Process Tree Dashboard
uberAgent ESA assigns each process a GUID. Such a unique ID is necessary because the operating system’s process IDs are reused. By leveraging process GUIDs, uberAgent can track processes throughout their lifetime, from the start (sourcetype uberAgent:Process:ProcessStartup) to the end (sourcetype uberAgentESA:Process:ProcessStop) as well as during the runtime (sourcetype
uberAgent ESA not only identifies unique process instances; it also keeps track of parent-child relationships. All process start and stop events include names and GUIDs of the parent process.
A process tree is an essential tool for understanding process creation behavior. uberAgent ESA comes with a powerful Process Tree dashboard that makes it easy to identify a process’ descendants, listing important process properties such as the process lifetime, the command line, the elevation status, or the name and version of the application the process is a part of. Additionally, the number of child processes is calculated: both the direct children and, recursively, all of their children.
Selecting any process in the tree makes it the new root, and the table updates to show its child processes. This makes it possible to browse through process hierarchies.
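The following is an added example, not uberAgent's code or event schema: it builds a process tree from constructed start events and shows why parent-child links must be keyed on the process GUID rather than the reused operating system PID. The field names (`guid`, `parent_guid`, `pid`, `ppid`, `name`) and all sample values are assumptions made for illustration.

```python
# Constructed sample start events. PID 4120 is reused: first by winword.exe,
# later by an unrelated notepad.exe. Field names are hypothetical.
EVENTS = [
    {"guid": "g-1", "parent_guid": None,  "pid": 900,  "ppid": 4,    "name": "explorer.exe"},
    {"guid": "g-2", "parent_guid": "g-1", "pid": 4120, "ppid": 900,  "name": "winword.exe"},
    {"guid": "g-3", "parent_guid": "g-2", "pid": 5000, "ppid": 4120, "name": "cmd.exe"},
    {"guid": "g-4", "parent_guid": "g-3", "pid": 5010, "ppid": 5000, "name": "powershell.exe"},
    {"guid": "g-5", "parent_guid": "g-1", "pid": 4120, "ppid": 900,  "name": "notepad.exe"},
    {"guid": "g-6", "parent_guid": "g-5", "pid": 5200, "ppid": 4120, "name": "splwow64.exe"},
]


def build_children(events, id_key, parent_key):
    """Map each parent identifier to the list of its direct children."""
    children = {}
    for ev in events:
        if ev[parent_key] is not None:
            children.setdefault(ev[parent_key], []).append(ev[id_key])
    return children


def count_descendants(children, root):
    """Return (direct children, all descendants) for the chosen root."""
    direct = len(children.get(root, []))
    seen, stack = set(), list(children.get(root, []))
    while stack:
        node = stack.pop()
        if node in seen:  # guard against duplicate or cyclic links
            continue
        seen.add(node)
        stack.extend(children.get(node, []))
    return direct, len(seen)


if __name__ == "__main__":
    by_guid = build_children(EVENTS, "guid", "parent_guid")
    by_pid = build_children(EVENTS, "pid", "ppid")
    names = {ev["guid"]: ev["name"] for ev in EVENTS}

    # Re-rooting the tree is just picking a different GUID as the root.
    for root in ("g-1", "g-2", "g-5"):
        print(names[root], count_descendants(by_guid, root))

    # Keyed on PID, winword.exe and notepad.exe collapse into one node, so
    # cmd.exe and powershell.exe appear under whichever process held PID 4120.
    print("PID 4120 (ambiguous)", count_descendants(by_pid, 4120))
```

Keyed on GUID, winword.exe owns the cmd.exe and powershell.exe chain and notepad.exe owns only splwow64.exe; keyed on PID, the two parents are indistinguishable and the counts are merged.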