Explore an Entity Graph
Entity Graph is a visual representation that correlates relevant data with involved entities to help analysts understand the scope and identify the root cause of security incidents.
Use the Entity Graph to understand entity relationships and details, easily see connections across different data sources, and view how entities are a part of an attack. With Entity Graph, analysts can gain valuable insights and expedite the investigation process.
Access Entity Graph from:
- The top right of an investigation
  [Image: Open Entity Graph from an Investigation]
- The top right of an alert
  [Image: Open Entity Graph from an Alert]
- The Actions column of the Investigations table
  [Image: Open Entity Graph from Investigations Table]
Features
With the help of Entity Graph, you can:
- Visualize how entities are connected. The visual graph displays entity relationships, allowing you to easily see connections across different data sources. This provides a holistic view of how entities are involved in an attack.
- Select an entity node to gain additional insights about the entity, such as its properties, related alerts, related entities, and threat intelligence, if available.
- Select an edge to understand the alerts and events that are part of that relationship.
Explore Entity Graph
Entity Graph is divided into two main sections: the interactive graph on the left panel and the tabs on the right.
Entity Graph
The interactive graph presents the entities as nodes connected by edges, directional lines representing the relationship or activity between the entities.
Tip: See Entity Types for descriptions of supported entities and Relationship Types for descriptions of possible relationships.
[Image: Entity Graph Overview]
- Each node represents an entity. Select the node to view the entity details in the Details tab.
- Each edge represents the relationship or activity between the connected entities with an arrow indicating direction. Select the line to view the relationship details in the Details tab.
- Edge names followed by a number indicate the activity occurred that many times.
- A Threat Intelligence icon appears in the graph and tables for nodes that have threat intelligence available indicating they are potentially malicious.
- A blue number indicates an associated number of collapsed outgoing edges; double-click the node to expand the outgoing edges.
- A blue minus sign (−) indicates outgoing edges are expanded; double-click the node to collapse the outgoing edges.
Use the following controls to adjust the graph:
- Adjust Panels — Select and drag the divider between the graph and the tabs to adjust the size of the panels, or select the Collapse/Expand icon at the top of the divider to collapse or expand the tabs panel.
- Adjust Graph Layout — Select and drag a node to adjust the graph layout.
- Move Graph — Select and drag outside a node to move the graph.
- Zoom — Select the Zoom buttons at the left of the graph or scroll within the graph to zoom in or out.
- Center & Fit — Select the Center and Zoom to Fit button at the left of the graph to reset the view to fit the window.
- Download — Select the Download Image button to save the graph to a PNG file.
Details Tab
The Details tab on the right panel populates when you select an entity, relationship, or alert from a tab or the graph on the left. See the following tab sections for more information.
Entities Tab
The Entities tab on the right panel displays a table of all entities associated with the investigation or alert. Use the checkboxes at the left of the rows to select one or more entities to highlight the entities and their relationships in the graph. As you select nodes from the graph on the left, the table updates to select those entities.
[Image: Entities Tab]
Select an entity name to open the entity details in the Details tab.
To customize the Entities table, select the Menu icon next to a column header to perform the following actions:
- From the Menu tab of options, choose to Pin, Autosize, and Reset columns.
- From the Filter tab, when available, enter text or use the checkboxes to filter the content of that column.
- From the Column tab, choose which columns appear in the table.
Tip: See Entity Types for descriptions of supported entities.
Relationships Tab
The Relationships tab on the right panel displays a table of all entity relationships. Use the checkboxes at the left of the rows to select one or more relationships to highlight in the graph. As you select edges from the graph on the left, the table updates to select those relationships.
[Image: Relationships Tab]
Select the relationship type from a row to open the relationship details in the Details tab, or a source or target entity to open the entity details in the Details tab.
To customize the Relationships table, select the Menu icon next to a column header to perform the following actions:
- From the Menu tab of options, choose to Pin, Autosize, and Reset columns.
- From the Filter tab, when available, enter text or use the checkboxes to filter the content of that column.
- From the Column tab, choose which columns appear in the table.
Tip: See Relationship Types for descriptions of possible relationships.
Alerts Tab
The Alerts tab on the right panel displays a table of all alerts associated with the investigation. Use the checkboxes at the left of the rows to select one or more alerts to highlight the entities and relationships that belong in those alerts. As you select entities, the table updates to select the related alerts.
[Image: Alerts Tab]
Select an alert title to open a summary of the alert in the Details tab with the option to open the full alert in a new tab. For more information, see Alert Details.
To customize the Alerts table, select the menu icon next to a column header to perform the following actions:
- From the Menu tab of options, choose to Pin, Autosize, and Reset columns.
- From the Column tab, choose which columns you want to appear in the table.
Explore Tab
The Explore tab on the right panel populates when you select the Explore Related Entities option from entity details and displays alerts, events, and investigations related to the selected entity. The search criteria defaults to entities found within 15 minutes of the first connected event. Adjust the criteria using the fields at the top and then select Search.
[Image: Adjust Explore Tab Search]
While reviewing related alerts and events in the tables on the right, select one or more using the checkboxes to the left and then choose one of the following options:
- Show in Graph — Add the entities and relationships associated with the related alert or event to the graph. Related alerts and events that have been added to the graph but not added to the investigation are denoted with a grey icon at the left of the row.
- Add to Investigation — Add the alert or event to the investigation. Related alerts and events that have been added to the investigation are denoted with a blue icon at the left of the row.
[Image: Related Entities Options]
View Entity Details
Select an entity node from the graph or entity name from the table to open the entity details in the Details tab to gain additional insights.
The entity details contain basic properties of the entity and threat intelligence, if available for that entity.
[Image: Entity Details]
Tip: A Threat Intelligence icon appears in the graph and table for nodes that have threat intelligence available indicating they are potentially malicious.
Select Explore Related Entities from the details to search for events, alerts, and investigations related to the selected entity in the Explore tab.
[Image: Explore Related Entities]
View Entity in CEL Explorer
From the Actions menu, select View in CEL Explorer to test the outcome of CEL expressions against the data being viewed for use in Automations configurations. For more information, see CEL Explorer.
[Image: View Entity in CEL Explorer]
Take Response Actions on Entities
If relevant automations have been configured in your tenant, you can perform response actions on an entity. Select the menu icon from either the Actions column of the Entities tab table or from the entity Details tab.
[Image: Take Response Action from Entities Table]
[Image: Take Response Action from Details Tab]
Tip: You can also take response actions on entities from the Entities sub-tab of the Evidence tab of an investigation. See Work an Investigation for more information.
Entity Relationships
The edge, or line connecting two entities, represents the relationship or activity between those two entities. Edges may be colored to represent the outcome of the activity when applicable:
- Red represents that the activity failed, such as a failed login.
- Green represents that the activity succeeded, such as a successful login.
[Image: Entity Relationships]
When an edge label is followed by a number, the activity was attempted that number of times. For example, in the preceding image, the highlighted user was successfully authenticated by the 14.98.176.182 IP two times.
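The two mechanics described above, one edge per source, target, relationship type and outcome carrying a count (the "Auths 2" label) and a red or green colour, together with the Explore tab's default of looking for entities seen within 15 minutes of the first connected event, can be seen end to end in the following Python script. It is an added example written for this page, not the product's own implementation: the event list is constructed (the IP 14.98.176.182 is borrowed from the figure above), the field names `src`, `dst`, `rel`, `outcome` and `ts` are this example's own, and the 15-minute window is assumed to be measured forward from the first connected event.

```python
"""Added example (not the product's code): aggregate constructed events into an
entity graph with counted, outcome-coloured edges, and run a time-window
related-entity search like the Explore tab's default."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Entity:
    """A node: an entity type from the Entity Types table plus its name."""
    type: str
    name: str


@dataclass
class Edge:
    """A directed edge. One Edge stands for every event that shares the same
    source, target, relationship type and outcome."""
    source: Entity
    target: Entity
    relationship: str
    outcome: Optional[str]          # "success", "failure", or None when not applicable
    count: int = 0
    event_ids: List[int] = field(default_factory=list)

    @property
    def label(self) -> str:
        # "Auths 2" when the same activity occurred more than once
        return f"{self.relationship} {self.count}" if self.count > 1 else self.relationship

    @property
    def color(self) -> Optional[str]:
        # red for a failed activity, green for a successful one, uncoloured otherwise
        return {"failure": "red", "success": "green"}.get(self.outcome)


# Constructed sample events (made up for this example, not real telemetry).
EVENTS = [
    {"id": 1, "ts": "2024-03-01T09:59:50", "src": ("IP Address", "14.98.176.182"), "rel": "Auths", "dst": ("User", "jdoe"), "outcome": "failure"},
    {"id": 2, "ts": "2024-03-01T10:00:00", "src": ("IP Address", "14.98.176.182"), "rel": "Auths", "dst": ("User", "jdoe"), "outcome": "success"},
    {"id": 3, "ts": "2024-03-01T10:00:05", "src": ("IP Address", "14.98.176.182"), "rel": "Auths", "dst": ("User", "jdoe"), "outcome": "success"},
    {"id": 4, "ts": "2024-03-01T10:02:00", "src": ("User", "jdoe"), "rel": "Executes", "dst": ("Process", "powershell.exe"), "outcome": None},
    {"id": 5, "ts": "2024-03-01T10:02:01", "src": ("Process", "powershell.exe"), "rel": "HasParent", "dst": ("Process", "explorer.exe"), "outcome": None},
    {"id": 6, "ts": "2024-03-01T10:30:00", "src": ("Process", "powershell.exe"), "rel": "QueriesDNS", "dst": ("DomainName", "example.com"), "outcome": None},
]

EdgeKey = Tuple[Entity, Entity, str, Optional[str]]


def build_graph(events) -> Tuple[Set[Entity], Dict[EdgeKey, Edge]]:
    """Aggregate raw events into nodes and counted, outcome-tagged edges."""
    nodes: Set[Entity] = set()
    edges: Dict[EdgeKey, Edge] = {}
    for ev in events:
        src, dst = Entity(*ev["src"]), Entity(*ev["dst"])
        nodes.update((src, dst))
        key = (src, dst, ev["rel"], ev.get("outcome"))
        edge = edges.setdefault(key, Edge(src, dst, ev["rel"], ev.get("outcome")))
        edge.count += 1                 # repeated activity raises the count, not the edge total
        edge.event_ids.append(ev["id"])  # kept so the edge's Details view can list its events
    return nodes, edges


def outgoing_edge_count(edges: Dict[EdgeKey, Edge], entity: Entity) -> int:
    """The 'blue number' shown on a node whose outgoing edges are collapsed."""
    return sum(1 for e in edges.values() if e.source == entity)


def related_entities(events, entity: Entity, window=timedelta(minutes=15)) -> Set[Entity]:
    """Explore-tab style search: every entity seen within `window` of the first
    event that touches `entity`. Assumption: the window runs forward from that
    first event."""
    ts = lambda ev: datetime.fromisoformat(ev["ts"])
    touching = [ev for ev in events if entity in (Entity(*ev["src"]), Entity(*ev["dst"]))]
    if not touching:
        return set()
    start = min(ts(ev) for ev in touching)
    end = start + window
    related: Set[Entity] = set()
    for ev in events:
        if start <= ts(ev) <= end:
            related.update((Entity(*ev["src"]), Entity(*ev["dst"])))
    related.discard(entity)
    return related


if __name__ == "__main__":
    nodes, edges = build_graph(EVENTS)
    for edge in edges.values():
        print(f"{edge.source.name} --{edge.label} [{edge.color}]--> {edge.target.name}  events={edge.event_ids}")
    user = Entity("User", "jdoe")
    print("outgoing edges from 14.98.176.182:", outgoing_edge_count(edges, Entity("IP Address", "14.98.176.182")))
    print("related to jdoe within 15 min:", sorted(e.name for e in related_entities(EVENTS, user)))
```

Running the script prints one line per aggregated edge, so the two successful logons collapse to a single green "Auths 2" edge while the earlier failure stays a separate red "Auths" edge between the same two nodes; the DNS query at 10:30 falls outside the 15-minute window and so `example.com` is not reported as related to the user.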
View Relationship Details
Select an edge from the graph or the relationship type from the Relationships tab table to open the relationship details in the Details tab to gain additional insights.
The relationship details contain a detailed summary of the relationship, which may include source and target entities and related alerts.
[Image: Relationship Details]
Entity Types
The following are the types of entities available in Entity Graph.
| Entity | Description |
|---|---|
| AuthDomain | An authentication domain, often referred to as an auth domain, is a logical grouping of users and systems for the purpose of authentication and authorization. It helps manage access control. |
| Certificate | A certificate is a digital document used to verify the identity of entities in a network, typically in the context of secure communication. It can include information about the certificate holder and the certificate issuer. |
| CloudObject | A cloud object typically represents a specific item or file stored in a cloud environment. This could be a document, image, or any other digital object hosted in a cloud storage system. |
| CloudResource | A cloud resource refers to any digital asset or component hosted in a cloud environment. This can include virtual machines, storage buckets, databases, and other cloud-based services. |
| DNSServer | A DNS (Domain Name System) server is a network server that translates domain names into IP addresses, enabling users to access websites and resources using human-readable names. |
| DomainName | A domain name is a human-readable label used to access resources on the internet. It often represents websites or online services and is linked to one or more IP addresses. |
| Email | An email represents an electronic message sent between users over a network. It includes sender and recipient information, message content, and metadata. |
| EmailAddress | An email address is a unique identifier used to send and receive emails. It typically consists of a username followed by the "@" symbol and a domain name. |
| File | A file refers to a digital document or data stored on a computer or server. It can be of various types, including text, images, audio, or executable files. |
| FileHash | A file hash is a cryptographic value generated from the content of a file. It is used to verify the integrity of files and detect changes or tampering. |
| Function | In the context of cybersecurity, a function typically refers to a software function or routine that performs a specific task or operation within a program or system. |
| Host | A host is a computer or device on a network that can send or receive data. In the context of cybersecurity, it refers to a system that is being monitored for security events and may include servers, workstations, routers, and other networked devices. |
| IP Address | An IP address is a numerical label assigned to each device connected to a computer network. It serves as an identifier for communication within the network. |
| Process | A process is a running instance of a program on a computer. It represents the execution of a set of instructions and can be monitored for behavior and security-related events. |
| RegistryKey | A registry key is a hierarchical structure used in Windows operating systems to store configuration settings and other system-related information. |
| ScheduledTask | A scheduled task is an automated job or process that is set to run at specific times or intervals on a computer or server. |
| Script | A script is a set of instructions written in a scripting or programming language. It can automate tasks, perform actions, or execute specific functions on a computer or within a software environment. |
| Service | A service refers to a software component or application that runs in the background and provides specific functionality or features to a computer or network. It can include services like web servers, database servers, and more. |
| TaskAction | A task action represents a specific action or operation associated with a scheduled task, such as running a script or program. |
| User | A user is an individual or entity with authorized access to a computer system, network, or application. Users interact with these systems, and their activities are monitored for security and operational purposes. |
Relationship Types
| Relationship | Description | Examples |
|---|---|---|
| Auths | The Auths relationship stands for authentication. It suggests that one entity, often a user or process, authenticates another entity, such as a user or host. | |
| Connects | The Connects relationship indicates that one entity establishes a connection with another entity. This connection typically involves communication or data exchange between the entities. | |
| ConnectsWith | The ConnectsWith relationship represents a Connects relationship in conjunction with a specific entity. | |
| Executes | The Executes relationship indicates that one entity initiates and runs processes. It highlights the ability of an entity, such as a user or host, to execute and manage processes. | |
| ExecutesAs | The ExecutesAs relationship signifies that one entity, typically a host, executes processes while assuming the identity or permissions of another entity, often a user. This relationship reflects the execution context of processes on a system. | |
| ExecutesCloudEvent | The ExecutesCloudEvent relationship indicates that a cloud user entity initiates and performs cloud-related events or actions on cloud objects or resources. | |
| ExecutesCloudEventAs | The ExecutesCloudEventAs relationship suggests that an IP address entity executes cloud-related events while assuming the identity or context of a cloud user. It reflects actions in cloud environments. | |
| Has | The Has relationship denotes ownership or possession. When used in context with files or resources, it implies that one entity possesses or is associated with another entity. | |
| HasParent | The HasParent relationship represents a hierarchical or parent-child relationship between processes. It indicates that one process is a child or sub-process of another, typically showing process dependencies. | |
| HTTPRequests | The HTTPRequests relationship represents HTTP interactions between entities, typically users, hosts, or processes, where one entity initiates and sends HTTP requests to another entity over a network. | |
| HTTPRequestsWith | The HTTPRequestsWith relationship represents the connections and interactions between entities, often users or hosts, and a particular entity that involves sending HTTP requests in conjunction with specific IP addresses. | |
| InjectsThread | The InjectsThread relationship represents an action where one entity, typically a process, injects or creates a new thread within another entity, often for the purpose of hijacking execution. | |
| Links | The Links relationship signifies a connection between two entities, where one entity points to or references another entity, often providing additional context or information about it. | |
| Manages | The Manages relationship signifies that one entity has control, oversight, or responsibility for another entity within a given context or domain. | |
| Modifies | The Modifies relationship represents an action where one entity makes changes or modifications to another entity. | |
| ModifiesFile | The ModifiesFile relationship suggests that a process changes or modifies a file. It signifies the action of altering the content or attributes of a file. | |
| Persists | The Persists relationship indicates that one entity continues to exist associated with another entity over time, typically in a storage or persistence context. | |
| ProvidesDNS | The ProvidesDNS relationship signifies that a DNS server entity offers DNS resolution services for domain names. It reflects the role of a DNS server in providing DNS-related information. | |
| Publishes | The Publishes relationship implies that an entity, such as an IP address or email address, shares or disseminates specific content or information. It reflects the action of making content available to others. | |
| QueriesDNSWith | The QueriesDNSWith relationship indicates that a process or host queries a Domain Name System (DNS) server using a specific IP address. It represents the action of seeking DNS information using a particular address. | |
| QueriesDNS | The QueriesDNS relationship signifies that an entity, usually a process or host, queries a DNS server or domain name for DNS-related information. It reflects the action of looking up DNS records. | |
| Resolves | The Resolves relationship indicates that a domain name entity is resolved to an IP address. It highlights the translation of a human-readable domain name into a numerical IP address. | |