Explore entities and alerts (Investigation)

You can view the alerts and entities of a case in the Explore page in the form of a visual family in the center of the page.

This visual family provides insight into the cause and effect relationship between the entities and alerts and shows the order in which events occurred. The Explore page helps you find the connections between suspicious events.

The visual family is made up of entities, displayed as hexagons, and artifacts, displayed as circles. Entities are displayed in blue; artifacts are displayed in green. Entities and artifacts marked as suspicious are displayed in red.

An entity may be drawn with a colored outline only, without a color fill. Color-filled entities are internal; colored-outline entities are external.

For example, an IP address belonging to a network that has been added to the environment is recognized as an internal entity and is displayed filled in.

The different types of entities and artifacts can be found in the Entity Legend. To access the Entity Legend, click help in the top right corner of the middle pane.

Entities and artifacts may be connected by lines that indicate their relationship. Within the visual family, there are two relationship types: actions and connections. Actions are displayed as arrows, and connections are displayed as dotted lines.

For example, one user sending an email to another user would be displayed as an arrow; a dotted line would indicate that the entities are related, such as a user and a machine hostname.

Entities and artifacts are derived from the mapping rules. The visual families define the relationship types (the lines). If the visual families are not configured, entities and artifacts are still displayed in the middle pane, but without lines connecting them to other entities or artifacts. Both the mapping rules and the visual families can be viewed and edited from the Event Configuration page.

The Event Configuration page appears when you click settings in one of the following places in the Chronicle SOAR platform:

For more information about mapping and visual families, see Configure Mapping and Assign Visual Families.

Drill down to a case and select the Explore button in the top right corner of the Cases page. The Explore page displays the following details:

  • Left pane: Alerts of the selected case and their occurrence time.
  • Middle pane: Entities interconnected and arranged with a layout, video control buttons to play the events and a graphical representation of the alerts.
  • Side Drawer: Provides details of the selected alerts or entities, including Raw Enrichment, if it exists. Each time you select an alert or an event, the side drawer displays the relevant information.
    At the bottom of the side drawer for Chronicle SecOps users, an Explore button is displayed. Click Explore to be redirected to the relevant landing page, where you can continue your investigation of this alert. For more information, see Investigation views.
  • Bottom of page: Video control buttons to play the events – together with a visual time range (which can be manipulated further using plus and minus icons). Click play to go through the events in chronological order on the graph.

Click an alert in the left pane to view its involved entities highlighted in the middle pane. The node indicating this alert appears bigger than the other nodes (alerts) on the graph. Hold the pointer over the nodes to see their respective alert names. Entities not involved in the selected alert are greyed out.
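The description above of the visual family (hexagons for entities, circles for artifacts, blue/green/red colouring, filled for internal and outline-only for external, arrows for actions and dotted lines for connections, nodes derived from mapping rules and lines from visual families) and of what happens when an alert is selected in the left pane can be followed more easily as a small runnable model. The following Python is an added example written for this page; it is not Chronicle SOAR code and does not use its API. The mapping rules, the visual family, the internal network range and domain, and the sample alerts are all constructed assumptions.

```python
from dataclasses import dataclass
import ipaddress

# Constructed environment configuration (assumption): IP ranges that have been
# "added to the environment" are internal, and so is anything under this domain.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_DOMAIN = "corp.example"


@dataclass(frozen=True)
class Node:
    """One hexagon (entity) or circle (artifact) in the visual family."""
    name: str
    entity_type: str          # e.g. "IP", "USER", "HOSTNAME", "FILEHASH"
    kind: str                 # "entity" or "artifact"
    suspicious: bool = False

    def is_internal(self) -> bool:
        """Filled node = internal, outline-only node = external."""
        if self.entity_type == "IP":
            ip = ipaddress.ip_address(self.name)
            return any(ip in net for net in INTERNAL_NETWORKS)
        return self.name.lower().endswith(INTERNAL_DOMAIN)

    def style(self) -> dict:
        """Rendering attributes as the page describes them."""
        if self.suspicious:
            colour = "red"
        else:
            colour = "blue" if self.kind == "entity" else "green"
        return {"shape": "hexagon" if self.kind == "entity" else "circle",
                "colour": colour, "filled": self.is_internal()}


@dataclass(frozen=True, order=True)
class Edge:
    """A line between two nodes: an action (arrow) or a connection (dotted)."""
    src: str
    dst: str
    relationship: str         # "action" or "connection"

    def line_style(self) -> str:
        return "arrow" if self.relationship == "action" else "dotted"


# Mapping rules (assumption): which alert field becomes which entity/artifact.
MAPPING_RULES = {
    "sender":    ("USER", "entity"),
    "recipient": ("USER", "entity"),
    "hostname":  ("HOSTNAME", "entity"),
    "src_ip":    ("IP", "entity"),
    "dst_ip":    ("IP", "entity"),
    "file_hash": ("FILEHASH", "artifact"),
}

# Visual family (assumption): which field pairs get a line, and which kind.
VISUAL_FAMILY = [
    ("sender", "recipient", "action"),        # user emails user -> arrow
    ("src_ip", "dst_ip", "action"),           # host talks to host -> arrow
    ("recipient", "hostname", "connection"),  # user related to machine -> dotted
    ("file_hash", "hostname", "connection"),  # artifact seen on machine -> dotted
]

# Constructed sample alerts, deliberately listed out of chronological order.
SAMPLE_ALERTS = [
    {"name": "Outbound connection to external host", "time": "2024-05-01T09:15:00Z",
     "src_ip": "10.1.2.3", "dst_ip": "203.0.113.7", "suspicious": ["203.0.113.7"]},
    {"name": "Phishing email received", "time": "2024-05-01T09:00:00Z",
     "sender": "mallory@attacker.example.net", "recipient": "alice@corp.example",
     "hostname": "ws-17.corp.example", "suspicious": ["mallory@attacker.example.net"]},
    {"name": "Malicious attachment detected", "time": "2024-05-01T09:05:00Z",
     "hostname": "ws-17.corp.example", "file_hash": "deadbeef-placeholder-hash",
     "suspicious": ["deadbeef-placeholder-hash"]},
]


def chronological(alerts):
    """Order used by the left pane and by the Play Event button."""
    return sorted(alerts, key=lambda a: a["time"])


def involved_entities(alert, mapping_rules=MAPPING_RULES):
    """Names of the nodes an alert touches (highlighted when it is selected)."""
    return {alert[f] for f in mapping_rules if f in alert}


def build_visual_family(alerts, mapping_rules=MAPPING_RULES, visual_family=VISUAL_FAMILY):
    """Nodes come from the mapping rules; lines come from the visual family.
    With an empty visual family the nodes are still shown, just unconnected."""
    nodes, edges = {}, set()
    for alert in chronological(alerts):
        flagged = set(alert.get("suspicious", []))
        for field, (etype, kind) in mapping_rules.items():
            value = alert.get(field)
            if value is None:
                continue
            prev = nodes.get((etype, value))
            suspicious = value in flagged or (prev.suspicious if prev else False)
            nodes[(etype, value)] = Node(value, etype, kind, suspicious)
        for src_field, dst_field, rel in visual_family:
            if src_field in alert and dst_field in alert:
                edges.add(Edge(alert[src_field], alert[dst_field], rel))
    return list(nodes.values()), sorted(edges)


def select_alert(alerts, index, mapping_rules=MAPPING_RULES):
    """Clicking the index-th alert in the left pane: highlighted vs greyed-out nodes."""
    nodes, _ = build_visual_family(alerts, mapping_rules)
    involved = involved_entities(chronological(alerts)[index], mapping_rules)
    highlighted = sorted(n.name for n in nodes if n.name in involved)
    greyed = sorted(n.name for n in nodes if n.name not in involved)
    return highlighted, greyed


if __name__ == "__main__":
    nodes, edges = build_visual_family(SAMPLE_ALERTS)
    for n in nodes:
        print(f"{n.kind:8} {n.name:32} {n.style()}")
    for e in edges:
        print(f"{e.src} --{e.line_style()}--> {e.dst}")
    print(select_alert(SAMPLE_ALERTS, 0))
```

Running the script lists six nodes with their shape, colour and fill, four lines (two arrows, two dotted), and, for the first alert in chronological order (the phishing email), the three highlighted nodes against the three greyed-out ones. Passing `visual_family=[]` to `build_visual_family` reproduces the unconfigured case: the same nodes, no lines.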

The following options are available on the page:

  • Fit to Screen: Located at the top-left corner of the middle pane; autofits the entire entity display to its actual size.
  • Change Graph Layout: Circular layout is the default layout used by the entities. Clicking the Change Graph Layout icon gives you other layout options for displaying entities for your viewing convenience.
  • Play Event: Plays all alerts of the case in sequence. The involved entities for each alert being played are highlighted at that instance. You can also follow the alert flow in the graph, where each node (alert) is enlarged while it is being played.
  • Next Event: Plays the next single alert (one per click), following the sequence in the left pane. By default, the first click plays the first alert in the left pane.
  • Previous Event: Plays the previous alert. By default, this button is disabled until the first alert has been played.
  • Fast Forward and Fast Backwards: Play all alerts of a case 3 times faster, in ascending or descending order of their occurrence time respectively.
  • Time Range Slider: Expands or shrinks the time range on the X-axis.
  • Help: Opens the Entity Legend.

Once you have investigated the visual aspects of the case, you can execute manual actions to investigate further. For example, you can run a manual action to Scan IP addresses to see whether any of the IP addresses are known threats. Once you have established that there was a specific issue (for example, that important company information has been leaked), you can then take action.

Examples of actions you might take once a threat has been established might be to:

  • Quarantine computers
  • Check and scan infected computers
  • Investigate emails
  • Discover missing information