Terminating processes

May 15, 2024

ID 262378

The Terminate process response action allows you to remotely terminate processes on devices. You can run the Terminate process response action for observables or assets.

You can run the Terminate process response action in one of the following ways:

  • From alert or incident details
  • From device details
  • From an investigation graph

You can also configure the response action to run automatically when creating or editing a playbook.

To run the Terminate process response action, you must have one of the following XDR roles: Main administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, Tenant administrator.

It might take up to 15 minutes to launch a response action due to the synchronization interval between the managed device and Administration Server.

Running the Terminate process for observables

To run the Terminate process for observables:

  1. Do one of the following:
    • In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the link with the alert ID you need.
    • In the main menu, go to Monitoring & reporting → Incidents. In the ID column, click the link with the incident ID you need.
  2. In the window that opens, go to the Observables tab.
  3. In the list of observables, select one or several observables for which you want to terminate the process. The observables may include:
    • MD5
    • SHA256
  4. Click the Terminate process button.
  5. In the Terminate process pane that opens, select assets for which you want to terminate the process.
  6. Click the Terminate button.

The process is terminated.

Running the Terminate process for assets

To run the Terminate process for assets:

  1. Do one of the following:
    • In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the link with the alert ID you need.
    • In the main menu, go to Monitoring & reporting → Incidents. In the ID column, click the link with the incident ID you need.
  2. In the window that opens, go to the Assets tab.
  3. In the list of assets, select one or several devices you need.
  4. Click the Select response action button, and then click Terminate process.
  5. In the Terminate process pane that opens, specify one of the following parameters:
    • PID. ID of the process.

      For the Terminate process by PID response action with fixed scope, if the assets of the response action belong to the same Administration Server, you can run this response action for only one asset at a time.

      For the Terminate process by PID response action with modifiable scope, you cannot run this response action.

    • Hash (MD5 or SHA256 hash algorithm) and Path to the process file.
  6. Click the Terminate button.

The process is terminated.
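The two parameter forms above (a PID, or a hash together with the path to the process file) and the one-asset-at-a-time rule for PID, as an added example that is not Kaspersky's code: a stand-alone Python script that works out which processes the action would touch against an assumed per-device process inventory (the `ProcessInfo` records and `SAMPLE_INVENTORY` are constructed for illustration) and signals them only on the local host.

```python
import hashlib
import os
import signal
from collections import namedtuple

# One running process as reported by a device (assumed inventory format).
ProcessInfo = namedtuple("ProcessInfo", "pid exe_path md5 sha256")

def file_hashes(path):
    """MD5 and SHA256 hex digests of an executable on disk, i.e. the observables."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def select_targets(inventory, pid=None, file_hash=None, path=None):
    """Return [(asset, pid)] the action would terminate; inventory is {asset: [ProcessInfo]}."""
    if pid is not None:
        # A PID only identifies a process on one device, hence the single-asset rule.
        if len(inventory) != 1:
            raise ValueError("Terminate by PID requires exactly one asset")
        return [(a, p.pid) for a, procs in inventory.items() for p in procs if p.pid == pid]
    if not file_hash or not path:
        raise ValueError("Terminate by hash requires both the hash and the path")
    h = file_hash.lower()
    field = {32: "md5", 64: "sha256"}.get(len(h))  # digest length picks the algorithm
    if field is None:
        raise ValueError("Hash must be an MD5 (32 hex) or SHA256 (64 hex) digest")
    # Both identifiers must match: the same path running another build, or the same
    # binary at another path, is left alone (exact path comparison is a simplification).
    return [(a, p.pid) for a, procs in inventory.items() for p in procs
            if p.exe_path == path and getattr(p, field).lower() == h]

def terminate_local(pids, dry_run=True):
    """Send SIGTERM on this host to the selected PIDs; dry_run only lists them."""
    for p in pids:
        if not dry_run:
            os.kill(p, signal.SIGTERM)
    return list(pids)

# Constructed sample inventory (not real data): host-a runs two builds at the
# same path; host-b runs the same binary from a different path and reuses PID 4242.
SAMPLE_INVENTORY = {
    "host-a": [ProcessInfo(4242, r"C:\Windows\Temp\svc.exe", "1" * 32, "a" * 64),
               ProcessInfo(5100, r"C:\Windows\Temp\svc.exe", "2" * 32, "b" * 64)],
    "host-b": [ProcessInfo(4242, r"C:\Users\Public\svc.exe", "1" * 32, "a" * 64)],
}
```

Running `select_targets(SAMPLE_INVENTORY, pid=4242)` raises, because PID 4242 exists on both devices and means two different processes; narrowing the inventory to one asset makes the same call succeed.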

Running the Terminate process from an investigation graph

This option is available only after the investigation graph has been built.

To run the Terminate process from an investigation graph:

  1. In the main menu, go to Monitoring & reporting → Incidents. In the ID column, click the link with the incident ID you need.
  2. In the Incident details window that opens, click the View on graph button.

    The Investigation graph window opens.

  3. Click the name of the alert you need, and then click View details.
  4. In the window that opens, go to the Observables tab.
  5. In the list of observables, select one or several observables for which you want to terminate the process. The observables may include:
    • MD5
    • SHA256
  6. Click the Terminate process button.
  7. In the Terminate process pane that opens, select assets for which you want to terminate the process.
  8. Click the Terminate button.

The process is terminated.
