The information returned by a Flight Recorder Search is intended for retrospective analysis and investigation, and for identifying which of your endpoints ran, or are otherwise related to, the processes you searched for. The results inform your decision about the right response for your business environment. They are displayed in the Types of Events bar graph and in a corresponding list of processes in the Endpoints Process table.
NOTICE - By default, Flight Recorder data retention is disabled. Enable this feature by selecting Flight Recorder Search checkboxes for each supported OS in Endpoint Detection and Response policy settings.
Types of Events graph
The Types of Events bar graph shows the total number of occurrences of your search query across the search time frame you specified. The color-coded bars show which event types were found by the query. Hover your cursor over a bar to see the total count of that event type on your endpoints. Events are broken down into:
- Process: Shown as dark blue.
- Registry: Shown as yellow.
- FileSystem: Shown as blue.
- Network: Shown as orange.
- Script Activity: Shown as light blue.
- Network Event: Shown as pink.
Endpoints Process
The Endpoints Process section shows more detailed information about the events detected on endpoints to inform your decision making. You can check the boxes next to a process or file and select the Isolate Endpoint(s) action from the top-right Actions drop-down menu if you think they are a risk to your network. You can also select Remove Isolation from the same drop-down.
You can also perform the Check Virus Total or Upload File action for any process or file from this window. These actions submit the file to the sandbox analysis section for review. For more information, see Sandbox Analysis in Nebula.
The Process section displays the following information:
- Process Path: The name and location of the process found by the Flight Recorder. Click a process path to view a visual representation of the selected process. Each node is selectable with slide-out details, including Raw Event info. This shows details just like the Process Graph for Suspicious Activity Details. For information on the Process Graph, see Suspicious Activity Details in Malwarebytes Endpoint Detection and Response.
- Endpoint: The name of the endpoint.
- First Seen: Shows a time stamp when the event was first detected.
- Last Seen: Shows a time stamp when the event was last detected.
- PID: The unique number that identifies each running process on an endpoint.
- Events: Shows the different types of events found by Flight Recorder. Hover your cursor over the color-coded icons to see the number of each event type. Colors correspond with the Types of Events graph.
- User Account: The last user signed into the endpoint.
- Status: Status of the endpoint, such as whether a scan is needed or remediation is required.
- Actions: Available actions which can be performed on the endpoint. See the top section for more information.
- Group: Shows the endpoint's group.
- MD5: The MD5 cryptographic hash value of the file, if applicable.
- OS Platform: Shows the operating system of the endpoints in the results list.
- Policy: Shows the endpoint's policy.
- SHA1: The SHA1 cryptographic hash value of a file, if applicable.
- SHA256: The SHA256 cryptographic hash value of a file, if applicable.
- SHA512: The SHA512 cryptographic hash value of a file, if applicable.
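The four hash columns are what you compare against a copy of the binary pulled from the endpoint or from your own software repository, and against what VirusTotal or the sandbox reports for the same file. The following Python is an added example and is not part of Malwarebytes' documentation or product: it computes all four digests in one pass over the file and compares them with a record shaped like the hash columns of a table row. Because a column is only populated "if applicable", a missing value is reported as such rather than treated as a mismatch, and hex digests are compared case-insensitively since different tools print them in different case. The sample content and the "reported" row are constructed for the demonstration; the column names are the only thing taken from the table above.

```python
import hashlib
import io
import os
import tempfile

# The hash columns shown in the Endpoints Process table.
HASH_ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def compute_hashes(stream, chunk_size=1 << 20):
    """Compute MD5, SHA1, SHA256 and SHA512 of a binary stream in one pass.

    Reading in chunks keeps memory flat for large binaries, and feeding each
    chunk to all four hashers avoids re-reading the file four times.
    """
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for content already held in memory."""
    return compute_hashes(io.BytesIO(data))


def hash_file(path):
    """Hash a file on disk, e.g. a binary copied off the endpoint."""
    with open(path, "rb") as fh:
        return compute_hashes(fh)


def compare_with_reported(computed, reported):
    """Compare computed digests with the hash columns of a result row.

    `reported` is keyed by the column names from the table (MD5, SHA1,
    SHA256, SHA512). An empty or missing column means the console had no
    value ("if applicable"), so it is reported as such instead of being
    counted as a mismatch. Hex digests are compared case-insensitively.
    """
    outcome = {}
    for name in HASH_ALGORITHMS:
        reported_value = (reported.get(name.upper()) or "").strip().lower()
        if not reported_value:
            outcome[name] = "not reported"
        elif reported_value == computed[name]:
            outcome[name] = "match"
        else:
            outcome[name] = "MISMATCH"
    return outcome


def demo():
    """Write a constructed sample file and check it against a constructed row.

    The row is built so that every outcome appears once: MD5 correct but in
    upper case, SHA1 deliberately altered, SHA256 correct, SHA512 absent.
    """
    # Constructed sample content; stands in for a binary pulled from the endpoint.
    sample_content = b"abc"
    # Constructed row shaped like the hash columns of the Endpoints Process table.
    reported_row = {
        "MD5": "900150983CD24FB0D6963F7D28E17F72",
        "SHA1": "0000000000000000000000000000000000000000",
        "SHA256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
        "SHA512": "",
    }
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample_content)
        path = tmp.name
    try:
        return compare_with_reported(hash_file(path), reported_row)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for algorithm, result in demo().items():
        print(f"{algorithm.upper():7s} {result}")
```

A single MISMATCH on a file whose other digests match is not a normal outcome: either the row was transcribed incorrectly or the copy you are hashing is not the file Flight Recorder observed, so resolve that before submitting the hash to VirusTotal or treating the sandbox verdict as applying to your file.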