Process Graph

Sometimes it's easier to visualize relationships as a graph. All of the process event data in Splunk can also be viewed as a process graph.

To get to a graph, click on the "Process Graph" button from any attack session page, or on specific events in the table. Alternatively, if you're in Splunk, you can click the "Jump to Process Graph" link for any process event.

You can quickly open a specific node by searching by process name, path, command line, MD5 hash, event row ID, or labeled attack. Since our attack session was about using WMI, we can search for the wmic process name. Since the attacks are also labeled, we could jump to a specific labeled attack node.

There are filters that you can use to gray out nodes and help you find what you're looking for. You can filter on start or end time, or on our AI prevalence and maliciousness scores. These let you weed out frequently occurring or noisy events.

The sidebar provides details for the active node. There are quick actions, like jumping to Splunk, sharing a link to this node, or labeling an attack. Details provides the most important fields - the same ones you'd find in Splunk. Prevalence and maliciousness are very early-stage AI algorithms that measure how common or rare an event is, and how benign or malicious an event is, based on several features. These algorithms will improve over time as more labeled data is added to the platform. If there are detections that match the node, we can see those both on the node itself and in the sidebar.

Navigating the graph is straightforward. Starting with the root node on the left, we can see child processes as we move to the right. We can click and drag to move around the graph. We can zoom in or out with the mouse scroll wheel, or with a pinch gesture on a trackpad. We can also use the zoom buttons to quickly zoom out to the whole graph, or zoom in on a specific node. If a parent node has children, there will be a label with the number of child processes that can be clicked to expand them; click it again to collapse the child nodes. Nodes with labeled attacks are colored red and have a red star icon. Likewise, nodes with detection hits have a blue circle.
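To make the search, filter and expand/collapse behaviour above concrete, here is an added Python example that is not part of this page or the platform's own code. It builds a parent/child process tree from a constructed set of process events (a root explorer.exe spawning cmd.exe, which spawns wmic.exe, plus an unrelated notepad.exe), supports the search fields the page lists (name, path, command line, MD5, row id, attack label), applies the time and score filters to decide which nodes stay active versus grayed out, and renders the tree left-to-right with child-count labels, a star for labeled attacks and a circle for detection hits. The event fields, the 0.0-1.0 prevalence and maliciousness scales, the attack label and the detection name are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ProcessEvent:
    """One process event, modelled on the fields the page says you can search and filter on."""
    row_id: int
    pid: int
    ppid: int
    name: str
    path: str
    cmdline: str
    md5: str
    start: int                  # epoch seconds (constructed)
    prevalence: float           # 0.0 = rare ... 1.0 = very common (hypothetical score scale)
    maliciousness: float        # 0.0 = benign ... 1.0 = malicious (hypothetical score scale)
    labels: List[str] = field(default_factory=list)      # labeled attacks on this node
    detections: List[str] = field(default_factory=list)  # detection hits on this node


# Constructed sample session: explorer -> cmd -> wmic, with notepad as unrelated noise.
EVENTS: List[ProcessEvent] = [
    ProcessEvent(1, 100, 0, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe", "0" * 32, 1000, 0.99, 0.01),
    ProcessEvent(2, 200, 100, "cmd.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c wmic os get caption", "1" * 32, 1005, 0.80, 0.20),
    ProcessEvent(3, 300, 200, "wmic.exe", r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption", "2" * 32, 1006, 0.10, 0.85,
                 labels=["wmi-execution"], detections=["constructed-wmic-rule"]),
    ProcessEvent(4, 400, 100, "notepad.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe", "3" * 32, 1020, 0.95, 0.02),
]


def build_graph(events: List[ProcessEvent]) -> Tuple[Dict[int, List[ProcessEvent]], List[ProcessEvent]]:
    """Map each pid to its child events; a process whose parent is not in the session is a root."""
    pids = {e.pid for e in events}
    children: Dict[int, List[ProcessEvent]] = {e.pid: [] for e in events}
    roots: List[ProcessEvent] = []
    for e in events:
        if e.ppid in pids:
            children[e.ppid].append(e)
        else:
            roots.append(e)
    return children, roots


def search_nodes(events: List[ProcessEvent], query: str) -> List[int]:
    """Row ids matching the query: exact on MD5 and row id, substring on name, path, command line and labels."""
    q = query.lower()
    hits = []
    for e in events:
        text_fields = [e.name, e.path, e.cmdline] + e.labels
        if q == e.md5.lower() or q == str(e.row_id) or any(q in f.lower() for f in text_fields):
            hits.append(e.row_id)
    return hits


def active_nodes(events: List[ProcessEvent], start: Optional[int] = None, end: Optional[int] = None,
                 max_prevalence: Optional[float] = None, min_maliciousness: Optional[float] = None) -> Set[int]:
    """Row ids that survive the filters; every other node would be grayed out in the UI."""
    keep: Set[int] = set()
    for e in events:
        if start is not None and e.start < start:
            continue
        if end is not None and e.start > end:
            continue
        if max_prevalence is not None and e.prevalence > max_prevalence:
            continue
        if min_maliciousness is not None and e.maliciousness < min_maliciousness:
            continue
        keep.add(e.row_id)
    return keep


def render(children: Dict[int, List[ProcessEvent]], node: ProcessEvent, expanded: Set[int], depth: int = 0) -> List[str]:
    """Text rendering: root on the left, children indented to the right; '*' = labeled attack, 'o' = detection hit."""
    marks = (" *" if node.labels else "") + (" o" if node.detections else "")
    line = "  " * depth + node.name + marks
    kids = children[node.pid]
    if kids and node.row_id not in expanded:
        return [line + f" [+{len(kids)}]"]  # collapsed parent: show the child-count label
    lines = [line]
    for k in kids:
        lines.extend(render(children, k, expanded, depth + 1))
    return lines


if __name__ == "__main__":
    kids, roots = build_graph(EVENTS)
    print("search 'wmic':", search_nodes(EVENTS, "wmic"))
    print("rare nodes:", active_nodes(EVENTS, max_prevalence=0.5))
    print("\n".join(render(kids, roots[0], expanded={1, 2})))
```

Running the script prints the nodes matching "wmic" (cmd.exe via its command line and wmic.exe itself), the single rare node that survives a prevalence filter, and the fully expanded tree with wmic.exe marked as both labeled and detected.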