🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Explore an Investigation in Detail with Entity Graph

investigations entity graph


Entity Graph is a live visual representation that correlates relevant data with involved entities to help analysts understand the scope and identify the root cause of security incidents.

Use an Entity Graph to understand entity relationships and details, easily see connections across different data sources, and view how entities are a part of an attack. With Entity Graph, analysts can gain valuable insights and expedite the investigation process.

To access an Entity Graph, select Entity Graph from the top right of an investigation:

Open Entity Graph

Open Entity Graph

Features

With the help of Entity Graph, you can:

Explore Entity Graph

Entity Graph is divided into two main sections, the interactive graph on the left panel and the Entities and Alerts tabs on the right.

Entity Graph

The interactive graph presents the entities associated with the investigation as nodes connected by edges, directional lines representing the relationship or activity between the entities.

Tip

See Entity Types for descriptions of supported entities and Relationship Types for descriptions of possible relationships.

Entity Graph Overview

Entity Graph Overview

  1. Each node represents an entity associated with the investigation. Select the node to view the entity details side drawer.
  2. Each edge represents the relationship or activity between the connected entities with an arrow indicating direction. Select the line to view the edge details side drawer.
  3. Edges prepended by a number indicate the action occurred that many times.
  4. A blue minus sign (−) indicates outgoing edges are expanded; double-click the node to collapse the outgoing edges.
  5. A blue number indicates an associated number of collapsed outgoing edges; double-click the node to expand the outgoing edges.

Use the following controls to adjust the graph:

Entities Tab

The Entities table on the right panel displays all entities associated with the investigation. Use the checkboxes at the left of the rows to select one or more entities, or select those entities from the graph to highlight the entities and relationships in the graph.

Entities Tab

Entities Tab

Select an entity name to open the entity details side drawer.

To customize the Entities table:

Alerts Tab

The Alerts table on the right panel displays all alerts associated with the investigation. Use the checkboxes at the left of the rows to select one or more alerts to highlight the entities that belong in those alerts. As you select entities from the graph on the left, the table updates to select the related alerts.

Alerts Tab

Alerts Tab

Select an alert title to open a side drawer summary of the alert with the option to open the alert details in a new tab.

To customize the Alerts table:

View Entity Details

As you explore the visual graph to understand the entities and their relationships, select an entity node from the graph or name from the table to open the entity details side drawer to gain additional insights.

The entity details side drawer contains basic properties of the entity, related entities, related alerts and threat intelligence, if available for that entity.

Entity Details

Entity Details

Tip

A Threat Intelligence icon appears in the graph and table for nodes that have threat intelligence available that indicate they are potentially malicious.

Take Response Actions on Entities

If relevant automations have been configured in your tenant, you can perform response actions on an entity. Select the vertical ellipses from either the Actions column of the Entities table or from an entity details side drawer.

Take Response Action from Entities Table

Take Response Action from Entities Table

Take Response Action from Entity Details

Take Response Action from Entity Details

Tip

You can also take response actions on entities from the Entities sub-tab of the Evidence tab of an investigation. See Work an Investigation for more information.

Entity Relationships

The edge, or line connecting two entities, represents the relationship or activity between those two entities. Edges may be colored to represent the outcome of the activity when applicable:

Entity Relationships

Entity Relationships

When an edge label is prepended with a number, the activity was attempted that number of times. For example, in the preceding image, the highlighted host successfully executed a powershell.exe process three times, and executed a process as the user adrcobb once.

View Edge Details

Select an edge, or relationship line connecting two entities, to open the edge details side drawer to gain additional insights.

The edge details side drawer contains basic properties of the edge, including the status, source entity, and related alerts.

Edge Details

Edge Details

Entity Types

The following are the types of entities available in the Entity Graph.

