EDR: “(Unknown)” Events in Process Search Results

Article ID: 288264


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Occasionally a process will appear in search results with the name "(unknown)".
  • The process graph may show the parent as "top".
  • The Process Start Time is close to 1969-12-31T23:59:59:999Z.
  • The PID is -1.

Environment

  • EDR Server: All Versions

Cause

"(Unknown)" events appearing in a Process Search are expected. An "(Unknown)" process was already running at the time the sensor was installed on the host.

Resolution

  • Because the sensor did not observe the start and execution of these processes, not all of the metadata, such as the process name or start time, is available. As a result the process is shown as "(Unknown)" and its Start Time is inaccurate.
  • Often these "(Unknown)" processes will spawn children after the sensor is running. The child processes may contain metadata about the "(Unknown)" parent, such as parent_name, that can provide additional insight during an investigation.
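The following added example (not part of the article or the Carbon Black product) shows how an analyst script could triage such results: it flags process documents that match the fingerprint described above (name "(unknown)", PID -1, start time before the Unix epoch) and recovers a likely name for each from the parent_name field of its children. The sample documents are constructed, and all field names except parent_name are assumed to mirror the EDR process search schema.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample of EDR process documents (assumed field names; only
# parent_name is named by the article). The first entry is a pre-sensor process.
SAMPLE_PROCESSES = [
    {"unique_id": "h1-unk", "process_name": "(unknown)", "process_pid": -1,
     "start": "1969-12-31T23:59:59.999Z", "parent_name": "top", "parent_unique_id": None},
    {"unique_id": "h1-1234", "process_name": "cmd.exe", "process_pid": 1234,
     "start": "2024-03-01T10:15:00.000Z", "parent_name": "services.exe", "parent_unique_id": "h1-unk"},
    {"unique_id": "h1-1300", "process_name": "conhost.exe", "process_pid": 1300,
     "start": "2024-03-01T10:15:01.000Z", "parent_name": "services.exe", "parent_unique_id": "h1-unk"},
    {"unique_id": "h1-2000", "process_name": "chrome.exe", "process_pid": 2000,
     "start": "2024-03-01T11:00:00.000Z", "parent_name": "explorer.exe", "parent_unique_id": "h1-1500"},
]

def parse_start(value):
    """Parse an ISO 8601 start timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_pre_sensor_process(doc):
    """True when the document matches the article's fingerprint for a process that was
    already running at sensor install: name '(unknown)', PID -1, start before the epoch."""
    return ((doc.get("process_name") or "").lower() == "(unknown)"
            and doc.get("process_pid") == -1
            and parse_start(doc["start"]) < EPOCH)

def enrich_unknown_parents(docs):
    """Recover a likely name for each pre-sensor process from its children's parent_name.
    Returns {unique_id: {"likely_name": str|None, "children": [names], "votes": Counter}}."""
    unknown = {d["unique_id"]: d for d in docs if is_pre_sensor_process(d)}
    children = defaultdict(list)
    for d in docs:
        if d.get("parent_unique_id") in unknown:
            children[d["parent_unique_id"]].append(d)
    result = {}
    for uid in unknown:
        # Children observed after the sensor started carry the parent's real name.
        votes = Counter(c["parent_name"] for c in children[uid] if c.get("parent_name"))
        result[uid] = {
            "likely_name": votes.most_common(1)[0][0] if votes else None,
            "children": [c["process_name"] for c in children[uid]],
            "votes": votes,
        }
    return result

if __name__ == "__main__":
    for uid, info in enrich_unknown_parents(SAMPLE_PROCESSES).items():
        print(uid, "->", info["likely_name"], "children:", info["children"])
```

A pre-sensor process with no children after install yields likely_name None, which is the case the article says cannot be resolved from the search results alone.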