The investigation graph helps you analyze events, alerts, and incidents to identify potential threats. You can also use the investigation graph to create visual reports.
The graph displays the details for an incident: the corresponding alerts and their common properties.
To open the investigation graph, open an incident details window, and then click the View on graph button.
You can click and drag graph nodes to rearrange them. Click a graph node to bring up the context menu.
You can use the toolbar at the top to add alerts and observables.
If you attempt to add an alert for a different tenant, the alert will not be shown on the investigation graph.
You can also add observables by clicking an alert or event. In the context menu that opens, select Observables, and then click the observable to add it to the investigation graph. To remove an observable from the investigation graph, click the observable to open the context menu, and then click Hide.
A blue indicator on an event means that you can generate a process tree for that event. To do this, click the event and select Process tree in the context menu.
You can use the pan and zoom panel on the bottom right to navigate a complex graph.
Grouping graph elements
The investigation graph automatically groups alerts with common properties.
To ungroup an alert, do the following:
A table listing the alerts appears.
To regroup the ungrouped alerts, click the Hide on graph button.
Linking graph elements
The investigation graph automatically creates links for new items when applicable. Links can be added manually.
To manually add a link, do the following:
Link points appear around graph nodes.
Manually created links are shown in purple.