Process Tracking

Process Tracking records all process activity (process creation and process exit) in a central database and is intended to monitor application usage on workstations in high-security environments. The collected information can be queried through the web interface to obtain tracking data, history, statistics, etc.

Note: Combined with Sysmon and NetFlow, the process tracking feature can provide powerful insights into process activity, including associated network activity, on monitored systems.

Requirements

This feature works by intercepting Audit Success events that are written to the Security event log when Audit Process Tracking is enabled in the Local Security Policy of the monitored host. As such, some requirements need to be met before process tracking can function properly. Please see requirements for details.

Configuration

Tracking All Processes (with exceptions)

Select "Track all processes except those listed below" to monitor all processes. To exclude processes, click the + button and specify the process executable to exclude (see the info box below).

Tracking only selected Processes

Select "Only track processes listed below" and click the + button to add processes that should be monitored to the list.

Note: Processes need to be added either with a wildcard (e.g. *\postgres.exe) or by using the full path (e.g. C:\Program Files (x86)\EventSentry\postgresql\bin\postgres.exe).

Include command line

You can capture the command line of processes with this option. Obtaining the command line of a process is only possible while the process is running, and as such this will not work for processes whose duration is very short (e.g. < 2 seconds). Activating this option might incur a small performance overhead.

Security Warning: Use this option with care; command line arguments may include sensitive information such as usernames and passwords.

Sysmon network events

EventSentry can be integrated with the Sysmon v7.x utility from Windows Sysinternals.

Checksum

When enabled, calculates the specified type of checksum (SHA-256, SHA-384 or SHA-512) of every executed process and makes it available in the reporting. Checksums can be correlated with sites like virustotal.com.

It is recommended to enable optimization to reduce the CPU load the EventSentry agent places on the monitored system; disable the optimization in high-security environments. When optimization is enabled, the agent temporarily caches the checksum of frequently executed processes. Standard optimization uses the cached checksum if the file's write time has not changed since the last time a checksum was generated; high optimization uses the cached checksum only if the same file was executed within the last 5 seconds and the write time has not changed.
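
The two optimization levels described above, modelled in Python as an added illustration (this is not EventSentry's own code). The executable bytes, write times and clock are constructed inputs; `simulate` replays one execution sequence under a given level and returns how many times the file actually had to be hashed, which is the cost the optimization trades against freshness.

```python
import hashlib
import time
from enum import Enum

HIGH_WINDOW_SECONDS = 5  # reuse window for "high" optimization, as stated on the page

class Optimization(Enum):
    OFF = "off"            # hash the file on every execution
    STANDARD = "standard"  # reuse cached checksum while the file's write time is unchanged
    HIGH = "high"          # reuse only if re-executed within 5 seconds and write time unchanged

class ChecksumCache:
    """Hypothetical model of the checksum cache described on the page; not EventSentry's code."""

    def __init__(self, mode, algorithm="sha256", clock=time.time):
        if algorithm not in ("sha256", "sha384", "sha512"):
            raise ValueError("supported checksum types: SHA-256, SHA-384, SHA-512")
        self.mode, self.algorithm, self.clock = mode, algorithm, clock
        self._entries = {}   # path -> (write_time, digest, last_seen)
        self.hash_count = 0  # how often the file was actually hashed (the cost being optimized)

    def checksum(self, path, data, write_time):
        # data stands in for the executable's bytes read from disk, write_time for its mtime
        now = self.clock()
        entry = self._entries.get(path)
        if entry is not None and self.mode is not Optimization.OFF:
            cached_write_time, digest, last_seen = entry
            unchanged = cached_write_time == write_time
            recent = now - last_seen <= HIGH_WINDOW_SECONDS
            # standard: write time unchanged is enough; high: additionally within the window
            if unchanged and (self.mode is Optimization.STANDARD or recent):
                self._entries[path] = (cached_write_time, digest, now)
                return digest
        self.hash_count += 1
        digest = hashlib.new(self.algorithm, data).hexdigest()
        self._entries[path] = (write_time, digest, now)
        return digest

def simulate(mode):
    """Replay a constructed execution sequence; return how many times the file was hashed."""
    clock = [1000.0]
    cache = ChecksumCache(mode, clock=lambda: clock[0])
    path = r"C:\Program Files (x86)\EventSentry\postgresql\bin\postgres.exe"
    cache.checksum(path, b"build-1", write_time=100)  # first execution: always hashed
    clock[0] += 3
    cache.checksum(path, b"build-1", write_time=100)  # 3 s later, same write time
    clock[0] += 60
    cache.checksum(path, b"build-1", write_time=100)  # 60 s later, same write time
    cache.checksum(path, b"build-2", write_time=101)  # file rewritten: write time changed
    return cache.hash_count
```

For this sequence `simulate` returns 4 for OFF, 2 for STANDARD and 3 for HIGH: the third execution is a cache hit only under standard optimization, because 60 s exceeds the 5-second window, and the rewritten file is re-hashed under every level.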

Enabling Process Tracking in the OS

Since process tracking needs to be enabled in the operating system, you can configure the agent to activate it automatically if it is not already activated. Please see requirements for more information.

Database

Select the database action which points to the correct database.

Additional Features

If the specified database is temporarily unavailable, then EventSentry will cache the pending process tracking data and run the transactions when the database server becomes available again.