All SIEM triggered alerts do the same for Endpoint injected events. Detect and Prevent should be clearly marked. In this example "Suspicious WMI Image Load from MS Office" is going to be used.
It clearly calls out Terminated Process which is not the case at all. No events happen in detect other then flagging the event.
This can and is misleading to anyone that see it. If the agent that sends the event is in detect not prevent this should be marked clearly as it's not a terminated process but an action that WOULD have been taken.
The snip was from my own workstation and Excel has not been closed by anything except me. Looking at the time stamps the file that it is referencing I know wasn't closed at all as it was open and actively being worked on for over an hour.
Showing a process as terminated in analyzer is not intended to be associated with the detect or prevention capabilities of endpoint, as this view can be used with any underlying data with certain fields defined, such as winlog beat events. Since it sounds like you closed excel eventually, the analyze event view will grab all process events in the time range you have selected on the page, and show a process as terminated if a corresponding termination event exists at any point in that time range. In other words, the color of the process icon is showing the last known state of each, not the state at the time of an alert, as child processes could take an unknown amount of time to do things, and the view includes as much information as possible by default. If you change the time range on the page to filter out the termination event and have the upper bound to when excel was still running, it should filter out the termination event. In prevent mode, the process will never run and generate an event, and so won't be shown in this view.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