Entity Description
AuthDomain
User Entity
An authentication domain, often referred to as an auth domain, is a logical grouping of users and systems for the purpose of authentication and authorization. It helps manage access control.
Certificate
User Entity
A certificate is a digital document used to verify the identity of entities in a network, typically in the context of secure communication. It can include information about the certificate holder and the certificate issuer.
CloudObject
User Entity
A cloud object typically represents a specific item or file stored in a cloud environment. This could be a document, image, or any other digital object hosted in a cloud storage system.
CloudResource
User Entity
A cloud resource refers to any digital asset or component hosted in a cloud environment. This can include virtual machines, storage buckets, databases, and other cloud-based services.
CloudUser
User Entity
A cloud user is an entity with authorized access to cloud resources and services. This entity may include individuals, employees, or automated processes interacting with cloud-based systems.
DNSServer
User Entity
A DNS (Domain Name System) server is a network server that translates domain names into IP addresses, enabling users to access websites and resources using human-readable names.
DomainName
User Entity
A domain name is a human-readable label used to access resources on the internet. It often represents websites or online services and is linked to one or more IP addresses.
Email
User Entity
An email represents an electronic message sent between users over a network. It includes sender and recipient information, message content, and metadata.
EmailAddress
User Entity
An email address is a unique identifier used to send and receive emails. It typically consists of a username followed by the "@" symbol and a domain name.
File
User Entity
A file refers to a digital document or data stored on a computer or server. It can be of various types, including text, images, audio, or executable files.
FileHash
User Entity
A file hash is a cryptographic value generated from the content of a file. It is used to verify the integrity of files and detect changes or tampering.
Function
User Entity
In the context of cybersecurity, a function typically refers to a software function or routine that performs a specific task or operation within a program or system.
Host
Host Entity
A host is a computer or device on a network that can send or receive data. In the context of cybersecurity, it refers to a system that is being monitored for security events and may include servers, workstations, routers, and other networked devices.
IP Address
User Entity
An IP address is a numerical label assigned to each device connected to a computer network. It serves as an identifier for communication within the network.
Process
User Entity
A process is a running instance of a program on a computer. It represents the execution of a set of instructions and can be monitored for behavior and security-related events.
RegistryKey
User Entity
A registry key is a hierarchical structure used in Windows operating systems to store configuration settings and other system-related information.
ScheduledTask
User Entity
A scheduled task is an automated job or process that is set to run at specific times or intervals on a computer or server.
Script
User Entity
A script is a set of instructions written in a scripting or programming language. It can automate tasks, perform actions, or execute specific functions on a computer or within a software environment.
Service
User Entity
A service refers to a software component or application that runs in the background and provides specific functionality or features to a computer or network. It can include services like web servers, database servers, and more
TaskAction
User Entity
A task action represents a specific action or operation associated with a scheduled task, such as running a script or program.
User
User Entity
A user is an individual or entity with authorized access to a computer system, network, or application. Users interact with these systems, and their activities are monitored for security and operational purposes.

