Process Tree Visualization
The process tree view provides an interactive, hierarchical visualization of all running processes on an endpoint. Unlike commercial EDR products that show static snapshots, AuroraSOC's process tree is real-time and AI-annotated.
Features
Interactive Hierarchy
- Expand/collapse individual process branches
- Click to select and view detailed process information
- Search/filter by process name, PID, or command line
- Real-time updates via gRPC streaming (processes appear as they spawn)
Risk Indicators
Each process node displays:
- Risk score (0-100) with color-coded badges
- MITRE ATT&CK technique badges when techniques are associated
- Process state indicator (Running, Sleeping, Zombie, Stopped)
Detail Panel
Selecting a process reveals:
- Full command line
- Executable path
- Working directory
- UID/GID
- Start time
- Risk explanation from the AI agent
Kill-Chain Coloring
Processes are color-coded by kill-chain stage when MITRE-tagged:
- 🟡 Reconnaissance (yellow)
- 🟠 Exploitation (orange)
- 🔴 Lateral Movement (red)
- 🔴 Exfiltration (dark red)
How It Works
- The EDR sensor daemon collects process information from `/proc` (Linux) or ETW (Windows)
- The `LocalManagement` gRPC service exposes the process tree via `GetProcessTree`
- The iced GUI or web console renders the tree with risk annotations
- The Endpoint Security agent can annotate processes with risk verdicts and MITRE techniques
Usage
In the iced GUI
Navigate to Processes in the sidebar. The tree loads automatically from the local sensor.
In the Operator Console
Navigate to EDR → Endpoints → [endpoint] → Processes tab. The tree loads from the backend API.
Filtering
- Type in the search box to filter by process name or PID
- The filter applies to all levels of the hierarchy
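As an added example for the "How It Works" and "Filtering" sections (not code from the AuroraSOC project; its real `GetProcessTree` types are not reproduced here), this Rust sketch builds the hierarchy from a flat `/proc`-style listing, applies a filter across all levels by keeping the ancestors of every matching node, and lets a collapsed branch surface the highest risk score beneath it. `ProcInfo`, `Node` and the sample records are constructed for illustration.

```rust
use std::collections::HashMap;
/// Flat record as the sensor would emit it (constructed shape, not the project's real
/// ProcessTreeResponse type); `risk` is the page's 0-100 score.
#[derive(Clone, Debug)]
pub struct ProcInfo { pub pid: u32, pub ppid: u32, pub name: String, pub risk: u8 }

/// Tree node: one process plus its children.
#[derive(Debug)]
pub struct Node { pub info: ProcInfo, pub children: Vec<Node> }

/// Group records by parent PID, then assemble the tree below `root_pid`.
pub fn build_tree(procs: &[ProcInfo], root_pid: u32) -> Option<Node> {
    let mut by_parent: HashMap<u32, Vec<&ProcInfo>> = HashMap::new();
    for p in procs { by_parent.entry(p.ppid).or_default().push(p); }
    let root = procs.iter().find(|p| p.pid == root_pid)?;
    Some(assemble(root, &by_parent))
}

fn assemble(p: &ProcInfo, by_parent: &HashMap<u32, Vec<&ProcInfo>>) -> Node {
    let children: Vec<Node> = by_parent.get(&p.pid).map_or_else(Vec::new, |kids| {
        kids.iter()
            .filter(|k| k.pid != p.pid) // guard: a self-parented record (e.g. pid 0) must not recurse
            .map(|k| assemble(k, by_parent))
            .collect()
    });
    Node { info: p.clone(), children }
}

/// Hierarchy-aware filter: keep a node if it matches the query (name substring or exact
/// PID) or if any descendant does, so every match stays reachable from the root.
pub fn filter(node: &Node, query: &str) -> Option<Node> {
    let hit = node.info.name.contains(query)
        || query.parse::<u32>().map_or(false, |pid| pid == node.info.pid);
    let kept: Vec<Node> = node.children.iter().filter_map(|c| filter(c, query)).collect();
    (hit || !kept.is_empty()).then(|| Node { info: node.info.clone(), children: kept })
}

/// Highest risk in a subtree, so a collapsed branch can still show a badge.
pub fn subtree_max_risk(node: &Node) -> u8 {
    node.children.iter().map(subtree_max_risk).fold(node.info.risk, u8::max)
}

/// Constructed sample: a shell under sshd that launched an interpreter flagged by the agent.
pub fn sample() -> Vec<ProcInfo> {
    let p = |pid, ppid, name: &str, risk| ProcInfo { pid, ppid, name: name.into(), risk };
    vec![p(1, 0, "systemd", 0), p(120, 1, "sshd", 5), p(300, 120, "bash", 20),
         p(301, 300, "python3", 65), p(400, 1, "cron", 2)]
}
```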
Comparison
| Feature | CrowdStrike | SentinelOne | AuroraSOC |
|---|---|---|---|
| Real-time updates | ❌ Static | ❌ Static | ✅ Live streaming |
| AI annotations | ❌ | ❌ | ✅ Risk + MITRE |
| Risk scoring | Basic | Good | ✅ Explainable |
| Click to investigate | ❌ | ❌ | ✅ Agent dispatch |
| Air-gapped | ❌ | ❌ | ✅ |
API
```
GET /api/v1/edr/investigation/{sensor_id}/process-tree
    ?pid_filter=<pid>
    &name_filter=<name>
```
Returns a `ProcessTreeResponse` with hierarchical process data.