The investigation graph is a visual analysis tool that shows relationships between the following objects:
The graph displays the details for an incident: the corresponding alerts and their common properties.
To open the investigation graph:
The window with incident details is displayed.
The Write permission in the Alerts and incidents functional area is required to view the graph. Refer to the following topic for details: Predefined user roles.
You can use the pan and zoom panel on the bottom right to navigate a complex graph.
Interacting with graph nodes
You can use the toolbar at the top to add alerts and observables.
You can click and drag graph nodes to rearrange them.
You can click a graph node to open the context menu.
Common context menu items:
Opens a details window for the selected node.
Copies the node value to clipboard.
Removes the selected node from the graph.
Event-specific context menu items:
Process tree
Only available for specific event types. Generates a process tree for the event. A blue color indication on an event means that a process tree can be generated for that event.
Alert-specific context menu items:
Invokes a Change status panel that allows you to change the alert status.
A sub-menu that allows you to add common observables as graph nodes.
A sub-menu that allows you to add common devices as graph nodes.
Observable-specific context menu items:
Invokes a Threat Hunting panel that shows similar events.
Invokes an Alerts panel that shows similar alerts.
Allows you to obtain detailed information about the selected observable from Kaspersky Threat Intelligence Portal (Kaspersky TIP). Refer to the following topic for details: Integration with Kaspersky Threat Intelligence Portal.
Use this button to obtain detailed information about the selected observable from Kaspersky TIP. Refer to the following topic for details: Integration with Kaspersky Threat Intelligence Portal.
Segmentation rule-specific context menu items:
Opens the KUMA Console in a new browser tab that displays the rule details.
Invokes an Alerts panel that shows similar alerts.
If you attempt to add an alert for a different tenant, the alert will not be shown on the investigation graph.
You can also add observables by clicking an alert or event: in the context menu that opens, select Observables, and then click the observable. The observable is added to the investigation graph. To remove an observable from the investigation graph, click the observable, and then click Hide in the context menu that opens.
Grouping graph elements
The investigation graph automatically groups alerts with common properties.
To ungroup an alert:
A table shows up that lists the alerts.
The alert is added as a graph node.
Linking graph elements
The investigation graph automatically creates links for new items when applicable. Links can be added manually.
To manually add a link:
Link points appear around graph nodes.
Manually created links have a color indication.
Threat hunting
You can analyze events to search for threats and vulnerabilities that have not been detected automatically. To do this, click the Threat Hunting button in the toolbar at the top, or open a graph node's context menu and click Events or Find similar events. The Threat Hunting panel opens. Refer to the following section for details: Threat Hunting.
Exporting the graph
You can save the graph in SVG format. To do this, click the Export button in the toolbar at the top.