Incident Graph icons
The table below lists the various icons currently available in the Incident Graph.
A node can be grouped to include multiple individual nodes of the same type. The icon displays a number indicating how many nodes are grouped. For example, the icon can indicate that there are over 100 processes in the incident. If the number of nodes grouped is less than 100, the actual number is displayed.
When XDR integrations are active, some nodes display an integration source bubble — a small icon in the corner of the node that indicates which integration provided that data. This helps you quickly identify the origin of external nodes in the graph.
Threat nodes use color coding to indicate confidence level: a red icon indicates a malicious detection, and an orange icon indicates a suspicious detection. Collapsed threat groups display a '+' icon; click to expand and view individual MITRE technique or rule nodes.
| Icon | Description |
|---|---|
| | Indicator of Compromise (IoC) indicating a generic or injected process. The icon is labeled with the process name, for example processname.exe. |
| | Indicator of Compromise (IoC) indicating a generic, document, executable, or script file. The icon is labeled with the filename, for example filename.dll. |
| | Indicator of Compromise (IoC) indicating a URL. The icon is labeled with the URL, for example abc.com. |
| | Indicator of Attack (IoA). The icon is labeled with the IoA name, for example Mimikatz. |
| | Workload. The icon is labeled with the workload name, for example DESKTOP-D123. |
| | Identity (user). The icon is labeled with the user account ID, for example david.smith@b.com. This node includes information acquired locally by the agent, which does not require a connection to the Microsoft API. |
| | Email icon indicating a generic Outlook email, attachment, or URL. The icon is labeled according to the relevant integration. When integrating with |
| | OneDrive. The icon is labeled with "File found in OneDrive". |
| | SharePoint. The icon is labeled with "File found in SharePoint". |
| | Teams. The icon is labeled with "File found in Teams". |
| | Microsoft Entra ID. The icon is labeled with the user account ID, for example david.smith@b.com. This node includes the UPN provided from Entra ID. Click the node to show the UPN in the AD Username field. |