Parent process information is missing for Firefox IPS events in Symantec Endpoint Detection and Response
Article ID: 189587
Products
Endpoint Detection and Response
Issue/Introduction
When reviewing an Incident for a detection related to Firefox activity, the Incident does not show Process Lineage information for the parent's PID (Process ID).
Cause
This is due to how Firefox is launched. Firefox launches as a root process, so it has no parent process. Chrome and IE/Edge by default launch from the explorer.exe process.
Resolution
This is by design. The SEP client can only provide SEDR with event information for the actor when the event involves Firefox activity.