
Process Tracking records all process activity (process creation and process exit) in a central database and is intended to monitor application usage on servers and workstations. The collected information can be queried through the web interface to obtain tracking data, history, statistics, etc.

 


Combined with Sysmon and NetFlow, the process tracking feature can provide powerful insights into process activity, including associated network activity, on monitored systems.

 

 


 

Requirements

This feature works by intercepting Audit Success events that are written to the security event log when Audit Process Tracking is enabled in the Local Security Policy of the monitored host. As such, some requirements need to be met before process tracking can function properly. Please see requirements for details.

 

Configuration

Tracking All Processes (with exceptions)

Select "Track all processes except those listed below" to monitor all processes. To exclude processes, click the + button and specify the process executable to exclude (see info box below).

 

Tracking only selected Processes

Select "Only track processes listed below" and click the + button to add processes that should be monitored to the list.

 


Processes need to be added either with a wildcard (e.g. *\postgres.exe) or by using the full path (e.g. C:\Program Files (x86)\EventSentry\postgresql\bin\postgres.exe).
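As an added illustration (not EventSentry's code), the following Python snippet models how the two modes and the two entry formats above decide which process-creation events are kept. The class, function and sample event names are assumptions for the example. Note that a wildcard such as *\postgres.exe matches that file name in any directory, so the full-path form is the stricter choice when the location of the executable matters.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical model of the two tracking modes on this page. Class and
# function names are assumptions for illustration, not EventSentry's own API.


@dataclass
class ProcessTrackingFilter:
    # True  -> "Track all processes except those listed below"
    # False -> "Only track processes listed below"
    track_all: bool
    # Entries are either wildcards (e.g. *\postgres.exe) or full paths
    patterns: List[str] = field(default_factory=list)

    def _is_listed(self, image_path: str) -> bool:
        # Windows paths are case-insensitive, so compare in lower case.
        path = image_path.lower()
        for pattern in self.patterns:
            p = pattern.lower()
            if "*" in p or "?" in p:
                # fnmatch's '*' also spans backslashes, so *\postgres.exe
                # matches that file name in ANY directory (a broad match;
                # prefer full paths when the location matters).
                if fnmatch.fnmatchcase(path, p):
                    return True
            elif path == p:
                # Full path entry: exact (case-insensitive) comparison
                return True
        return False

    def should_track(self, image_path: str) -> bool:
        listed = self._is_listed(image_path)
        return not listed if self.track_all else listed


def tracked_images(flt: ProcessTrackingFilter, events: List[Dict[str, str]]) -> List[str]:
    """Return the image paths of the constructed events the filter keeps."""
    return [e["image"] for e in events if flt.should_track(e["image"])]


# Constructed sample of process-creation events (not real log data).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\EventSentry\postgresql\bin\postgres.exe"},
    {"image": r"C:\Windows\System32\conhost.exe"},
    {"image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Users\alice\Downloads\postgres.exe"},
]

if __name__ == "__main__":
    only_pg = ProcessTrackingFilter(track_all=False, patterns=[r"*\postgres.exe"])
    print(tracked_images(only_pg, SAMPLE_EVENTS))
```

Running the block with the wildcard entry keeps both postgres.exe images, including the one in a user's Downloads folder; replacing the wildcard with the full path keeps only the EventSentry copy.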

 

Include command line

Captures the command line of processes when enabled. The process command line is either parsed from event 4688 if configured in the OS and present (search for "Process Command Line" here for more details) or queried from the running process. The latter will only work if the process is still running when the agent attempts to obtain this information, and may not work for processes that are only active for a very short amount of time (e.g. less than 1 second).

 


Performance Warning: If the process command line is not available in event 4688, EventSentry may use WMI to obtain it. This can incur a significant performance penalty, especially on systems with high process activity.

 


Security Warning: Use this option with care: command line arguments may include sensitive information such as usernames and passwords.
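The command line handling described above, as an added example that is not EventSentry's code: it parses a constructed 4688 event in the Windows event XML layout, reports when the CommandLine field is empty (the case where the agent would have to query the running process), and masks obvious password arguments before the value is stored or displayed. The field names follow the 4688 event schema; the template, the helper names and the redaction pattern are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed 4688 event template (not real log data). The CommandLine field is
# only populated when the OS is configured to include it; otherwise it is empty.
TEMPLATE_4688 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4688</EventID>
    <Computer>ws01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">svc_backup</Data>
    <Data Name="NewProcessId">0x1a2c</Data>
    <Data Name="NewProcessName">C:\Tools\backup.exe</Data>
    <Data Name="CommandLine">{CMDLINE}</Data>
  </EventData>
</Event>"""


def make_4688(cmdline: str) -> str:
    """Build a constructed 4688 event carrying the given command line."""
    return TEMPLATE_4688.replace("{CMDLINE}", cmdline)


def parse_4688(xml_text: str) -> Dict[str, str]:
    """Return the EventData fields of a 4688 event as a name -> value dict."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        raise ValueError("not a process creation (4688) event")
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def command_line_for(event: Dict[str, str]) -> Optional[str]:
    """None when the OS did not write the command line into the event."""
    return event.get("CommandLine", "") or None


# Illustrative pattern (an assumption): common password switches followed by a value.
SENSITIVE_ARG = re.compile(
    r"(?i)((?:(?:--?|/)(?:password|passwd|pwd|pass)|-P)\s*[=: ]\s*)(\S+)")


def redact(cmdline: str) -> str:
    """Mask the value after a password-style switch, keeping the switch itself."""
    return SENSITIVE_ARG.sub(r"\1***", cmdline)


def tracking_record(xml_text: str) -> Dict[str, object]:
    """What a tracking database row built from the event could look like."""
    ev = parse_4688(xml_text)
    cmd = command_line_for(ev)
    return {
        "image": ev.get("NewProcessName"),
        "pid": int(ev.get("NewProcessId", "0x0"), 16),
        "user": ev.get("SubjectUserName"),
        "command_line": redact(cmd) if cmd else None,
        # True means the agent would have to ask the live process instead,
        # which fails for processes that exit within a fraction of a second.
        "needs_live_query": cmd is None,
    }


if __name__ == "__main__":
    sample = r'"C:\Tools\backup.exe" --user svc_backup --password Hunter2 --target \\fs01\share'
    print(tracking_record(make_4688(sample)))
    print(tracking_record(make_4688("")))
```

The redaction pattern is deliberately simple; in practice the list of switches to mask depends on the tools in use, and a record with needs_live_query set is the case where the performance warning above applies.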

 

Sysmon network events

EventSentry can be integrated with the Sysmon v7.x utility from Windows Sysinternals.

 

Checksum

When enabled, calculates the specified type of checksum (SHA-256, SHA-384 or SHA-512) of every executed process and makes it available in the reporting. Checksums can be correlated with sites like virustotal.com.

 

It is recommended to enable optimization to reduce the potential CPU load the EventSentry agent places on the monitored system; disable the optimization in high security environments. When optimization is enabled, the agent temporarily caches the checksums of frequently executed processes. Standard optimization uses the cached checksum if the file's write time has not changed since the last time a checksum was generated; high optimization uses the cached checksum if the same file was executed within the last 5 seconds and the write time has not changed.
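An added example (not EventSentry's implementation) of the caching rules described above, with the hit conditions following the page's wording literally: standard reuses a cached checksum while the file's write time is unchanged, high additionally requires the same file to have been executed within the last 5 seconds, and none always re-hashes, which is the behaviour wanted in high security environments because the write time is file metadata and not proof that the content is unchanged. Class and function names are assumptions.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical re-creation of the checksum cache and its optimization levels
# as described on this page; names and structure are assumptions, not
# EventSentry's implementation.

CACHE_WINDOW_SECONDS = 5.0          # "high" optimization window from the page
SUPPORTED = ("sha256", "sha384", "sha512")


@dataclass
class CacheEntry:
    digest: str
    write_time: float               # file write time when the checksum was taken
    computed_at: float              # clock time when the checksum was taken


class ProcessChecksumCache:
    def __init__(self, algorithm: str = "sha256", optimization: str = "standard"):
        if algorithm not in SUPPORTED:
            raise ValueError(f"algorithm must be one of {SUPPORTED}")
        if optimization not in ("none", "standard", "high"):
            raise ValueError("optimization must be none, standard or high")
        self.algorithm = algorithm
        self.optimization = optimization
        self._cache: Dict[str, CacheEntry] = {}
        self.hash_count = 0         # how often a file was actually read and hashed

    def _hash_file(self, path: str) -> str:
        h = hashlib.new(self.algorithm)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        self.hash_count += 1
        return h.hexdigest()

    def _cache_hit(self, entry: CacheEntry, write_time: float, now: float) -> bool:
        if self.optimization == "none":
            return False            # high-security setting: always re-hash
        if write_time != entry.write_time:
            return False            # file changed on disk: never reuse
        if self.optimization == "standard":
            return True
        # "high": the same file must also have been executed within the window
        return (now - entry.computed_at) <= CACHE_WINDOW_SECONDS

    def checksum(self, path: str, now: Optional[float] = None) -> str:
        """Checksum of the image at `path`, served from the cache when allowed."""
        now = time.time() if now is None else now
        key = os.path.normcase(os.path.abspath(path))
        write_time = os.stat(path).st_mtime
        entry = self._cache.get(key)
        if entry is not None and self._cache_hit(entry, write_time, now):
            return entry.digest
        digest = self._hash_file(path)
        self._cache[key] = CacheEntry(digest, write_time, now)
        return digest


def demo() -> Dict[str, object]:
    """Exercise all three levels on a constructed executable in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "proc.exe")
        content = b"MZ" + b"\x00" * 64     # constructed stand-in for a PE image
        with open(path, "wb") as f:
            f.write(content)
        expected = hashlib.sha256(content).hexdigest()

        std = ProcessChecksumCache("sha256", "standard")
        std.checksum(path, now=100.0)
        std.checksum(path, now=900.0)            # hit: write time unchanged
        std_before_touch = std.hash_count
        os.utime(path, (1_000_000_000, 1_000_000_000))   # write time changes
        std.checksum(path, now=901.0)            # miss: re-hash

        high = ProcessChecksumCache("sha256", "high")
        high.checksum(path, now=100.0)
        high.checksum(path, now=103.0)           # hit: within 5 seconds
        high_within = high.hash_count
        high.checksum(path, now=110.0)           # miss: window expired

        none = ProcessChecksumCache("sha256", "none")
        none.checksum(path)
        none.checksum(path)                      # always re-hashed

        return {
            "digest_ok": std.checksum(path, now=902.0) == expected,
            "standard": (std_before_touch, std.hash_count),
            "high": (high_within, high.hash_count),
            "none": none.hash_count,
        }


if __name__ == "__main__":
    print(demo())
```

demo() returns the number of real hash computations per level: standard hashes once until the write time changes, high hashes again once the 5 second window has passed, and none hashes on every execution.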

 

Enabling Process Tracking in the OS

Since process tracking needs to be enabled in the operating system, you can configure the agent to activate it automatically if it isn't already activated. Please see requirements for more information.

 

Database

Select the database action which points to the correct database.

 

Additional Features

If the specified database is temporarily unavailable, then EventSentry will cache the pending process tracking data and run the transactions when the database server becomes available again.