Incident Graph
The incident graph displays an interactive node graph visualization of selected incidents, including detections, computers, executables, and a timeline of events. Right-click any node to open a context menu with actions for that node. Nodes can be moved and repositioned. Use the Graph menu for additional actions:
•Fit—Center the graph to display all nodes.
•Reset—Return all nodes to their initial positions.
•Redraw—Refresh the graph information.
The screen's right side displays additional information for the selected graph element:
•Incident—Comprehensive details about the incident.
•Timeline—Shows time-stamped details of incident changes, highlighting the graph node for the selected timeline event. Check which items should be shown:
oThreat indicators—Display threat indicators in the timeline if checked.
oBehaviours—Show threat behaviors in the timeline if checked.
oAnalyst actions—List analyst actions in the timeline if checked.
•Details—Comprehensive information about the selected element in the graph.
•Process tree—Displays selected element's position from the graph in the process tree.
•Related objects—List of related objects to the selected element in the graph.
See the Incident Graph example.
Graph elements
Nodes
Process |
|
The node contains the process name and a PID. |
|
Executable/Module |
|
Command line |
|
File |
|
Link/URL |
|
IP |
|
Computer |
|
User |
|
User and Computer |
A source node is the initial entity signaling suspicious activity and may have multiple circles around it. There can be multiple source nodes in a graph.
The node's color indicates the highest severity detection linked to it:
Informational |
|
Warning |
|
Threat |
Lines
Lines between nodes represent detections linking them. Thicker lines indicate more detections. Numbers on the lines show detection counts (no number means one detection).