# Investigation Graph
The Investigation Graph provides an interactive visualization of entity relationships discovered across your security events. It helps analysts understand the connections between hosts, users, IPs, processes, and domains involved in an attack.
## Graph Visualization
The graph uses Cytoscape.js with the fcose (force-directed compound spring embedder) layout for automatic node positioning. Entities are displayed as nodes with SVG icons, and relationships are shown as directed edges.
## Entity Types
| Entity | Icon | Description |
|---|---|---|
| Host | Server | Endpoints, servers, and workstations |
| User | User | User accounts and identities |
| IP Address | Globe | External and internal IP addresses |
| Process | CPU | Running processes and executables |
| Command | Terminal | Command-line executions |
| Threat | Shield | Threat indicators and IOCs |
## Entity Extraction
Entities are automatically extracted from:
- Alert metadata (source IP, destination IP, hostname, username)
- `extraFieldsJSON` in alert records (parsed for IPs, hostnames, users)
- Incident-linked alerts and evidence
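As an added example (not the Investigation Graph's own code), the following JavaScript shows one way alert metadata and the `extraFieldsJSON` string can be turned into the node and directed-edge elements that Cytoscape.js consumes, covering both the extraction described above and the node/edge model from the Graph Visualization section. The alert field names (`sourceIp`, `destinationIp`, `hostname`, `username`), the key heuristics used on `extraFieldsJSON`, the edge-direction rules and the sample alerts are all assumptions constructed for illustration; the page does not specify the record schema.

```javascript
// Added example, not the Investigation Graph's own code. Field names, the
// extraFieldsJSON key heuristics, edge-direction rules and SAMPLE_ALERTS are
// assumptions constructed for illustration.

const IPV4_RE = /^(?:\d{1,3}\.){3}\d{1,3}$/;

// Map one key/value pair from extraFieldsJSON to an entity type.
// The value's shape decides for IPs; otherwise the key name is the hint.
function classifyExtraField(key, value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  if (IPV4_RE.test(value)) return 'ip';
  if (/host/i.test(key)) return 'host';
  if (/user/i.test(key)) return 'user';
  return null; // unknown fields are ignored rather than guessed
}

// Extract deduplicated entities from one alert. Each carries a role so the
// edge builder knows which way the relationship points.
function extractEntities(alert) {
  const found = [];
  const seen = new Set();
  const push = (type, value, role) => {
    if (typeof value !== 'string' || value === '') return;
    const id = `${type}:${value}`;
    if (seen.has(id)) return;
    seen.add(id);
    found.push({ id, label: value, type, role });
  };
  push('ip', alert.sourceIp, 'source');
  push('ip', alert.destinationIp, 'destination');
  push('host', alert.hostname, 'host');
  push('user', alert.username, 'user');
  // extraFieldsJSON is a JSON string; a malformed or non-object payload must
  // not abort extraction of the well-formed top-level fields.
  let extra = {};
  try {
    const parsed = JSON.parse(alert.extraFieldsJSON || '{}');
    if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) extra = parsed;
  } catch (_) {
    // leave extra empty
  }
  for (const [key, value] of Object.entries(extra)) {
    const type = classifyExtraField(key, value);
    if (type) push(type, value, 'extra');
  }
  return found;
}

// Merge alerts into Cytoscape.js elements. Edges point toward the alert's host
// (source IP -> host, user -> host, extra entity -> host) except
// host -> destination IP, so traffic direction reads naturally on the graph.
// Edges carry the ids of the alerts that produced them for the side panel.
function buildGraphElements(alerts) {
  const nodes = new Map();
  const edges = new Map();
  for (const alert of alerts) {
    const ents = extractEntities(alert);
    for (const e of ents) {
      if (!nodes.has(e.id)) nodes.set(e.id, { data: { id: e.id, label: e.label, type: e.type } });
    }
    const host = ents.find((e) => e.type === 'host');
    if (!host) continue; // no host to anchor relationships to; nodes are still added
    for (const e of ents) {
      if (e.id === host.id) continue;
      const [src, dst] = e.role === 'destination' ? [host.id, e.id] : [e.id, host.id];
      const id = `${src}->${dst}`;
      if (!edges.has(id)) edges.set(id, { data: { id, source: src, target: dst, alerts: [] } });
      edges.get(id).data.alerts.push(alert.id);
    }
  }
  return { nodes: [...nodes.values()], edges: [...edges.values()] };
}

// Constructed sample alerts (not real data).
const SAMPLE_ALERTS = [
  {
    id: 'A-1001', sourceIp: '10.0.0.5', destinationIp: '203.0.113.7',
    hostname: 'ws-042', username: 'j.doe',
    extraFieldsJSON: '{"remote_ip":"198.51.100.9","parent_user":"svc-backup","severity":"high","pid":4242}',
  },
  // malformed extraFieldsJSON: top-level fields are still extracted
  { id: 'A-1002', sourceIp: '10.0.0.5', hostname: 'srv-db-01', extraFieldsJSON: 'not json' },
  // no hostname: entities become nodes but no edges can be anchored
  { id: 'A-1003', sourceIp: '10.0.0.9', username: 'admin', extraFieldsJSON: '[]' },
];

const graph = buildGraphElements(SAMPLE_ALERTS);
console.log(JSON.stringify(graph, null, 2));
```

The returned `{ nodes, edges }` object can be passed directly as the `elements` option to `cytoscape(...)`, with `layout: { name: 'fcose' }` once the cytoscape-fcose extension has been registered with `cytoscape.use(fcose)`. Treating a malformed `extraFieldsJSON` payload as empty rather than throwing matters in practice: one bad record would otherwise blank the whole graph instead of dropping a few enrichment entities.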
## Interactions
- Click a node to see entity details in the side panel
- Hover to highlight connected nodes and edges
- Zoom/pan to navigate large graphs
- Filter by entity type to focus investigation
## Data Sources
The graph is built from two API endpoints:
- `/api/v1/investigation-graph/entities` — Entity nodes and relationships
- `/api/v1/alerts` — Alert data for entity extraction enrichment
## Access Requirements
The Investigation Graph requires the Respond (MDR) tier or above.