Explore entities and alerts (investigation)

You can view the alerts and entities of a case in the Explore page in the form of a visual family in the center of the page.

This visual family provides insight into the cause-and-effect relationship between the entities and alerts, and shows the order in which events occurred. The Explore page helps you find the connections between suspicious events.

The visual family is made up of entities, displayed as hexagons, and artifacts, displayed as circles. Entities are displayed in blue; artifacts are displayed in green. Entities and artifacts marked as suspicious are displayed in red.

An entity may be shown as a colored outline rather than filled with color. Color-filled entities are internal; colored-outline entities are external. For example, an IP address from a network that has been added to the environment is recognized as an internal entity and is displayed filled in.

The different types of entities and artifacts can be found in the Entity Legend. To access the Entity Legend, click Help in the top right corner of the middle pane.

Entities and artifacts may be connected by lines that indicate their relationship. Within the visual family, there are two relationship types: actions and connections. Actions are displayed as arrows, and connections are displayed as dotted lines.

For example, one user sending an email to another user would be displayed as an arrow; a dotted line would indicate that the entities are related, such as a user and a machine hostname.

Entities and artifacts are derived from the mapping rules. The visual families define the relationship types (connected by lines). If the visual families aren't configured, entities and artifacts are still displayed in the middle pane, but without lines connecting them to other entities or artifacts. You can view and edit both the mapping rules and the visual families from the Event Configuration page.
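To make the graph model described above concrete, the following Python is an added toy model of a visual family; it is not Google SecOps code and does not reflect the platform's actual data model. The node and edge types, field names, the internal address ranges, the suspicious-marking rule, and the sample alerts are all constructed for illustration. It applies the conventions the text states: entities are hexagons and artifacts circles, suspicious items turn red, an IP inside the environment's networks is internal (filled) and otherwise external (outline only), actions are directed arrows while connections are undirected dotted lines, and Play Event steps through the case's alerts in chronological order, highlighting the entities each alert involves.

```python
"""Toy model of the Explore page's visual family.

Added example, not Google SecOps code. The data model, field names, network
ranges and sample alerts below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed: address ranges the hypothetical environment owns. An IP entity
# inside one of them is internal (color-filled); any other IP is external
# (colored outline only). Non-IP entities default to external in this toy.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Node:
    kind: str   # "entity" (hexagon) or "artifact" (circle)
    type: str   # constructed type names, e.g. "USER", "HOSTNAME", "ADDRESS", "FILEHASH"
    value: str


@dataclass(frozen=True)
class Edge:
    source: Node
    target: Node
    relation: str   # "action" (arrow, directed) or "connection" (dotted, undirected)
    label: str = ""


@dataclass
class Alert:
    name: str
    timestamp: datetime
    nodes: tuple
    edges: tuple


def is_internal(node):
    """Internal/external classification: only IP entities inside INTERNAL_NETWORKS."""
    if node.kind != "entity" or node.type != "ADDRESS":
        return False
    try:
        ip = ipaddress.ip_address(node.value)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def style(node, suspicious):
    """(shape, color, filled) following the legend the text describes.

    The text defines fill only for entities; artifacts are left unfilled here (assumption).
    """
    shape = "hexagon" if node.kind == "entity" else "circle"
    if (node.type, node.value) in suspicious:
        color = "red"
    else:
        color = "blue" if node.kind == "entity" else "green"
    return shape, color, is_internal(node)


def edge_key(edge):
    """Actions are directed; a connection is the same edge in either orientation."""
    ends = (edge.source, edge.target)
    if edge.relation == "connection":
        ends = frozenset(ends)
    return (edge.relation, edge.label, ends)


def build_case_graph(alerts):
    """Merge every alert's nodes and edges into one case graph, deduplicating edges."""
    nodes = {n for a in alerts for n in a.nodes}
    edges = {}
    for a in alerts:
        for e in a.edges:
            edges.setdefault(edge_key(e), e)
    return nodes, list(edges.values())


def play_order(alerts):
    """Chronological order that Play Event and Next Event step through."""
    return sorted(alerts, key=lambda a: a.timestamp)


def highlight(alerts, selected):
    """Nodes involved in the selected alert are highlighted; the rest appear unavailable."""
    nodes, _ = build_case_graph(alerts)
    involved = set(selected.nodes)
    return {n: ("highlighted" if n in involved else "unavailable") for n in nodes}


# Constructed sample case: a user logs on to a host, a file is dropped, the host
# then reaches an external address. Alerts are deliberately out of time order.
USER = Node("entity", "USER", "jdoe")
HOST = Node("entity", "HOSTNAME", "ws-042")
INT_IP = Node("entity", "ADDRESS", "10.1.2.3")
EXT_IP = Node("entity", "ADDRESS", "203.0.113.5")
HASH = Node("artifact", "FILEHASH", "d41d8cd98f00b204e9800998ecf8427e")

ALERTS = [
    Alert("Outbound connection to flagged IP", datetime(2024, 5, 1, 9, 15),
          (HOST, INT_IP, EXT_IP),
          (Edge(HOST, INT_IP, "connection"), Edge(INT_IP, EXT_IP, "action", "connected to"))),
    Alert("Suspicious logon", datetime(2024, 5, 1, 9, 2),
          (USER, HOST), (Edge(USER, HOST, "action", "logged on"),)),
    Alert("Known-bad file dropped", datetime(2024, 5, 1, 9, 10),
          (HOST, HASH, INT_IP),
          (Edge(HASH, HOST, "connection"), Edge(INT_IP, HOST, "connection"))),  # reversed duplicate
]

if __name__ == "__main__":
    suspicious = {("ADDRESS", EXT_IP.value), ("FILEHASH", HASH.value)}
    for alert in play_order(ALERTS):
        print(alert.timestamp.isoformat(), alert.name)
    nodes, edges = build_case_graph(ALERTS)
    for n in sorted(nodes, key=lambda n: n.value):
        print(n.type, n.value, style(n, suspicious))
    print(len(edges), "unique edges")
```

The reversed duplicate connection in the third alert collapses into the one already drawn by the first alert, while the two actions keep their direction; that is the difference between the dotted lines and the arrows the text describes.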

The Event Configuration page appears when you click Settings in one of the following places in the Google SecOps platform:

For more information about how to configure mapping and assign visual families, see Configure Mapping and Assign Visual Families.

Drill down to a case and select Explore in the top right corner of the Cases page. The Explore page displays the following details:

  • Left pane: displays the alerts associated with the selected case and their corresponding timestamps.
  • Middle pane: the interconnected entities arranged in a layout, video control buttons to play the events, and a graphical representation of the alerts.
  • Side Drawer: provides details of the selected alerts or entities, including Raw Enrichment if it exists. When you select an alert or an event, the side drawer displays the relevant information.
    At the bottom of the side drawer for Google SecOps users, an Explore button is displayed. Click Explore to be redirected to the relevant landing page, where you can continue your investigation of this alert. For more information, see Investigation views.
  • Bottom of page: video control buttons to play the events, together with a visual time range (which can be adjusted further using Add and Remove). Click Play Event to step through the events in chronological order on the graph.

Click an alert in the left pane to highlight its involved entities in the middle pane. The node for this alert appears larger than the other alert nodes on the graph. Hold the pointer over a node to see its alert name. Entities not involved in the selected alert appear as unavailable.

The following options are available on the page:

  • Fit to Screen: autofits the entire entity display to its actual size.
  • Circular Layout: the default layout for the entities. Click Change Graph Layout to show other layout options.
  • Play Event: plays all alerts of the case in sequence. The involved entities of the alert being played are highlighted at that instant. The graph displays the alert flow, marking each played alert with a larger node.
  • Next Event: plays the next single alert (one per click), following the sequence in the left pane. By default, the first click plays the first alert in the left pane.
  • Previous Event: plays the previous alert. By default, this button is disabled until the first alert has been played.
  • Fast Forward and Fast Backward: plays all alerts in the case 3 times faster, in chronological (ascending) or reverse chronological (descending) order, respectively.
  • Time Range Slider: expands or shrinks the time range on the X-axis.
  • Entity Legend: opens the entity legend.

After investigating the visual aspects of the case, you can perform manual actions for further investigation. For example, you can run a manual action that scans the IP addresses in the case to check whether any of them are known threats. Once you have established a specific issue (for example, a leak of sensitive company information), you can take action.

Once a threat has been established, actions you might take include:

  • Quarantine computers
  • Check and scan infected computers
  • Investigate emails
  • Discover missing information
