Explore an Investigation in Detail with Entity Graph

investigations entity graph

Entity Graph is a live visual representation that correlates relevant data with involved entities to help analysts understand the scope and identify the root cause of security incidents.

Use an Entity Graph to understand entity relationships and details, easily see connections across different data sources, and view how entities are a part of an attack. With Entity Graph, analysts can gain valuable insights and expedite the investigation process.

To access an Entity Graph, select Entity Graph from the top right of an investigation:

Open Entity Graph

Features ⫘

With the help of Entity Graph, you can:

• Visualize how entities that are part of the investigation are connected. The visual graph displays entity relationships, allowing you to easily see connections across different data sources. This provides a holistic view of how entities are involved in an attack.
• Select an entity node to gain additional insights about the entity, such as its properties, related alerts, related entities, and threat intelligence, if available.
• Select an edge to understand the alerts and events that are part of that relationship.

Explore Entity Graph ⫘

Entity Graph is divided into two main sections, the interactive graph on the left panel and the tabs on the right.

Entity Graph ⫘

The interactive graph presents the entities associated with the investigation as nodes connected by edges, directional lines representing the relationship or activity between the entities.

Entity Graph Overview

Use the following controls to adjust the graph:

• Adjust Layout — Select and drag a node to adjust the graph layout.
• Move Graph — Select and drag outside a node to move the graph.
• Zoom — Select the zoom buttons at the left of the graph or scroll within the graph to zoom in or out.
• Fit — Select the fit to page button at the left of the graph to reset the view to fit the window.
• Download — Select the download button to save the graph to a PNG file.

Entities Tab ⫘

The Entities tab on the right panel displays a table of all entities associated with the investigation. Use the checkboxes at the left of the rows to select one or more entities to highlight the entities and relationships in the graph. As you select nodes from the graph on the left, the table updates to select those entities.

Entities Tab

Select an entity name to open the entity details in the Details tab.

To customize the Entities table:

• Select the menu icon next to a column header to pin, autosize, and reset columns.
• Choose the filter icon when available and enter text or use the checkboxes to filter the content of that column.
• Choose the column icon to choose which columns you want to appear in the table.

Relationships Tab ⫘

The Relationships tab on the right panel displays a table of all entity relationships associated with the investigation. Use the checkboxes at the left of the rows to select one or more relationships to highlight in the graph. As you select edges from the graph on the left, the table updates to select those relationships.

Relationships Tab

Select the relationship type from a row to open the relationship details in the Details tab, or a source or target entity to open the entity details in the Details tab.

To customize the Relationships table:

• Select the menu icon next to a column header to pin, autosize, and reset columns.
• Choose the filter icon when available and enter text or use the checkboxes to filter the content of that column.
• Choose the column icon to choose which columns you want to appear in the table.

Alerts Tab ⫘

The Alerts tab on the right panel displays a table all alerts associated with the investigation. Use the checkboxes at the left of the rows to select one or more alerts to highlight the entities that belong in those alerts. As you select entities from the graph on the left, the table updates to select the related alerts.

Alerts Tab

Select an alert title to open a summary of the alert in the Details tab with the option to open the full alert in a new tab.

To customize the Alerts table:

• Select the menu icon next to a column header to pin, autosize, and reset columns.
• Choose the column icon to choose which columns you want to appear in the table.

View Entity Details ⫘

Select an entity node from the graph or entity name from the table to open the entity details in the Details tab to gain additional insights.

The entity details contain basic properties of the entity and threat intelligence, if available for that entity.

Entity Details

Take Response Actions on Entities ⫘

If relevant automations have been configured in your tenant, you can perform response actions on an entity. Select the vertical ellipses from either the Actions column of the Entities tab table or from the entity details.

Take Response Action from Entities Table

Take Response Action from Entity Details

Entity Relationships ⫘

The edge, or line connecting two entities, represents the relationship or activity between those two entities. Edges may be colored to represent the outcome of the activity when applicable:

• Red represents that the activity failed, such as a failed login.
• Green represents that the activity succeeded, such as a successful login.

Entity Relationships

When an edge label is prepended with a number, the activity was attempted that number of times. For example, in the preceding image, the highlighted host successfully executed a powershell.exe process three times, and executed a process as the user adrcobb once.

View Relationship Details ⫘

Select an edge from the graph or the relationship type from the Relationships tab table to open the relationship details in the Details tab to gain additional insights.

The relationship details contain a detailed summary of the relationship, including the status, source and target entities, and related alerts.

Relationship Details

Entity Types ⫘

The following are the types of entities available in the Entity Graph.

