Incident Lineage

The Incident lineage page shows the parent child relationship between the processes of an incident recorded in your network.
The Incidents tab shows the following:
  • List of incidents
    By default the open incidents are displayed in the
  • Incident Visualization Graph
    When you click on the Incident ID, Description or any other column of the incident, the Incident Visualization panel slides in .
  • Lineage
    The process lineage tab is only visible if a lineage exists for the incident processes that you want to investigate.
  • Lineage Timeline
    The process lineage timeline is another way of representing the lineage data. The horizontal bars represent the processes of the lineage.
For the lineage feature to deliver accurate data, ensure that the
Process Launch Activity
and the
Process Terminate Activity
are selected when you configure the Endpoint Activity Recorder policy.
Viewing an Incident Lineage
The Lineage and Timeline graph both show the details of the system activities that the processes performed in an incident. For example, Module, Network, Registry, other processes, File, Directory, Network, Kernel.
tab only appears when the incident includes any process lineage, else the
tab remains hidden.
The lineage graph begins with the first instance and the process that triggered the lineage. The first process in the lineage begins with one parent process followed by its child processes. Every process is represented by a gear icon. When you hover over your mouse pointer on any of the gear icons, the name of the process and the Process ID (PID) is shown. To view the details of the events of the incident, right-click on the gear icon and select
. You are redirected to the
page which shows the events that are part of the incident.
An incident can have more than one lineage when more than one endpoints are impacted by the incident. To select a lineage, click on the lineage name in the drop-down menu near the parent node.
Rotating gear in the lineage graph represent that the system is collecting Endpoint Activity Recorder data. Symantec recommends that you wait till the data is processed completely.
Processes with similar names are grouped together. Click on the + sign to expand the child nodes and click on the – sign to collapse the child nodes.
When you click on a gear icon, the process details panel slides in. The process details panel shows the Process name, SHA2, Parent process, Child process details.
To close the details panel, click the X or click on the white space in the graph. In case of a group of processes, the details page, shows the first process in the group. To view the other processes in the group, click on the up or the down arrow.
Incident Lineage
Represents a Trigger Process which is related to an event listed in the Results grid.
If a process matches with an event that is a MITRE enriched event it appears as a sibling of the Process Trigger.
Takes a screenshot of the lineage graph.
Displays and hides the Process name on the Process gear icon.
Indicates a process injection.
The lineage graph also includes a search bar. You can search for the process by name. As soon as you type in the process name, the list of matching process names are displayed. Based on the search result the matching gear icon of the process is highlighted whereas the other nodes fade out.
Lineage Timeline
The lineage graph includes a timeline which is another representation of the lineage graph. The timeline graph changes based on the lineage graph view. When you hover over the mouse pointer on the horizontal bars the timeline, the process name is displayed. If you click on the horizontal bar, the lineage graph focuses on the process which is represented by the bar.
A vertical bar represents a group of the processes. To view how the processes have progressed over time, click on the
option to play the lineage graph from the beginning of the processes.