G DATA 365 | MXDR

The alert graph

The alert graph helps you to better grasp alerts with a complex structure of involved processes. This is helpful if, for example, an incident needs to be assessed in detail.

Alert graph overview

You can view all processes in detail here with regard to

  • General process details,

  • File operations,

  • Operations in the Windows registry,

  • Network operations.

The alert graph is currently only available for systems with a Windows operating system.

Visualization of the processes of the alert

Course alert graph

This is the alert graph itself: it shows all the processes associated with the alert. In this visual representation you can see which processes triggered other processes and what happened in the selected processes. Which process triggered which other processes? What happened to which files on the system? Were changes made in the Windows registry, and if so, what exactly changed? Was there external communication, and to where? All of these questions can be analyzed in detail here.

The graph can contain a large number of individual processes and take up a correspondingly large amount of space. You can move the viewing point in the window with the left mouse button and zoom in and out of the graph with the mouse wheel. Alternatively, you can use the buttons next to the current zoom level (Zoom level) for adjustments.
To the left of this is a button for restoring the viewing point (Reset Button) to the original location and magnification level.

A process with a warning sign represents the core of the detection of the alert in question. Processes can be selected individually and are then highlighted in blue. All detail information displayed below the graph refers to the selected, highlighted process. By default, the view of the alert graph is centered on the selected process. You can adjust this behavior by clicking on the gear icon (Settings).

The graph refers to the processes that belong to one alert, not to the processes of all alerts that belong to an incident!

Detail information about the processes

The detail information about the processes is broken down into the categories Process Details, File Operations, Registry Operations and Network Operations. Non-suspicious operations provide contextual information about the process; suspicious operations have direct ties to the detection. With the "Show only suspicious operations" button, only suspicious entries are displayed in the File Operations and Registry Operations tabs.

The entries within the categories can be sorted alphanumerically in ascending or descending order by left-clicking on the column name.

Some information may be shortened for reasons of readability. However, you can always use mouse-over to view the full information and copy it from there if required.

Mouseover tooltip

Process Details

General information about the process is listed here, such as the location of the file in the system, the exact invocation including all arguments, the size of the file, the start time of the process and whether it was executed with admin permissions.

Process details

The "Suspicious?" field indicates whether the entire process has been classified as suspicious by the agent.

File Operations

All file operations associated with the respective process are shown here. The information listed is the file path, the time and type of the operation, and whether it is suspicious.

File operations

File Path

Path of the file on the system to which the operation refers.

Operation

Exact type of file operation. The options are:

  • "File closed"

  • "File created"

  • "File deleted"

  • "File executed"

  • "File opened"

  • "File read"

  • "File renamed"

  • "File information changed"

  • "File written"

Timestamp

Exact time at which the operation was started.

Suspicious?

Indicates whether it is an operation that played a role in the detection.

Registry Operations

Information about changes in the Windows Registry that were initiated by the process. This is all information relating to the key itself, as well as the time and type of operation.

Registry operations

Key Path

Path within the Windows registry of the key to which the operation refers.

Name

Name of the value within the key in the registry to which the operation refers.

Value

Value after the operation, if available.

Operation

Type of operation. The options are:

  • "Key created"

  • "Key deleted"

  • "Value deleted"

  • "Key opened"

  • "Value set"

Timestamp

Exact time of the operation.

Suspicious?

Indicates whether it is an operation that played a role in the detection.

Network Operations

If available, all operations within the network that were triggered by the process are listed here. These are the time and type of operation, as well as all relevant connection details.

Network operations

IP-Address

For the "Connection established" operation, the IP address to which the connection was established. If the operation was "Opened for incoming connections", the IP address of the monitored system itself is displayed here.

Port

Port used for the connection.

Protocol

Protocol used for the connection. Options are TCP or UDP.

Operation

Type of network operation. The options are:

  • "Connection established"

  • "Opened for incoming connections"

Timestamp

Exact time of the network operation.
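As an added example (not G DATA's code, and not the MXDR export format, which this page does not describe), the following Python models the alert graph's process tree and the detail tabs over constructed records, and answers the questions the graph is built for: the chain of processes that triggered the flagged process, the "Show only suspicious operations" filter, and the external destinations of its network operations. The record layout and field names are assumptions derived from the tabs listed above.

```python
"""Added example, not G DATA's code: rebuild an alert graph's triggering chain
and apply the 'Show only suspicious operations' filter over constructed data."""

# Constructed sample alert (record layout is an assumption): four processes
# linked by parent id, plus the detail-tab operations of the flagged process 3.
PROCESSES = [
    {"id": 1, "parent": None, "name": "explorer.exe", "suspicious": False},
    {"id": 2, "parent": 1, "name": "winword.exe", "suspicious": False},
    {"id": 3, "parent": 2, "name": "powershell.exe", "suspicious": True},
    {"id": 4, "parent": 3, "name": "cmd.exe", "suspicious": False},
]
FILE_OPS = {3: [
    {"File Path": r"C:\Windows\System32\kernel32.dll", "Operation": "File opened",
     "Timestamp": "2024-01-01T10:01:00Z", "Suspicious?": False},
    {"File Path": r"C:\Users\user\AppData\Local\Temp\stage.ps1", "Operation": "File written",
     "Timestamp": "2024-01-01T10:01:02Z", "Suspicious?": True},
]}
REGISTRY_OPS = {3: [
    {"Key Path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Name": "updater",
     "Value": "stage.ps1", "Operation": "Value set",
     "Timestamp": "2024-01-01T10:01:03Z", "Suspicious?": True},
]}
NETWORK_OPS = {3: [
    {"IP-Address": "203.0.113.7", "Port": 443, "Protocol": "TCP",
     "Operation": "Connection established", "Timestamp": "2024-01-01T10:01:04Z"},
]}
BY_ID = {p["id"]: p for p in PROCESSES}

def detection_core():
    """Ids of the processes marked with the warning sign (flagged by the agent)."""
    return [p["id"] for p in PROCESSES if p["suspicious"]]

def triggering_chain(pid):
    """Walk parent links upward: answers 'which process triggered this one?'."""
    chain = []
    while pid is not None:
        chain.append(BY_ID[pid]["name"])
        pid = BY_ID[pid]["parent"]
    return list(reversed(chain))  # root process first

def suspicious_only(ops):
    """The 'Show only suspicious operations' toggle of the File/Registry tabs."""
    return [op for op in ops if op.get("Suspicious?")]

def external_destinations(pid):
    """Remote endpoints of the process's 'Connection established' operations."""
    return [(op["IP-Address"], op["Port"], op["Protocol"])
            for op in NETWORK_OPS.get(pid, [])
            if op["Operation"] == "Connection established"]
```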