Entity	Description
AuthDomain	An authentication domain, often referred to as an auth domain, is a logical grouping of users and systems for the purpose of authentication and authorization. It helps manage access control.
Certificate	A certificate is a digital document used to verify the identity of entities in a network, typically in the context of secure communication. It can include information about the certificate holder and the certificate issuer.
CloudObject	A cloud object typically represents a specific item or file stored in a cloud environment. This could be a document, image, or any other digital object hosted in a cloud storage system.
CloudResource	A cloud resource refers to any digital asset or component hosted in a cloud environment. This can include virtual machines, storage buckets, databases, and other cloud-based services.
CloudUser	A cloud user is an entity with authorized access to cloud resources and services. This entity may include individuals, employees, or automated processes interacting with cloud-based systems.
DNSServer	A DNS (Domain Name System) server is a network server that translates domain names into IP addresses, enabling users to access websites and resources using human-readable names.
DomainName	A domain name is a human-readable label used to access resources on the internet. It often represents websites or online services and is linked to one or more IP addresses.
Email	An email represents an electronic message sent between users over a network. It includes sender and recipient information, message content, and metadata.
EmailAddress	An email address is a unique identifier used to send and receive emails. It typically consists of a username followed by the "@" symbol and a domain name.
File	A file refers to a digital document or data stored on a computer or server. It can be of various types, including text, images, audio, or executable files.
FileHash	A file hash is a cryptographic value generated from the content of a file. It is used to verify the integrity of files and detect changes or tampering.
Function	In the context of cybersecurity, a function typically refers to a software function or routine that performs a specific task or operation within a program or system.
Host	A host is a computer or device on a network that can send or receive data. In the context of cybersecurity, it refers to a system that is being monitored for security events and may include servers, workstations, routers, and other networked devices.
IP Address	An IP address is a numerical label assigned to each device connected to a computer network. It serves as an identifier for communication within the network.
Process	A process is a running instance of a program on a computer. It represents the execution of a set of instructions and can be monitored for behavior and security-related events.
RegistryKey	A registry key is a hierarchical structure used in Windows operating systems to store configuration settings and other system-related information.
ScheduledTask	A scheduled task is an automated job or process that is set to run at specific times or intervals on a computer or server.
Script	A script is a set of instructions written in a scripting or programming language. It can automate tasks, perform actions, or execute specific functions on a computer or within a software environment.
Service	A service refers to a software component or application that runs in the background and provides specific functionality or features to a computer or network. It can include services like web servers, database servers, and more
TaskAction	A task action represents a specific action or operation associated with a scheduled task, such as running a script or program.
User	A user is an individual or entity with authorized access to a computer system, network, or application. Users interact with these systems, and their activities are monitored for security and operational purposes.

