Explore Entities and Alerts (Investigation)
You can view the alerts and entities of a case in this Explore/Investigation screen in the form of a visual family in the center of the screen.
The advantage of this visual family is that you get a keener sense of who or what did what, who was affected by it, and in what order it happened. Think of the Explore screen as a detective's cork board, where the detective pins up suspects and events and draws lines between them to make the connections. Within the visual family there are two relationship types: an action, denoted by an arrow, and a connection, denoted by a dotted line.
Drill down to a Case and click on the top-right corner of the Cases page. The Explore page displays the following details:
- Left pane: Alerts of the selected case and their occurrence time.
- Middle pane: Entities interconnected and arranged in a layout, video control buttons to play the events, and a graphical representation of the alerts.
- Side drawer: Details of the selected alert or entity, including Raw Enrichment if it exists. Each time you select an alert or an event, the side drawer displays the relevant information. At the bottom of the side drawer, for users of both Chronicle SIEM and Chronicle SOAR, an Explore button is displayed. Click the button to be redirected to the relevant landing page in Chronicle SIEM, where you can continue your investigation of this alert.
- Bottom of screen: Video control buttons to play the events, together with a visual time range (which can be adjusted further using the plus/minus icons). Click play to step through the events in chronological order on the graph.
Click an alert in the left pane to highlight its involved entities in the middle pane. The node representing this alert appears larger than the other alert nodes on the graph. Hover over a node to see its alert name. Entities not involved in the selected alert are greyed out.
The following options are available on the screen:
Option | Description
---|---
Fit to Screen | Located at the top-left corner of the middle pane; autofits the entire entity display to its actual size.
Change Graph Layout | Circular layout is the default layout used for the entities. Clicking the Change Graph Layout icon offers other layout options for displaying entities.
Play Event | Plays all alerts of the case in sequence. The involved entities for each alert being played are highlighted at that instant. You can also follow the alert flow in the graph, where each alert node is enlarged while it is being played.
Next Event | Plays the next single alert (one per click), in the order of the sequence in the left pane. By default, the first click plays the first alert in the left pane.
Previous Event | Plays the previous alert. By default, this button is disabled until the first alert has been played.
Fast Forward / Fast Backwards | Plays all alerts of the case 3 times faster, in ascending or descending order of their occurrence time respectively.
Time Range Slider | Expands or shrinks the time range shown on the X-axis.
Legend | Displays an entity legend.
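The following is an added example, not part of the original documentation or the product's code, that models the visual family described above: alerts with occurrence times, the entities each involves, the two relationship types, the highlight/grey-out rule when an alert is selected, and a Next/Previous playback cursor with the "Previous disabled until the first alert is played" behaviour. The case data, entity names and class names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Relationship:
    source: str
    target: str
    kind: str  # "action" (drawn as an arrow) or "connection" (dotted line)

@dataclass(frozen=True)
class Alert:
    name: str
    occurred_at: datetime
    entities: frozenset  # entities involved in this alert

class Case:
    def __init__(self, alerts, relationships):
        self.alerts = list(alerts)
        self.relationships = list(relationships)
        # every entity on the graph: the union of all alerts' entities
        self.entities = frozenset().union(*(a.entities for a in self.alerts))

    def ordered(self, descending=False):
        # Play/Next/Fast Forward walk ascending by occurrence time; Fast Backwards descending
        return sorted(self.alerts, key=lambda a: a.occurred_at, reverse=descending)

    def select(self, alert):
        # Selecting an alert highlights its entities, greys out the rest,
        # and returns the relationships drawn between the highlighted entities
        edges = [r for r in self.relationships if {r.source, r.target} <= alert.entities]
        return alert.entities, self.entities - alert.entities, edges

class Playback:
    """Next Event / Previous Event cursor over the left-pane sequence."""
    def __init__(self, case):
        self.sequence = case.ordered()
        self.position = -1  # nothing played yet: Previous Event is disabled

    def previous_enabled(self):
        return self.position >= 0

    def next_event(self):
        if self.position + 1 < len(self.sequence):
            self.position += 1
        return self.sequence[self.position]

    def previous_event(self):
        if not self.previous_enabled():
            raise RuntimeError("Previous Event is disabled until the first alert is played")
        self.position -= 1
        return self.sequence[self.position] if self.position >= 0 else None

# Constructed sample case (not real data); alerts deliberately listed out of time order
SAMPLE = Case(
    alerts=[Alert("Outbound connection", datetime(2024, 1, 1, 9, 5), frozenset({"host-1", "10.0.0.5"})),
            Alert("Suspicious login", datetime(2024, 1, 1, 9, 0), frozenset({"user-a", "host-1"}))],
    relationships=[Relationship("user-a", "host-1", "action"),
                   Relationship("host-1", "10.0.0.5", "connection")],
)
```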
Once you have investigated the visual aspects of the case, you can execute manual actions to investigate further. For example, you can run a manual action to scan IP addresses and check whether any of them are known threats. Once you have established that there was a specific issue, for example that important company information has been leaked, you can then take action.
Examples of actions you might take once a threat has been established might be to:
- Quarantine computers
- Check and scan infected computers
- Investigate emails
- Discover missing information
For complete information on mapping and modeling families that appear here, refer to Ontology.