CSP obviously doesn't have the best documentation but more and more customers are turning to CSP and in turn Symantec is putting more resources behind it.
CSP IPS policies have something called Profile Lists for "snapshotting" system processes. See page 37 of the ips_ref.pdf included with the product documentation. I included it below. Something it does not mention is that you have to adjust your configs to pass Profile events from the agent to the server.
Additionally, it is recommended that you first apply an IPS policy in Log Only mode and tune events appropriately. Only then you should turn on enforcement. You can do this by Enabling/Disabling the "Disable Prevention" option in the Global Policy Options.
Profile lists
This option profiles processes. Profiling records all actions taken by a process.
You can use profile data to create policy controls for a process.
Note: Profiled processes are given full privileges. The prevention policies
provide no protection for processes that are being profiled.
The profile options are as follows:
Profile specific processes:
Enable this option to profile a process. In the list of processes,
specify the full path to the process executable.
You can use the asterisk (*) as a wildcard character. You can
specify optional process attributes along with the full path.
The profile lists option includes process logging options. You use process
logging options to configure process logging for processes that are being
profiled.
See “Process logging options” on page 43.