Incident Graph
The incident graph displays an interactive node-graph visualization of the selected incident, showing the listed detections, computers and executables together with a timeline that describes the sequence of events. Right-click any node in the graph to open a context menu with a drop-down list of actions. You can move and reposition any node in the graph. Use the Graph menu for additional actions:
• Fit—Center the graph so that all nodes are displayed on the screen.
• Reset—Return all nodes to their initial state.
• Redraw—Update the displayed information.
The screen's right side provides additional information based on the selected element:
• Incident—Displays comprehensive details about the incident.
• Timeline—Shows detailed time-stamped information about changes to the incident. The timeline is ordered from the latest event to the oldest. Selecting an event highlights the corresponding node in the graph.
• Details—Contains comprehensive information about the selected element.
• Process tree—Displays the position of the element selected in the graph within the process tree.
• Related objects—Lists the objects related to the selected element.
See the Incident Graph example.
Graph elements
Nodes
Node | Description
Process | The node contains the process name and a PID.
Executable/Module |
Command line |
File |
Link/URL |
IP |
Computer |
User |
User and Computer |
A source node is an entity that was the first (or one of the first) to signal suspicious activity (incident). There may be more than one source node in a graph. The source node has multiple circles around it.
The node's color represents the highest severity detection tied to the node:
• Informational
• Warning
• Threat
Lines
The lines between nodes represent detections that tie the nodes together. The thicker the line between the nodes, the more detections it contains. The number on the line represents the number of detections that have both nodes present (no number means one detection).
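The rules above (node color from the highest-severity detection, line weight from the number of detections shared by two nodes, source node from the earliest detection) can be reproduced from exported detection records. The following is an added example, not code from the product or its documentation; the detection records and node identifiers are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import combinations

# Severity order used for node coloring, lowest to highest.
SEVERITY_RANK = {"Informational": 0, "Warning": 1, "Threat": 2}


@dataclass(frozen=True)
class Detection:
    """One detection: when it fired, its severity and the nodes it involves."""
    time: int          # constructed: seconds since the incident started
    severity: str      # one of SEVERITY_RANK
    nodes: frozenset   # constructed node ids, e.g. "process:cmd.exe:4120"


def build_incident_graph(detections):
    """Aggregate detections into node colors, weighted edges and source nodes.

    node_severity: node -> highest severity of any detection tied to it
    edge_count:    frozenset({a, b}) -> detections containing both a and b
    sources:       nodes present in the earliest detection(s)
    """
    node_severity = {}
    edge_count = Counter()
    for d in detections:
        for n in d.nodes:
            cur = node_severity.get(n)
            if cur is None or SEVERITY_RANK[d.severity] > SEVERITY_RANK[cur]:
                node_severity[n] = d.severity
        # Every pair of nodes appearing in the same detection shares a line.
        for a, b in combinations(sorted(d.nodes), 2):
            edge_count[frozenset((a, b))] += 1
    first = min((d.time for d in detections), default=None)
    sources = set().union(*(d.nodes for d in detections if d.time == first))
    return node_severity, dict(edge_count), sources


def edge_label(edge_count, a, b):
    """Number drawn on a line; None when the line carries a single detection."""
    n = edge_count.get(frozenset((a, b)), 0)
    return n if n > 1 else None


# Constructed sample detections (not real telemetry).
SAMPLE = [
    Detection(0, "Warning", frozenset({"process:winword.exe:3020", "computer:WS01"})),
    Detection(5, "Threat", frozenset({"process:winword.exe:3020", "process:cmd.exe:4120"})),
    Detection(9, "Informational", frozenset({"process:cmd.exe:4120", "url:example.invalid"})),
    Detection(12, "Threat", frozenset({"process:winword.exe:3020", "process:cmd.exe:4120"})),
]
```

Running `build_incident_graph(SAMPLE)` marks the winword and cmd processes as Threat, the computer as Warning, draws a line labelled 2 between the two processes, and reports the winword process and the computer as source nodes.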