Relationship Types

Relationship Description Examples
Auths The Auths relationship stands for authentication. It suggests that one entity, often a user or process, authenticates another entity, such as a user or host.
  • Users can have an Auths relationship with Host entities, signifying that they can be authenticated to hosts.
  • Users can have an Auths relationship with IpAddress entities, suggesting that they can authenticate from IP addresses.
  • Processes can have an Auths relationship with User entities, indicating that they can create authenticate requests for users.
Connects The Connects relationship indicates that one entity establishes a connection with another entity. This connection typically involves communication or data exchange between the entities.
  • Host entities can have a Connects relationship with an IP or other entities, indicating that they establish connections or communications with them.
  • Processes can have a Connects relationship with an IP or other entities, indicating their capacity to initiate connections or communication.
ConnectsWith The ConnectsWith relationship represents a Connection relationship in conjunction with a specific entity.
  • Processes can have a ConnectsWith relationship with IP addresses, indicating that they establish connections or communication with specific IP addresses.
  • Hosts can have a ConnectsWith relationship with IP addresses, signifying their ability to establish connections or communications with particular IP addresses.
Executes The Executes relationship indicates that one entity initiates and runs processes. It highlights the ability of an entity, such as a user or host, to execute and manage processes.
  • Hosts can have an Executes relationship with Process entities. This relationship indicates that the host is capable of executing or running processes.
  • Users can have an Executes relationship with Process entities. This relationship signifies that users can execute or run processes.
ExecutesAs The ExecutesAs relationship signifies that one entity, typically a host, executes processes while assuming the identity or permissions of another entity, often a user. This relationship reflects the execution context of processes on a system.
  • Hosts can have an ExecutesAs relationship with User entities. This relationship indicates that the host executes processes or actions on behalf of a specific user.
ExecutesCloudEvent The ExecutesCloudEvent relationship indicates that a cloud user entity initiates and performs cloud-related events or actions on cloud objects or resources.
  • Cloud users, such as individuals or service accounts, can execute cloud events. These events could involve actions like creating or modifying cloud resources, triggering automated workflows, or accessing data stored in the cloud.
  • Cloud objects, which are typically resources or components hosted in a cloud environment–such as virtual machines, databases, and storage buckets–can be the target of cloud events executed by cloud users. These events may include actions like starting or stopping a virtual machine, creating a database table, or uploading data to a storage bucket.
ExecutesCloudEventAs The ExecutesCloudEventAs relationship suggests that an IP address entity executes cloud-related events while assuming the identity or context of a cloud user. It reflects actions in cloud environments.
  • IP addresses often execute cloud-related events or actions within a cloud environment on behalf of cloud users or other entities.
  • Cloud users may delegate specific tasks or actions to IP addresses, which then execute those tasks as representatives of the users.
Has The Has relationship denotes ownership or possession. When used in context with files or resources, it implies that one entity possesses or is associated with another entity.
  • File: Files can have a Has relationship with FileHash entities. This relationship indicates that files have associated file hashes.
  • Host: Hosts can have a Has relationship with various entities, including File (indicating that hosts have files), User (indicating that hosts have users), and IpAddress (indicating that hosts have IP addresses).
  • Process: Processes can have a Has relationship with File entities. This relationship implies that processes may have associated files.
HasParent The HasParent relationship represents a hierarchical or parent-child relationship between processes. It indicates that one process is a child or sub-process of another, typically showing process dependencies.
  • A process can have a parent process, indicating that it was spawned or initiated by another process. This relationship helps establish the lineage of processes.
HTTPRequests The HTTPRequests relationship represents HTTP interactions between entities, typically users, hosts, or processes, where one entity initiates and sends HTTP requests to another entity over a network.
  • Users may send HTTP requests to access websites, web applications, or online services. They can have HTTPRequests relationships with IP addresses, domain names, or other entities related to web communication.
  • Hosts, such as servers or computers, can have HTTPRequests relationships when they serve web content or interact with web services. These relationships can be established with IP addresses, domain names, or other hosts.
HTTPRequestsWith The HTTPRequestsWith relationship represents the connections and interactions between entities, often users or hosts, and a particular entity that involves sending HTTP requests in conjunction with specific IP addresses.
  • Users may have HTTPRequestsWith relationships with specific IP addresses or domain names, indicating that they have communicated with these entities over HTTP.
  • Hosts, such as servers or computers, can have HTTPRequestsWith relationships with particular IP addresses or domain names, denoting that they have exchanged HTTP requests with these entities.
InjectsThread The InjectsThread relationship represents an action where one entity, typically a process, injects or creates a new thread within another entity, often for the purpose of hijacking execution.
  • A Process entity InjectsThread into another process, indicating that the first process initiates the creation of one or more threads within the second process.
Links The Links relationship signifies a connection between two entities, where one entity points to or references another entity, often providing additional context or information about it.
  • A File entity Links to another File, indicating that the first file contains a reference or hyperlink to the second file.
Manages The Manages relationship signifies that one entity has control, oversight, or responsibility for another entity within a given context or domain.
  • A User entity manages one or more other User entities, indicating that the managing user has administrative or supervisory control over the managed users.
Modifies The Modifies relationship represents an action where one entity makes changes or modifications to another entity.
  • A Process entity modifying a RegistryKey entity may signify that the process is making changes to a registry key.
ModifiesFile The ModifiesFile relationship suggests that a process changes or modifies a file. It signifies the action of altering the content or attributes of a file.
  • Process entities can modify files, indicating that they are making changes to files.
Persists The Persists relationship indicates that one entity continues to exist associated with another entity over time, typically in a storage or persistence context.
  • A File entity persists within a Host, indicating that the file remains stored on the host‘s file system.
  • A RegistryKey entity persists within a Host, indicating that the registry key is stored in the host‘s registry.
ProvidesDNS The ProvidesDNS relationship signifies that a DNS server entity offers DNS resolution services for domain names. It reflects the role of a DNS server in providing DNS-related information.
  • DNSServer entities can have a ProvidesDNS relationship, indicating that they serve as DNS servers, providing DNS resolution services to resolve domain names to IP addresses.
Publishes The Publishes relationship implies that an entity, such as an IP address or email address, shares or disseminates specific content or information. It reflects the action of making content available to others.
  • EmailAddress entities can publish emails, indicating that they are associated with sending or transmitting emails.
  • IP Address entities can publish emails, suggesting that they are associated with sending or transmitting emails.
QueriesDNSWith The QueriesDNSWith relationship indicates that a process or host queries a Domain Name System (DNS) server using a specific IP address. It represents the action of seeking DNS information using a particular address.
  • Process entities can have a QueriesDNSWith relationship with IpAddress entities, indicating that these processes query DNS with specific IP addresses.
  • Hosts can have a QueriesDNSWith relationship with IpAddress entities, signifying that these hosts query DNS with specific IP addresses.
QueriesDNS The QueriesDNS relationship signifies that an entity, usually a process or host, queries a DNS server or domain name for DNS-related information. It reflects the action of looking up DNS records.
  • IP Address entities can have a QueriesDNS relationship, indicating that they are involved in querying DNS for domain names.
  • Process entities can have a QueriesDNS relationship, signifying that they are querying DNS for domain names.
Resolves The Resolves relationship indicates that a domain name entity is resolved to an IP address. It highlights the translation of a human-readable domain name into a numerical IP address.
  • DomainName entities can have a Resolves relationship, indicating that they are involved in DNS resolution, typically resolving to IP addresses or other domain names.

 

On this page: