Mapping Applications

You may have noticed lists of running processes, installed applications, and unfamiliar terms like “application context”. This document explains how the product maps running processes to the higher-level software/applications installed on a device. The process is similar for both Linux and Windows devices.

Definitions:


Application Context: this is the application that we have mapped a process as running within. For Linux devices (Generic Servers) we also include the description of the application in parentheses in this field. This corresponds to src and dest app context in connectivity data AND Application Group on the Search Applications & Processes page.

Pro tip: if you search for a context of “installed” you will see which applications were pulled from the registry.

Name: the executable, stripped of the command line information. This corresponds to src and dest app name in connectivity data AND Application Name on the Search Applications & Processes page.

Instance: we can pull the custom name of the application from the command line of a few applications (e.g. Microsoft IIS).

Version: this is the version of the application collected from the registry. This will display as unknown if we are not able to successfully map the running process to the registry.

Available Reports


This data is available for reporting and exploration in several areas. The main ones are:

  1. Assets: when clicking to view the details of an individual device you will see a table reporting on these areas.

  2. Device Details: this is specific to an individual device and can be found through either right-clicking a device on a visualization or visiting the page directly.

  3. Search Applications & Processes: this page is useful for doing broad searching across the environment. You can search for either servers that match the search term or the specific application data that matches.

  4. ApplicationStackProcess: this report is available in the “Available Reports” section. This is the best report for a consolidated export of all collected application data. You also have more filtering functionality within this report.

The Mapping Process


  1. Pull the registry (or rpm) list of installed programs from the system. The key fields pulled for this purpose are install path and display name. (Note: all installed applications pulled from the registry will have the application context of “installed”.)

  2. Collect running processes

  3. Perform a fuzzy match on the file path of the running process to the install path of the installed applications. If a match is found to a certain degree of confidence, then map the display name pulled from the registry to the application context.

  4. If 3 fails (as not all entries in the registry have install paths or not all applications are in the registry), perform a fuzzy match on the display name into the file path of the running process. If a match is found to a certain degree of confidence, then map the display name pulled from the registry to the application context.

  5. If 4 fails, then fall back to an internally curated database of regular expressions for associations.

  6. If 5 fails, then label the context as “unknown”.

Pro Tip: for Windows devices, if we successfully mapped back to the registry, the Application Name will have “.exe” appended; for Linux devices, the description pulled from the rpm will be in Application Context.
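
The fallback chain in steps 3 to 6, as a runnable sketch added here for illustration (it is not the product's own code). The similarity measure (Python's difflib ratio), the 0.8 threshold, the sample inventory and the single curated regex are all assumptions, and only Windows-style paths are handled.

```python
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

THRESHOLD = 0.8  # assumed confidence cut-off; the product's value is not documented

# Constructed inventory (step 1): (display name, install path or None)
INSTALLED = [
    ("Mozilla Firefox", "c:\\program files\\mozilla firefox\\"),
    ("Sysinternals Suite", None),  # registry entry without an install path
]
# Hypothetical stand-in for the curated regex database (step 5)
CURATED = [(re.compile(r"\\inetsrv\\w3wp\.exe$", re.I), "Microsoft IIS")]

def norm(text):
    """Lower-case and collapse separators so spelling of a path does not matter."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def score(a, b):
    """Similarity in [0, 1] between two normalized strings."""
    return SequenceMatcher(None, norm(a), norm(b)).ratio()

def map_context(proc_path, installed=INSTALLED, curated=CURATED):
    """Return (application context, step that produced it) for one process path."""
    path = PureWindowsPath(proc_path)
    # Step 3: process directory against each install path
    for name, install_path in installed:
        if install_path and score(str(path.parent), install_path) >= THRESHOLD:
            return name, "install-path"
    # Step 4: display name against each component of the process path
    for name, _ in installed:
        if max((score(name, part) for part in path.parts), default=0) >= THRESHOLD:
            return name, "display-name"
    # Step 5: curated regular expressions
    for pattern, context in curated:
        if pattern.search(proc_path):
            return context, "curated-regex"
    # Step 6: nothing matched
    return "unknown", "none"

if __name__ == "__main__":
    for p in (r"C:\Program Files\Mozilla Firefox\firefox.exe",   # constructed paths
              r"D:\Tools\SysinternalsSuite\procexp64.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Temp\abc123.exe"):
        print(p, "->", map_context(p))
```

Returning the step alongside the context shows which mappings came from the installed-programs list and which came from the curated fallback.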