available:

  • Reboot Device(s): Reboots the affected device(s).

  • Shutdown Device(s): Shuts down the affected device(s).

  • Isolate affected device(s) from network: Used in the case of severe attacks. The action isolates the affected device(s) from the network. An isolated device cannot communicate with any resource on the network or the internet. Communication with Coro servers remains functional while the device is isolated.

    Warning

    If macOS Agent v2.1 or higher / Windows Agent v2.2 or higher is not installed, the Isolate affected devices from network action is not available. Isolated devices are only able to communicate with Coro's servers.

    Note

    Reconnect isolated devices to the network from the Devices page.

    Note

    You can isolate a process if at least one of the associated devices has either:

      • macOS Agent v2.1 or higher installed.

      • Windows Agent v2.2 or higher installed.

  • Block Process: Blocks a process and adds an item to the list on the Allow/Block page in the Endpoint Security module:

    Blocked process

    Note

    Blocked process details are shared on both the Endpoint Security and EDR Block lists on the respective Allow/Block pages.

    A blocked process is displayed in the process list with a Blocked status. When the process is selected, a blocked status is displayed in the format: Process blocked on MMMM DD, YYYY.

    Blocked processes

    For further information on blocking processes, see EDR Allow/Block lists and Endpoint Security Allow/Block lists.

Note

Process actions are performed from the Devices page.

Mass process actions

You can apply mass actions to multiple processes simultaneously. The following mass actions can be applied:

  • Block processes

  • Unblock Processes

To apply a mass action to multiple processes:

  1. Select the required processes from the process list.

  2. Select ACTIONS > Block processes/Unblock Processes:

    Mass block processes

    A confirmation dialog is displayed:

    Mass block processes confirm

  3. Select CONFIRM.

    The selected mass action is performed, and a confirmation toast message appears:

    Mass block processes confirmation toast message

Searching process information

The Search field allows you to search and filter telemetry information using two methods:

A prefixed search allows you to search by the following prefixed terms:

  • EnrollmentCode: The Coro device ID.

  • Hostname: The name of the device(s) linked to a process.

  • ProcessHash: The unique process identifier.

  • ProcessName: The name of the process.

  • Blocked: Enter true to search for all blocked processes.

Prefixed filters

Note

Prefixed searches match the value entered for the selected prefixed term exactly.

A free text search allows you to search without the use of prefixed terms.

Note

Free text search finds items that begin with the characters you enter. Typing the initial characters of a value is enough to display the relevant results, which makes locating a process faster.
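The two search modes described above (exact match on a prefixed term, prefix match for free text), as an added illustration in Python that is not Coro's own code. The record layout, sample hashes, hostnames and enrollment codes are constructed placeholders, and which fields free text search covers is an assumption.

```python
import re
from dataclasses import dataclass

# Prefixed terms listed on the Processes page; prefixed searches are exact matches.
PREFIXED_TERMS = {"EnrollmentCode", "Hostname", "ProcessHash", "ProcessName", "Blocked"}


@dataclass
class ProcessRecord:
    """One aggregated row of the Processes page (assumed layout, not Coro's schema)."""
    process_hash: str
    process_name: str
    aliases: list
    hostnames: list
    enrollment_codes: list
    blocked: bool = False


# Constructed sample records; hashes, hostnames and codes are placeholders, not real indicators.
RECORDS = [
    ProcessRecord("aaaa1111", "svchost.exe", [], ["WS-01", "WS-02"], ["ENR-001", "ENR-002"]),
    ProcessRecord("bbbb2222", "updater.exe", ["upd.exe"], ["SRV-01"], ["ENR-010"], blocked=True),
    ProcessRecord("cccc3333", "svc-helper.exe", [], ["WS-03"], ["ENR-003"]),
]


def _term_values(rec, term):
    """Values a prefixed term is compared against (exact, case-sensitive)."""
    return {
        "EnrollmentCode": set(rec.enrollment_codes),
        "Hostname": set(rec.hostnames),
        "ProcessHash": {rec.process_hash},
        "ProcessName": {rec.process_name, *rec.aliases},
        "Blocked": {"true" if rec.blocked else "false"},
    }[term]


def _free_text_values(rec):
    # Assumption: free text search covers name, aliases, hash and hostnames.
    return [rec.process_name, *rec.aliases, rec.process_hash, *rec.hostnames]


def search(records, query):
    """Return the records matching a 'Term:value' (exact) or free text (prefix) query."""
    m = re.fullmatch(r"(\w+):(.*)", query.strip())
    if m and m.group(1) in PREFIXED_TERMS:
        term, value = m.group(1), m.group(2).strip()
        return [r for r in records if value in _term_values(r, term)]
    q = query.strip().lower()
    return [r for r in records if any(v.lower().startswith(q) for v in _free_text_values(r))]
```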