Investigation graph

The investigation graph is a visual analysis tool that shows relationships between the following objects:

• Events
• Alerts
• Users
• Observables
• Assets (devices)
• Segmentation rules

The graph displays the details for an incident: the corresponding alerts and their common properties.

To open the investigation graph:

1. In the main menu, go to Monitoring & reporting → Incidents.
2. In the incident table, click the ID of the required incident.

   The window with incident details is displayed.

3. Click the View on graph button.

The Write permission in the Alerts and incidents functional area is required to view the graph. Refer to the following topic for details: Predefined user roles.

You can use the pan and zoom panel on the bottom right to navigate a complex graph.

Also, you can undo any action on the investigation graph by clicking the undo icon (), and revert a previously undone action by clicking the redo icon (). The maximum number of actions that you can undo or redo is 10.

If you close the investigation graph while performing actions in it, your history of changes is cleared. This means that after you open the investigation graph again, you cannot undo and redo the actions that you performed before closing the graph.

When editing the investigation graph simultaneously with other users, you can view the changes made by the users, but you cannot undo and redo their actions.

Interacting with graph nodes

You can use the toolbar at the top to add alerts and observables.

You can click and drag graph nodes to rearrange them.

You can click a graph node to bring the context menu.

Common context menu items:

• View details

  Opens a details window for the selected node.

• Copy

  Copies the node value to clipboard.

• Hide

  Removes the selected node from the graph.

• Add comment/Edit comment

  Invokes a text field for a comment. Click Send to confirm changes. Click Cancel to revert changes.

Event-specific context menu items:

Process tree

Only available for specific event types. Generates a process tree for the event. The blue color indication for an event indicates that you can generate a process tree for this event.

Alert-specific context menu items:

• Change status

  Invokes a Change status panel that allows you to change the alert status.

• Events

  A sub-menu that allows you to add events as graph nodes.

• Observables

  A sub-menu that allows you to add common observables as graph nodes.

• Devices

  A sub-menu that allows you to add common devices as graph nodes.

  By using this sub-menu, you also can view the list of alerts or incidents related to the device. To do that, in the sub-menu, click View details to open the Device details window, and then click the Show related button and select either Alerts or Incidents.

• Users

  A sub-menu that allows you to add users as graph nodes.

Observable-specific context menu items:

• Find similar events

  Invokes a Threat Hunting panel that shows similar events.

• Find similar alerts

  Invokes an Alerts panel that shows similar alerts.

• Request status from Kaspersky TIP

  Allows you to obtain detailed information about the selected observable from Kaspersky Threat Intelligence Portal (Kaspersky TIP). Refer to the following topic for details: Integration with Kaspersky Threat Intelligence Portal.

• Enrich data from Kaspersky TIP

  Use this button to obtain detailed information about the selected observable from Kaspersky TIP. Refer to the following topic for details: Integration with Kaspersky Threat Intelligence Portal.

Segmentation rule-specific context menu items:

• View details in KUMA

  Opens the KUMA Console in a new browser tab that displays the rule details.

• Find similar alerts

  Invokes an Alerts panel that shows similar alerts.

You can also add observables by clicking an alert or event. To do this, in the context menu that opens, you need to select Observables, and then click the observable. The observable will be added to the investigation graph. You can remove an observable from the investigation graph, if needed. To do this, you have to click the observable, and then click Hide in the context menu that opens.

Grouping graph elements

The investigation graph automatically groups alerts with common properties.

To ungroup an alert:

1. Click a graph element corresponding to an alert group.

   A table shows up that lists the alerts.

2. Select an alert that you want to show on the graph.
3. Click the Show on graph button in the table toolbar.

   The alert is added as a graph node.

4. Click the Hide on graph button, if you want to hide an alert.

Linking graph elements

The investigation graph automatically creates links for new items when applicable. Links can be added manually.

To manually add a link:

1. Click the Link nodes button.

   Link points appear around graph nodes.

2. Click and drag from a link point of one node to a link point of another node.

Manually created links have a color indication.

To remove a manually created link:

1. Hover over a manually created link.

   A cross icon appears in the middle of the link.

2. Click the cross icon to delete the link.

Threat hunting

You can analyze events to search threats and vulnerabilities that have not been detected automatically. To do this, you need to click the Threat Hunting button in the toolbar at the top or invoke a graph node's context menu and click Events or Find similar events. The Threat Hunting panel opens. Refer to the following section for details: Threat Hunting.

Exporting the graph

You can save the graph in the SVG format. To do this, you need to click the Export button in the toolbar at the top.

Viewing and editing comments

You can leave comments for any graph node or link.

To add or edit a comment:

1. Click a graph element and select Add comment or Edit comment.
2. Click Send to save changes.

   The message () icon appears next to the graph element. You can click the message () icon to display the comment.

To display all comments,

Click the Comments button in the toolbar at the top. A panel with comments appears on the right. You can click a comment in the panel to highlight the corresponding message () icon on the graph.

To delete a comment,

Select a comment on the graph or in the panel with comments. Click the ellipsis () icon and select Delete.

Page top