Processes

The EDR Processes page compiles information on device processes executed within the organization. This centralized aggregation enables quick analysis and detailed investigation of specific processes, giving admin users with sufficient permissions visibility into potential security threats.

note

If a device loses network connectivity or the Coro Agent becomes inactive, Coro EDR preserves the process data. After the device regains connectivity or the Coro Agent resumes operation, this saved data becomes accessible.

This article discusses the following topics:

Accessing the Processes page

To access the EDR Processes page:

  1. Sign into the Coro console and select Control Panel.

  2. Select EDR.

  3. Select the Processes tab.

    The Processes page appears, displaying a list of processes.

  4. Select any process to view detailed process information.

Types of process information

The Processes page displays the following process information:

  • Hash: The unique process identifier hash value.

    Select View Telemetry to display the Telemetry page, filtered by the process hash value.

  • Devices: The total number of monitored endpoint devices on which this process is running.

    Select the devices counter to view the Devices page, filtered by the process hash value.

  • Known paths: All directory paths from which the process was executed. Each directory path includes the hostnames (devices) affected.

    note

    If a single device is affected, its name appears as a link to the Devices page below the directory path. If multiple devices are affected, a counter appears displaying the number of affected devices. This counter directs you to the Devices page, filtered by the process hash and directory path.

  • Process aliases (if applicable): If a process has more than one name, all aliases are displayed.

    note

    Coro EDR does not display the Process Aliases section if a process has no additional aliases.

  • Open tickets: A list of all open EDR tickets associated with this process, including a count for each ticket type.

    Select All Open Tickets to view the Ticket log, filtered by the process hash value.

Sorting process information

You can sort the Processes page by the following fields:

  • Number of devices: The number of devices associated with a particular process hash.
  • Last seen: The timestamp at which the process was last seen.
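The per-hash view described under Types of process information, together with the two sort keys above, can be modelled with a few lines of Python. The example below is added here for illustration and is not Coro's code: it folds constructed per-device execution events (placeholder hashes, hostnames and paths) into one summary per process hash, derives the device count, the known paths with their affected hosts, the alias list (only shown when a hash has more than one name) and the last-seen timestamp, and applies the single-host-versus-counter presentation rule for known paths. Field names and the event shape are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed sample telemetry (not Coro data): one record per process
# execution observed by an endpoint agent. Hash values are placeholders.
EVENTS = [
    {"hash": "HASH_A", "hostname": "host-01", "path": r"C:\Windows\System32",
     "name": "svc.exe", "last_seen": "2024-03-01T09:00:00Z"},
    {"hash": "HASH_A", "hostname": "host-02", "path": r"C:\Windows\System32",
     "name": "svc.exe", "last_seen": "2024-03-02T11:30:00Z"},
    {"hash": "HASH_A", "hostname": "host-03", "path": r"C:\Users\Public",
     "name": "svc.exe", "last_seen": "2024-03-03T08:15:00Z"},
    {"hash": "HASH_A", "hostname": "host-03", "path": r"C:\Users\Public",
     "name": "updater.exe", "last_seen": "2024-03-03T08:20:00Z"},
    {"hash": "HASH_B", "hostname": "host-02", "path": "/usr/bin",
     "name": "agentd", "last_seen": "2024-02-28T17:00:00Z"},
]


@dataclass
class ProcessSummary:
    """Per-hash view of a process, mirroring the fields the Processes page shows."""
    hash: str
    devices: set = field(default_factory=set)        # hostnames seen running it
    known_paths: dict = field(default_factory=dict)  # path -> set of hostnames
    names: set = field(default_factory=set)          # every name seen for this hash
    last_seen: str = ""                              # ISO-8601 strings sort lexically

    @property
    def aliases(self):
        # Aliases are only presented when a hash has more than one name.
        return sorted(self.names) if len(self.names) > 1 else []


def aggregate(events):
    """Fold raw per-device events into one ProcessSummary per process hash."""
    summaries = {}
    for ev in events:
        s = summaries.setdefault(ev["hash"], ProcessSummary(ev["hash"]))
        s.devices.add(ev["hostname"])
        s.known_paths.setdefault(ev["path"], set()).add(ev["hostname"])
        s.names.add(ev["name"])
        s.last_seen = max(s.last_seen, ev["last_seen"])
    return summaries


def path_label(hosts):
    """How a known path's affected devices are presented: a single host is
    shown by name (a link on the real page); several collapse to a counter."""
    return next(iter(hosts)) if len(hosts) == 1 else f"{len(hosts)} devices"


def sort_summaries(summaries, by="devices"):
    """The two sort keys the page offers: device count or last-seen timestamp,
    most devices / most recent first."""
    key = (lambda s: len(s.devices)) if by == "devices" else (lambda s: s.last_seen)
    return sorted(summaries.values(), key=key, reverse=True)


if __name__ == "__main__":
    for s in sort_summaries(aggregate(EVENTS)):
        print(s.hash, len(s.devices), "devices; last seen", s.last_seen,
              "; aliases:", s.aliases)
        for path, hosts in s.known_paths.items():
            print("   ", path, "->", path_label(hosts))
```

The same hash running from both a system directory and a user-writable one is exactly the kind of detail the Known paths view is meant to surface, which is why the summary keeps paths keyed separately rather than merging them into a single device count.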

Process actions

Each process listed on the Processes tab has a set of actions you can apply to it. You can perform the following process actions:

  • Reboot Device(s): Reboots the affected device(s).
  • Shutdown Device(s): Shuts down the affected device(s).
  • Isolate affected device(s) from network: Used in the case of severe attacks. The action isolates the affected device(s) from the network. An isolated device cannot communicate with any resource on the network or the internet. Communication with the Coro servers remains functional while the device is isolated.

    warning

    If macOS Agent v2.1 or higher or Windows Agent v2.2 or higher is not installed, the Isolate affected devices from network action is not available. Isolated devices are only able to communicate with Coro's servers.

    note

    Reconnect isolated devices to the network from the Devices page.

    note

    You can isolate a process if at least one of its associated devices has either:

    • macOS Agent v2.1 or higher installed.
    • Windows Agent v2.2 or higher installed.

  • Block Process: Blocks a process and adds it to the Endpoint Security and EDR blocklist.

    A blocked process is displayed in the process list with a Blocked status. When the process is selected, the blocked status is displayed in the format: Process blocked on MMMM DD, YYYY.

    For further information on blocking processes, see EDR Allow/Block lists and Endpoint Security Allow/Block lists.

    note

    You can perform additional process actions from the Devices tab.

Mass process actions

You can apply mass actions to multiple processes simultaneously. You can apply the following mass actions:

  • Block processes
  • Unblock Processes

To apply a mass action to multiple processes:

  1. Select the required processes from the process list.
  2. Select ACTIONS > Block processes or Unblock Processes.

    A confirmation dialog appears.

  3. Select CONFIRM.

    The selected mass action is performed, and a confirmation message appears.

Searching process information

The Search field allows you to search and filter telemetry information using two methods:

Prefixed search

A prefixed search allows you to search by the following prefixed terms:

  • EnrollmentCode: The Coro device ID.
  • Hostname: The name of the device(s) linked to a process.
  • ProcessHash: The unique process identifier.
  • ProcessName: The name of the process.
  • Blocked: Enter true to search for all blocked processes.

note

Prefixed searches match the entered value exactly; partial values do not match.

Free text search

A free text search allows you to search without the use of prefixed terms.
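The two search methods differ in how they match, and the difference matters when a hunt turns up nothing: a prefixed term needs the exact value, while free text matches anywhere. The Python below is an added example, not Coro's search implementation: it parses a query into either a recognised prefix plus value or plain free text, applies exact matching for prefixed terms and case-insensitive substring matching for free text, and runs both over constructed process rows (placeholder hashes, hostnames and enrollment codes). Treating prefix names case-insensitively and routing an unrecognised prefix to free-text search are assumptions made for the example.

```python
# Constructed process rows (not Coro data) in the shape the Processes page
# searches over. Hash values and enrollment codes are placeholders.
PROCESSES = [
    {"ProcessHash": "HASH_A", "ProcessName": ["svc.exe", "updater.exe"],
     "Hostname": ["host-01", "host-02"],
     "EnrollmentCode": ["ENR-0001", "ENR-0002"], "Blocked": False},
    {"ProcessHash": "HASH_B", "ProcessName": ["agentd"],
     "Hostname": ["host-02"], "EnrollmentCode": ["ENR-0002"], "Blocked": True},
    {"ProcessHash": "HASH_C", "ProcessName": ["svchost.exe"],
     "Hostname": ["host-09"], "EnrollmentCode": ["ENR-0009"], "Blocked": True},
]

# The prefixed terms listed on the page; free text searches the text fields only.
PREFIXES = ("EnrollmentCode", "Hostname", "ProcessHash", "ProcessName", "Blocked")
FREE_TEXT_FIELDS = ("EnrollmentCode", "Hostname", "ProcessHash", "ProcessName")


def parse_query(query):
    """Split 'Prefix:value' into (prefix, value). Prefix names are compared
    case-insensitively (an assumption); anything without a recognised prefix,
    including a path such as 'C:\\Windows', is returned as (None, free_text)."""
    prefix, sep, value = query.partition(":")
    if sep:
        for p in PREFIXES:
            if prefix.strip().lower() == p.lower():
                value = value.strip()
                # Blocked takes the literal true/false, so normalise its case.
                return p, value.lower() if p == "Blocked" else value
    return None, query.strip()


def _field_values(row, name):
    """Return a field as a list of strings so list and scalar fields compare alike."""
    v = row[name]
    if isinstance(v, bool):
        return [str(v).lower()]
    return v if isinstance(v, list) else [v]


def search(query, rows=PROCESSES):
    """Return the hashes of rows matching the query.
    Prefixed search: the value must equal one of the field's values exactly.
    Free text: case-insensitive substring across every text field."""
    prefix, value = parse_query(query)
    hits = []
    for row in rows:
        if prefix is not None:
            matched = value in _field_values(row, prefix)
        else:
            needle = value.lower()
            matched = any(needle in str(v).lower()
                          for f in FREE_TEXT_FIELDS for v in _field_values(row, f))
        if matched:
            hits.append(row["ProcessHash"])
    return hits


if __name__ == "__main__":
    for q in ("ProcessName:svc", "ProcessName:svc.exe", "svc", "Blocked:true"):
        print(f"{q!r:22} -> {search(q)}")
```

The first two queries in the usage block show the exact-match rule in practice: ProcessName:svc returns nothing, while ProcessName:svc.exe and the free-text svc both return results.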