Asset Processes

In most organizations, it’s rare that users have unique applications that only they use. Most applications, such as office packages and other standard applications, are installed on multiple computers.

Specific hacking tools or malware, however, are only present on one or a handful of machines; these uncommon processes become obvious and indicate that a user has either contracted malware or is running rogue software. This is especially valuable in today’s world where malware has become adept at evading antivirus detection techniques.

As InsightIDR learns more about the processes running in your organization, it classifies them based on how widely each one appears across your assets. InsightIDR identifies three types of processes: unique, rare, and common, each described below.

You can alert on specific processes and hashes by flagging a process or flagging a process variant.

You can also read about process hash details and view all processes.

Unique Process

The "Unique Processes" view displays unique processes, that is, processes seen on only a single asset on the network. A unique process may indicate a rogue process. Information displayed in this view includes the name of the unique process, the user name of the account running it, the asset identifier, and when the process was first and last seen.

Rare Process

A rare process is seen on a few assets on the network.

If a rare process is found, you should present the process and the systems on which it was discovered to the security administrator for review, to confirm it is not risky software or malware that has evaded other security tools.

The "Rare Processes" view displays rare processes, which, unlike unique processes, appear on a few assets. Like a unique process, the presence of a rare process may indicate a rogue process. Information displayed in this view includes the name of the process, the asset account (number of occurrences), and when the process was first and last seen.

Common Process

A common process is seen frequently on many assets.
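The classification described above can be reproduced from plain process telemetry: group observations by process name, count the distinct assets each name appears on, and bucket the result. The following Python is an added example, not InsightIDR's code; the telemetry rows and the hash values are constructed, and the cut-off between "rare" and "common" (`RARE_MAX_ASSETS`) is an assumption, since the page only says "a few assets".

```python
from dataclasses import dataclass, field

# Assumed thresholds (the page gives no number for "a few assets"):
# exactly one asset -> unique, 2..RARE_MAX_ASSETS -> rare, more -> common.
RARE_MAX_ASSETS = 3

# Constructed sample telemetry: (process name, sha1, asset, user, ISO timestamp).
# The hashes are placeholders, not real file hashes.
OBSERVATIONS = [
    ("chrome.exe",   "aaaa0001", "ws-01", "alice", "2024-01-02T09:00:00"),
    ("chrome.exe",   "aaaa0001", "ws-02", "bob",   "2024-01-02T09:05:00"),
    ("chrome.exe",   "aaaa0001", "ws-03", "carol", "2024-01-02T09:10:00"),
    ("chrome.exe",   "aaaa0002", "ws-04", "dave",  "2024-01-02T09:15:00"),
    ("chrome.exe",   "aaaa0001", "ws-05", "erin",  "2024-01-03T08:00:00"),
    ("putty.exe",    "bbbb0001", "ws-02", "bob",   "2024-01-02T10:00:00"),
    ("putty.exe",    "bbbb0001", "ws-04", "dave",  "2024-01-03T10:00:00"),
    ("bluefish.exe", "cccc0001", "ws-03", "carol", "2024-01-02T11:00:00"),
    ("bluefish.exe", "cccc0001", "ws-03", "carol", "2024-01-04T11:00:00"),
]


@dataclass
class ProcessSummary:
    """What the Unique/Rare Processes views show for one process name."""
    name: str
    assets: set = field(default_factory=set)
    users: set = field(default_factory=set)
    hashes: set = field(default_factory=set)   # distinct variants of this name
    occurrences: int = 0
    first_seen: str = ""
    last_seen: str = ""

    @property
    def commonality(self) -> str:
        n = len(self.assets)
        if n == 1:
            return "unique"
        if n <= RARE_MAX_ASSETS:
            return "rare"
        return "common"


def summarize(observations):
    """Aggregate raw observations into one ProcessSummary per process name."""
    summaries = {}
    for name, sha1, asset, user, ts in observations:
        s = summaries.setdefault(name, ProcessSummary(name))
        s.assets.add(asset)
        s.users.add(user)
        s.hashes.add(sha1)
        s.occurrences += 1
        # ISO-8601 timestamps compare correctly as strings.
        s.first_seen = min(s.first_seen or ts, ts)
        s.last_seen = max(s.last_seen, ts)
    return summaries


def classify(observations):
    """Map each process name to unique / rare / common."""
    return {name: s.commonality for name, s in summarize(observations).items()}


def review_queue(observations):
    """Unique and rare processes, with the assets to hand to the security administrator."""
    return [(s.name, s.commonality, sorted(s.assets))
            for s in summarize(observations).values()
            if s.commonality != "common"]


def lookup_hash(observations, sha1):
    """Assets seen running a specific binary hash (the hash-search use case)."""
    return sorted({asset for _, h, asset, _, _ in observations if h == sha1})


if __name__ == "__main__":
    for name, kind in classify(OBSERVATIONS).items():
        print(f"{name:14s} {kind}")
    print("review:", review_queue(OBSERVATIONS))
```

In the constructed data, chrome.exe lands on five assets (common), putty.exe on two (rare) and bluefish.exe on one asset twice (unique); `lookup_hash` shows why a hash search is more precise than a name search, since the second chrome.exe variant is only on ws-04.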

View All Processes

On the InsightIDR homepage, the "Latest Process" card displays the top unique and rare processes. To see an entire list, click the More link at the bottom of the card.

You can also go to the "Assets & Endpoints" page to see a complete list of top unique and rare processes.

Additionally, you can search for a process. Use the search bar at the top of the page to search for any process name, such as ‘bluefish.exe’.

After you type the first few letters of a process name, the search bar provides the full name of any processes it has discovered on the network that match the text provided. Searching for a process returns all users and machines running the target process, if there are any.

Process Hash Details

When you click a process, InsightIDR provides more details about that process, such as the following:

  • MD5
  • SHA1
  • Operating System
  • File Size
  • Signature Verification
  • Commonality
  • File Names
  • Reputation
  • Threat Level
  • Reliability
  • First Analyzed Time
  • File Reputation Report
  • Assets Running This Hash

"File Names" are also clickable. The details page for a file name of a process provides details on process variants, signature verification, commonality, assets that contain the file, and a timeline of discovery.

The "File Reputation Report" is also clickable and displays additional details from VirusTotal.

The SHA1 or MD5 hash can also be pasted into the search bar to discover whether any systems on the network have been seen running that binary.

Flag a Process or Variant

Both the Process Details page and the Process Hash page allow you to flag the process or variant of a process. Once flagged, InsightIDR generates an alert if the process or variant is discovered on any other systems on the network. You can just as easily turn a flag off to stop receiving alerts.

Flag a Process

Flag rare or unique processes

A flag on a process tells InsightIDR to generate an alert each time the process is used. If you flag commonly used processes, such as chrome.exe, you can expect to receive an influx of benign alerts. To avoid this, we recommend that you flag only the processes that you want to generate alerts for, such as a downloaded malware executable in your environment.

To enable a process flag:

  1. From the left menu, click Assets & Endpoints.
  2. Under Name, select the process you want to update.
  3. Click the Flag Process toggle. The toggle will turn green.

To disable a process flag:

When a flag is enabled, the Flag process toggle will be green. To turn the flag off, click the Flag Process toggle. The toggle will turn gray, indicating that it is off.

Flag a Process Variant

You can also generate alerts based on process variants. Say, for example, that you want to know whether any users in your environment are using a version of chrome.exe that has a vulnerability. You can flag that specific version (or variant) of the chrome.exe process and immediately receive alerts if anyone runs the outdated version of chrome.

To enable a process hash flag:

  1. From the left menu, click Assets & Endpoints.
  2. Under Name, select the process you want to update.
  3. Under Process Variant, select a process variant.
  4. Select the Flag hash toggle. The toggle will turn green.

To disable a process hash flag:

When a flag is enabled, the Hash flag toggle will be green. To turn the flag off, click the Hash flag toggle. The toggle will turn gray, indicating that it is off.

Reset a process or variant flag

To reset a process or variant flag, turn off the flag for the process or variant, and then turn it back on.
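The difference between a process flag and a variant (hash) flag, and the alert volume each produces, can be seen by evaluating a stream of process-start events against a set of toggles. This Python is an added example, not InsightIDR's code; the events and hashes are constructed, and the toggle semantics (a flag is on or off, and re-flagging resets it) follow the page's description rather than any documented API.

```python
from dataclasses import dataclass, field

# Constructed process-start events: (process name, sha1, asset).
# Hashes are placeholders, not real file hashes.
EVENTS = [
    ("chrome.exe",  "aaaa0001", "ws-01"),
    ("chrome.exe",  "aaaa0001", "ws-02"),
    ("chrome.exe",  "aaaa0002", "ws-03"),   # the one outdated variant
    ("chrome.exe",  "aaaa0001", "ws-04"),
    ("dropper.exe", "dddd0001", "ws-02"),   # rare binary seen on one asset
]


@dataclass
class FlagStore:
    """Two toggle sets: process-name flags and process-variant (hash) flags."""
    process_flags: set = field(default_factory=set)
    hash_flags: set = field(default_factory=set)

    def toggle_process(self, name):
        """Flip the Flag Process toggle; returns the new state (True = on)."""
        self.process_flags.symmetric_difference_update({name})
        return name in self.process_flags

    def toggle_hash(self, sha1):
        """Flip the Flag hash toggle; returns the new state (True = on)."""
        self.hash_flags.symmetric_difference_update({sha1})
        return sha1 in self.hash_flags

    def reset_process(self, name):
        """Reset = turn the flag off, then back on."""
        self.process_flags.discard(name)
        self.process_flags.add(name)


def evaluate(events, flags):
    """Return one alert per event that matches a flagged name or flagged hash."""
    alerts = []
    for name, sha1, asset in events:
        if name in flags.process_flags:
            alerts.append(("process", name, sha1, asset))
        if sha1 in flags.hash_flags:
            alerts.append(("variant", name, sha1, asset))
    return alerts


def alert_count_by_kind(events, flags):
    """Summarise how noisy the current flags are: {'process': n, 'variant': m}."""
    counts = {"process": 0, "variant": 0}
    for kind, *_ in evaluate(events, flags):
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    noisy = FlagStore()
    noisy.toggle_process("chrome.exe")          # flags a common process by name
    print("name flag on chrome.exe:", alert_count_by_kind(EVENTS, noisy))

    precise = FlagStore()
    precise.toggle_hash("aaaa0002")             # flags only the outdated variant
    precise.toggle_process("dropper.exe")       # a rare process is a good name flag
    print("variant flag + rare name flag:", alert_count_by_kind(EVENTS, precise))
```

Flagging chrome.exe by name fires on every one of the four assets running it, which is the "influx of benign alerts" the page warns about, while flagging the hash of the outdated variant fires once, on ws-03 only; a name flag on the rare dropper.exe is equally quiet.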

Google a File Name

When you are viewing the details for a process file name, you can utilize the Google icon next to the Flag icon to automatically investigate the file name further.