
Parent process information is missing for Firefox IPS events in Symantec Endpoint Detection and Response


Article ID: 189587


Products

Endpoint Detection and Response

Issue/Introduction

When reviewing an Incident for a detection related to Firefox activity, the Incident does not show Process Lineage information for the parent's PID (Process ID).

Cause

This is due to how Firefox is launched. Firefox launches as a root process, so it has no parent process. Chrome and IE/Edge by default launch from the explorer.exe process.

Resolution

This is by design. The SEP client can only provide SEDR with event information for the actor when the event involves Firefox activity.
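
To confirm on a Windows endpoint what the Cause section describes, the following PowerShell check lists running browser processes and reports whether each one's recorded parent PID still resolves to a live process. It is an added example, not Symantec code; the list of browser executable names and the output column names are assumptions.

```powershell
# Added example (not from the vendor): compare parent lineage of browser processes.
# Assumption: these are the browser image names of interest on this endpoint.
$browsers = 'firefox.exe', 'chrome.exe', 'msedge.exe', 'iexplore.exe'

# Snapshot every process once and index the snapshot by process ID.
$all   = Get-CimInstance -ClassName Win32_Process
$index = @{}
foreach ($p in $all) { $index[[uint32]$p.ProcessId] = $p }

$report = foreach ($proc in $all | Where-Object { $browsers -contains $_.Name }) {
    # ParentProcessId is recorded at creation time and is never updated,
    # so it can point at a process that has since exited.
    $parent = $index[[uint32]$proc.ParentProcessId]

    # Windows reuses PIDs: a "parent" created after the child is an unrelated
    # process that received the same number, so treat it as missing.
    if ($parent -and $parent.CreationDate -gt $proc.CreationDate) { $parent = $null }

    [pscustomobject]@{
        Name       = $proc.Name
        PID        = $proc.ProcessId
        Started    = $proc.CreationDate
        ParentPID  = $proc.ParentProcessId
        ParentName = if ($parent) { $parent.Name } else { '<no live parent>' }
        HasLineage = [bool]$parent
    }
}

# Child processes of a multi-process browser list the main browser process as
# their parent; the row to compare is the earliest-started one per browser.
$report | Sort-Object Name, Started | Format-Table -AutoSize
```

A top-level browser row with `HasLineage` set to `False` is the case in which the Incident has no parent PID to display.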