Relationship Types ⫘

Relationship	Description	Examples
Auths	The Auths relationship stands for authentication. It suggests that one entity, often a user or process, authenticates another entity, such as a user or host.	Users can have an Auths relationship with Host entities, signifying that they can be authenticated to hosts. Users can have an Auths relationship with IpAddress entities, suggesting that they can authenticate from IP addresses. Processes can have an Auths relationship with User entities, indicating that they can create authenticate requests for users.
Connects	The Connects relationship indicates that one entity establishes a connection with another entity. This connection typically involves communication or data exchange between the entities.	Host entities can have a Connects relationship with an IP or other entities, indicating that they establish connections or communications with them. Processes can have a Connects relationship with an IP or other entities, indicating their capacity to initiate connections or communication.
ConnectsWith	The ConnectsWith relationship represents a Connection relationship in conjunction with a specific entity.	Processes can have a ConnectsWith relationship with IP addresses, indicating that they establish connections or communication with specific IP addresses. Hosts can have a ConnectsWith relationship with IP addresses, signifying their ability to establish connections or communications with particular IP addresses.
Executes	The Executes relationship indicates that one entity initiates and runs processes. It highlights the ability of an entity, such as a user or host, to execute and manage processes.	Hosts can have an Executes relationship with Process entities. This relationship indicates that the host is capable of executing or running processes. Users can have an Executes relationship with Process entities. This relationship signifies that users can execute or run processes.
ExecutesAs	The ExecutesAs relationship signifies that one entity, typically a host, executes processes while assuming the identity or permissions of another entity, often a user. This relationship reflects the execution context of processes on a system.	Hosts can have an ExecutesAs relationship with User entities. This relationship indicates that the host executes processes or actions on behalf of a specific user.
ExecutesCloudEvent	The ExecutesCloudEvent relationship indicates that a cloud user entity initiates and performs cloud-related events or actions on cloud objects or resources.	Cloud users, such as individuals or service accounts, can execute cloud events. These events could involve actions like creating or modifying cloud resources, triggering automated workflows, or accessing data stored in the cloud. Cloud objects, which are typically resources or components hosted in a cloud environment–such as virtual machines, databases, and storage buckets–can be the target of cloud events executed by cloud users. These events may include actions like starting or stopping a virtual machine, creating a database table, or uploading data to a storage bucket.
ExecutesCloudEventAs	The ExecutesCloudEventAs relationship suggests that an IP address entity executes cloud-related events while assuming the identity or context of a cloud user. It reflects actions in cloud environments.	IP addresses often execute cloud-related events or actions within a cloud environment on behalf of cloud users or other entities. Cloud users may delegate specific tasks or actions to IP addresses, which then execute those tasks as representatives of the users.
Has	The Has relationship denotes ownership or possession. When used in context with files or resources, it implies that one entity possesses or is associated with another entity.	File: Files can have a Has relationship with FileHash entities. This relationship indicates that files have associated file hashes. Host: Hosts can have a Has relationship with various entities, including File (indicating that hosts have files), User (indicating that hosts have users), and IpAddress (indicating that hosts have IP addresses). Process: Processes can have a Has relationship with File entities. This relationship implies that processes may have associated files.
HasParent	The HasParent relationship represents a hierarchical or parent-child relationship between processes. It indicates that one process is a child or sub-process of another, typically showing process dependencies.	A process can have a parent process, indicating that it was spawned or initiated by another process. This relationship helps establish the lineage of processes.
HTTPRequests	The HTTPRequests relationship represents HTTP interactions between entities, typically users, hosts, or processes, where one entity initiates and sends HTTP requests to another entity over a network.	Users may send HTTP requests to access websites, web applications, or online services. They can have HTTPRequests relationships with IP addresses, domain names, or other entities related to web communication. Hosts, such as servers or computers, can have HTTPRequests relationships when they serve web content or interact with web services. These relationships can be established with IP addresses, domain names, or other hosts.
HTTPRequestsWith	The HTTPRequestsWith relationship represents the connections and interactions between entities, often users or hosts, and a particular entity that involves sending HTTP requests in conjunction with specific IP addresses.	Users may have HTTPRequestsWith relationships with specific IP addresses or domain names, indicating that they have communicated with these entities over HTTP. Hosts, such as servers or computers, can have HTTPRequestsWith relationships with particular IP addresses or domain names, denoting that they have exchanged HTTP requests with these entities.
InjectsThread	The InjectsThread relationship represents an action where one entity, typically a process, injects or creates a new thread within another entity, often for the purpose of hijacking execution.	A Process entity InjectsThread into another process, indicating that the first process initiates the creation of one or more threads within the second process.
Links	The Links relationship signifies a connection between two entities, where one entity points to or references another entity, often providing additional context or information about it.	A File entity Links to another File, indicating that the first file contains a reference or hyperlink to the second file.
Manages	The Manages relationship signifies that one entity has control, oversight, or responsibility for another entity within a given context or domain.	A User entity manages one or more other User entities, indicating that the managing user has administrative or supervisory control over the managed users.
Modifies	The Modifies relationship represents an action where one entity makes changes or modifications to another entity.	A Process entity modifying a RegistryKey entity may signify that the process is making changes to a registry key.
ModifiesFile	The ModifiesFile relationship suggests that a process changes or modifies a file. It signifies the action of altering the content or attributes of a file.	Process entities can modify files, indicating that they are making changes to files.
Persists	The Persists relationship indicates that one entity continues to exist associated with another entity over time, typically in a storage or persistence context.	A File entity persists within a Host, indicating that the file remains stored on the host‘s file system. A RegistryKey entity persists within a Host, indicating that the registry key is stored in the host‘s registry.
ProvidesDNS	The ProvidesDNS relationship signifies that a DNS server entity offers DNS resolution services for domain names. It reflects the role of a DNS server in providing DNS-related information.	DNSServer entities can have a ProvidesDNS relationship, indicating that they serve as DNS servers, providing DNS resolution services to resolve domain names to IP addresses.
Publishes	The Publishes relationship implies that an entity, such as an IP address or email address, shares or disseminates specific content or information. It reflects the action of making content available to others.	EmailAddress entities can publish emails, indicating that they are associated with sending or transmitting emails. IP Address entities can publish emails, suggesting that they are associated with sending or transmitting emails.
QueriesDNSWith	The QueriesDNSWith relationship indicates that a process or host queries a Domain Name System (DNS) server using a specific IP address. It represents the action of seeking DNS information using a particular address.	Process entities can have a QueriesDNSWith relationship with IpAddress entities, indicating that these processes query DNS with specific IP addresses. Hosts can have a QueriesDNSWith relationship with IpAddress entities, signifying that these hosts query DNS with specific IP addresses.
QueriesDNS	The QueriesDNS relationship signifies that an entity, usually a process or host, queries a DNS server or domain name for DNS-related information. It reflects the action of looking up DNS records.	IP Address entities can have a QueriesDNS relationship, indicating that they are involved in querying DNS for domain names. Process entities can have a QueriesDNS relationship, signifying that they are querying DNS for domain names.
Resolves	The Resolves relationship indicates that a domain name entity is resolved to an IP address. It highlights the translation of a human-readable domain name into a numerical IP address.	DomainName entities can have a Resolves relationship, indicating that they are involved in DNS resolution, typically resolving to IP addresses or other domain names.