Incident Graph icons (EDR)
The table below lists the node icons available in the Incident Graph for EDR incidents.
A node can represent multiple individual nodes of the same type. The icon displays a number that indicates how many nodes are grouped. For example, a process icon whose count reads "100+" indicates that there are over 100 processes in the incident. If the number of grouped nodes is less than 100, the actual number is displayed.
Threat nodes use color coding to indicate confidence level: a red icon indicates a malicious detection, and an orange icon indicates a suspicious detection. Collapsed threat groups display a '+' icon; click to expand and view individual MITRE technique or rule nodes.
| Icon | Description |
|---|---|
| Process | Indicator of Compromise (IoC) indicating a generic or injected process. The icon is labeled with the process name, for example `processname.exe`. |
| File | Indicator of Compromise (IoC) indicating a generic, document, executable, or script file. The icon is labeled with the filename, for example `filename.dll`. |
| URL | Indicator of Compromise (IoC) indicating a URL. The icon is labeled with the URL, for example `abc.com`. |
| IoA | Indicator of Attack (IoA). The icon is labeled with the IoA name, for example Mimikatz. |
| Workload | Workload. The icon is labeled with the workload name, for example `DESKTOP-D123`. |
| Identity | Identity (user). The icon is labeled with the user account ID, for example `david.smith@b.com`. This node includes information acquired locally by the agent, which does not require a connection to the Microsoft API. |