Investigation graph
The investigation graph is a visual analysis tool that shows relationships between the following objects:
- Events
- Alerts
- Incidents
- Observables
- Assets (devices)
- Segmentation rules
The graph displays the details for an incident: the corresponding alerts and their common properties.
To open the investigation graph:
- In the main menu, go to MONITORING & REPORTING → Incidents.
- In the incident table, click the ID of the required incident.
The window with incident details is displayed.
- Click the View on graph button.
The Write permission in the Alerts and incidents functional area is required to view the graph. Refer to the following topic for details: Predefined user roles.
You can use the pan and zoom panel on the bottom right to navigate a complex graph.
Interacting with graph nodes
You can use the toolbar at the top to add alerts and observables.
You can click and drag graph nodes to rearrange them.
Click a graph node to bring the context menu.
Common context menu items:
- View details
Opens a details window for the selected node.
- Copy
Copies the node value to clipboard.
- Hide
Removes the selected node from the graph.
Event-specific context menu items:
Process tree
Only available for specific event types. Generates a process tree for the event. The blue color indication for an event indicates that you can generate a process tree for this event.
Alert-specific context menu items:
- Change status
Invokes a Change status panel that allows you to change the alert status.
- Observables
A sub-menu that allows you to add common observables as graph nodes.
- Devices
A sub-menu that allows you to add common devices as graph nodes.
Observable-specific context menu items:
- Find similar events
Invokes a Threat Hunting panel that shows similar events.
- Find similar alerts
Invokes an Alerts panel that shows similar alerts.
- Request status from Kaspersky TIP
Allows you to obtain detailed information about the selected observable from Kaspersky Threat Intelligence Portal (Kaspersky TIP). Refer to the following topic for details: Integration with Kaspersky Threat Intelligence Portal.
- Enrich data from Kaspersky TIP
Use this button to obtain detailed information about the selected observable from Kaspersky TIP. Refer to the following topic for details: Integration with Kaspersky Threat Intelligence Portal.
Segmentation rule-specific context menu items:
- View details in KUMA
Opens the KUMA console in a new browser tab that displays the rule details.
- Find similar alerts
Invokes an Alerts panel that shows similar alerts.
If you attempt to add an alert for a different tenant, the alert will not be shown on the investigation graph.
You can also add observables by clicking an alert or event. In the context menu that opens, select Observables, and then click the observable to add it to the investigation graph. To remove an observable from the investigation graph, click the observable to open the context menu, and then click Hide.
Grouping graph elements
The investigation graph automatically groups alerts with common properties.
To ungroup an alert:
- Click a graph element corresponding to an alert group.
A table shows up that lists the alerts.
- Select an alert that you want to show on the graph.
- Click the Show on graph button in the table toolbar.
The alert is added as a graph node.
To hide an alert, click the Hide on graph button.
Linking graph elements
The investigation graph automatically creates links for new items when applicable. Links can be added manually.
To manually add a link:
- Click the Link nodes button.
Link points appear around graph nodes.
- Click and drag from a link point of one node to a link point of another node.
Manually created links have a color indication.
Threat hunting
Click the Threat Hunting button in the toolbar at the top. Alternatively, invoke a graph node's context menu and click Events or Find similar events to open the Threat Hunting panel. Refer to the following section for details: Threat Hunting.
Exporting the graph
Click the Export button in the toolbar at the top to save the graph in the SVG format.