Environment
- EDR( formerly CB Response) Server: All Versions
- EDR Sensor: All Versions
- Linux: All Supported Versions
- Microsoft Windows: All Supported Versions
- Apple macOS: All Supported Versions
Question
Why are some processes listed as (unknown) in the process tree?
Answer
This is a technical limitation of the sensor. Potential causes include:
- Processes that are already running prior to Sensor startup will be missing ProcessStart data and shows as unknown
- Sensor sends malformed event messages to server
- Server purges first segment of long running process after MaxEventStoreDays (pre-6.x sensor only)
- Server is shutdown while event data is being processed in datastore
Additional Notes
- The 6.3 Windows sensor addresses multiple data integrity issues that cause a running process to appear as unknown
- Despite the items listed, EDR still typically captures 99.9% of all events that occur
- However, for the 0.1% dropped, the Console UI renders these as Unknown Processes
Related Content
