Visualizing incidents

When you select an incident, the Incident Visualization section is displayed in the Incident details section. The Incident Visualization is a graph of the relationships between the entities and files (referred to as "nodes") involved in the incident.
The graph has the following features:
  • Nodes that are colored red indicate at-risk or compromised entities. In the screen shot, certutil.exe is flagged to indicate that it should be investigated. (certutil.exe is a legitimate Windows binary that is frequently abused to download or decode payloads, so the flag means the invocation, its command line and its parent process warrant review, not that the binary itself is malicious.)
  • The transparency of a connector represents timing: the node at the solid end of the connector occurred more recently than the node at the transparent end.
  • Blue connectors identify the connections directly associated with high-risk nodes.
  • Long node labels are shortened until you hover over them.
  • Right-click a node to perform actions on it, such as quarantining files, showing entity details, or isolating an endpoint.
  • You can search the graph for specific entities and files. Enter the name of the entity or file in the Search Graph field. If the entity or file is found in the graph, that node and its connected neighbors are highlighted.
Adjusting the graph view
In some cases, the graph may have enough nodes and connections that it's hard to see them all clearly. You can adjust the view to make it easier to see the nodes and their connections.
Zoom and centering: Controls are provided for centering the graph and for zooming in and out.
Moving nodes: You can move nodes in the graph either individually or as a group that includes the selected node and its nearest neighbors.
  • Move a single node - Left-click and hold on the node, then drag it around the graph.
  • Move the selected node and its neighbors - Right-click the node and click Move With Neighbors, then left-click, hold and drag the node along with its neighbors. Clicking another node resets the move behavior to single-node move.