Working with the Incident Graph (EDR)
The Incident Graph is a visual representation of an EDR incident. It shows the relationships between the workload, the processes involved in the attack, and the detections that were triggered. The Incident Graph is available to all EDR users.
Use the Incident Graph to:
- Understand the structure of the attack chain at a glance.
- Identify which processes, files, network connections, and registry entries were involved.
- View threat detections and their associated MITRE tactics and techniques.
- Navigate to individual nodes to examine details in the sidebar.
Some EDR response actions are currently available only from the Cyber Kill Chain and not from the Incident Graph. To apply EDR response actions such as quarantining a process or isolating a workload, use the Cyber Kill Chain. For more information, see How to investigate incidents in the cyber kill chain.
Accessing the Incident Graph
To access the Incident Graph
- In the Cyber Protect console, go to Protection > Incidents.
- Click the icon in the rightmost column of the incident that you want to investigate.
- Go to the Incident Graph tab.
To refresh the graph, click the refresh icon.
Node types
The Incident Graph includes the following node types for EDR incidents:
- Workload: The top-level node representing the affected device. All process trees originate from this node.
- Process: Represents a running process involved in the attack. Processes are shown in a tree structure reflecting the execution chain, from the first process with a detection to the last.
- File: Represents a file node associated with a process, typically the process image for non-system processes.
- Network: Represents a network connection made by a process.
- Registry: Represents a registry key or value accessed or modified by a process.
- Threat: Represents a detection result associated with a process, file, network, or registry node. Threat nodes use color to indicate confidence: red for malicious detections, orange for suspicious detections.
- Identity: Represents a user account observed during the incident, based on data collected locally by the EDR agent.
For information about node icons, see Incident Graph icons (EDR).
Threat node grouping
When multiple detections are associated with the same entity, threat nodes are grouped as follows:
- If a single detection rule applies under one MITRE technique, the threat node is labeled with the rule's descriptive name.
- If multiple rules apply under the same MITRE technique, one threat node is shown, labeled with the MITRE technique. Click the node to view a table listing all associated rules.
- If detections span multiple MITRE techniques, a collapsed threat node is shown with a '+' icon. Click to expand and view individual technique-level or rule-level nodes.
- Malicious and suspicious detections are displayed in separate groupings.
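The grouping rules above, together with the confidence colours described under Threat in the node types list, can be expressed as a small labelling routine. The following Python is an added example, not product code: the `Detection` and `ThreatNode` data model, the function names, the rule names and the sample detections are all constructed for illustration, and only the grouping behaviour (rule name for a single rule, technique label for several rules under one technique, a collapsed '+' node across techniques, separate malicious and suspicious groupings) follows the page.

```python
"""Threat-node grouping for an incident graph, as an illustration of the rules above.
Constructed example: the data model and sample detections are assumptions, not product code."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Node colour by detection confidence: red for malicious, orange for suspicious.
CONFIDENCE_COLOR = {"malicious": "red", "suspicious": "orange"}


@dataclass(frozen=True)
class Detection:
    entity: str      # id of the process/file/network/registry node the detection belongs to
    rule: str        # descriptive name of the detection rule (constructed)
    technique: str   # MITRE ATT&CK technique id
    confidence: str  # "malicious" or "suspicious"


@dataclass
class ThreatNode:
    label: str
    confidence: str
    rules: List[str]                      # every rule behind this node (the click-through table)
    collapsed: bool = False               # True for the '+' node spanning several techniques
    children: List["ThreatNode"] = field(default_factory=list)

    @property
    def color(self) -> str:
        return CONFIDENCE_COLOR[self.confidence]


def _technique_node(technique: str, dets: List[Detection], confidence: str) -> ThreatNode:
    rules = sorted({d.rule for d in dets})
    if len(rules) == 1:
        # One rule under one technique: the node carries the rule's descriptive name.
        return ThreatNode(label=rules[0], confidence=confidence, rules=rules)
    # Several rules under the same technique: one node labelled with the technique.
    return ThreatNode(label=technique, confidence=confidence, rules=rules)


def _group_confidence(dets: List[Detection], confidence: str) -> ThreatNode:
    by_tech: Dict[str, List[Detection]] = defaultdict(list)
    for d in dets:
        by_tech[d.technique].append(d)
    tech_nodes = [_technique_node(t, ds, confidence) for t, ds in sorted(by_tech.items())]
    if len(tech_nodes) == 1:
        return tech_nodes[0]
    # Detections span several techniques: collapsed '+' node with technique-level children.
    return ThreatNode(label="+", confidence=confidence,
                      rules=sorted({d.rule for d in dets}),
                      collapsed=True, children=tech_nodes)


def group_threat_nodes(detections: List[Detection]) -> Dict[str, List[ThreatNode]]:
    """Return, per entity, the threat nodes to draw (malicious first, then suspicious)."""
    by_entity: Dict[str, Dict[str, List[Detection]]] = defaultdict(lambda: defaultdict(list))
    for d in detections:
        if d.confidence not in CONFIDENCE_COLOR:
            raise ValueError(f"unknown confidence {d.confidence!r}")
        by_entity[d.entity][d.confidence].append(d)
    graph: Dict[str, List[ThreatNode]] = {}
    for entity, by_conf in by_entity.items():
        # Malicious and suspicious detections are grouped separately.
        graph[entity] = [_group_confidence(by_conf[c], c)
                         for c in ("malicious", "suspicious") if by_conf.get(c)]
    return graph


# Constructed sample detections covering each grouping case.
SAMPLE_DETECTIONS = [
    Detection("proc-1", "Encoded PowerShell command", "T1059.001", "malicious"),
    Detection("proc-2", "Run key persistence added", "T1547.001", "malicious"),
    Detection("proc-2", "Run key points to user-writable path", "T1547.001", "malicious"),
    Detection("proc-3", "Remote thread created in another process", "T1055", "suspicious"),
    Detection("proc-3", "LSASS memory read", "T1003", "suspicious"),
    Detection("proc-3", "Mass file encryption observed", "T1486", "malicious"),
]


def describe(graph: Dict[str, List[ThreatNode]]) -> List[str]:
    """Flat, deterministic summary lines, one per top-level threat node."""
    lines = []
    for entity in sorted(graph):
        for n in graph[entity]:
            extra = f" ({len(n.children)} techniques)" if n.collapsed else ""
            lines.append(f"{entity}: [{n.color}] {n.label}{extra} <- {', '.join(n.rules)}")
    return lines


if __name__ == "__main__":
    for line in describe(group_threat_nodes(SAMPLE_DETECTIONS)):
        print(line)
```

Running the module prints one line per top-level node: `proc-1` gets its rule name, `proc-2` gets the technique label with two rules behind it, and `proc-3` gets a red node for the malicious detection plus an orange collapsed node with two technique-level children. The `rules` list on each node is what a click on the node would list; keeping it on every node, including the collapsed one, is what lets an analyst confirm which rules fired without expanding the whole graph.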
Incident Graph for multi-workload incidents
When an incident involves more than one workload, the Incident Graph displays a sub-graph for each workload. For more information, see Working with multi-workload incidents in the Incident Graph.
Incident Graph when XDR is enabled
When XDR integrations are active, the Incident Graph extends to include external nodes from those integrations, such as email, identity management, and firewall data. External nodes are identified by an integration source bubble displayed on the node icon. For more information, see Working with the Incident Graph (XDR).