About Attack Graphs

Applies To: WatchGuard EPDR, WatchGuard EDR

If the Indicator of Attack (IOA) has a graph associated with it on the attack details page, click View Attack Graph to see an interactive diagram of the sequence of events that led to the generation of the IOA. You can use the graph to help identify the root cause of the attack.

Screen shot of Attack Graph

By default, the graph is displayed horizontally with the node that triggered the IOA at the center of the graph. It is surrounded by a subset of nodes related to the IOA. The graph displays three node levels above the main node, as well as one node level below the main node.

Nodes represent entities that participate in an operation (such as processes, files, or communication or operation targets). Arrows represent operations. To modify the graph to your needs, use the toolbar options and select specific nodes. You can use the timeline below the graph to increase or reduce the displayed time period when the events occurred.

The information pane on the right shows event information for the selected node or arrow. For more information, see Indicators of Attack Events.

Toolbar

The toolbar enables you to change the appearance of the graph. These buttons are available in the toolbar:

Button Name Description
Undo Undo the last action performed on the graph
Redo Redo last action performed on the graph
Zoom in Zoom in the graph
Zoom out Zoom out from the graph
Reset zoom Return to the default zoom setting
Horizontal graph Change the graph orientation to horizontal
Vertical graph Change the graph orientation to vertical
Show / Hide Layers Show or hide information layers in the graph

To show or hide layers in an attack graph:

  1. In the toolbar, click .
  2. From the menu that opens, select the elements of the graph you want to show or hide:
    • Execution Sequence — Hides or shows numbers on the events to determine the order in which events occurred.
    • Name of Relationships — Hides or shows the names of the events. For more information, see Indicators of Attack Events.
    • Name of Entities — Hides or shows the names of entities (such as processes, files, or communication or operation targets).

Graph Nodes and Arrows

The graph illustrates a set of events with nodes and arrows to show entities and the relationship between them. The node that triggered the IOA is at the center of the graph, surrounded by a subset of nodes related to the IOA. The graph displays three levels of nodes above the main node, as well as nodes one level below the main node.

Nodes represent the entities that participate in an operation (processes, files, or communication or operation targets) and arrows represent operations. The numbers on the arrow indicate the order in which the events were recorded. When you select a node, the information pane displays details of the events that occurred. For more information, see Indicators of Attack Events.

  • To select a single node on the graph, click the node.
  • To select multiple non-contiguous nodes on the graph, press and hold the Ctrl or Shift key and click the nodes you want to select.
  • To select multiple contiguous nodes on the graph, press and hold the Ctrl or Shift key, and click an empty area of the graph. Drag the mouse to draw a selection box that covers all the nodes you want to select.
    When you select and right-click several nodes on the graph, the options that apply to all selected nodes show in the shortcut menu.

Node and Status Icons

The color of a node indicates whether the item is classified as malware (red), suspicious or unclassified (orange), or goodware (green). These node icons are used to represent different entities in an operation.

Icon Description
Process If it belongs to a known
software package, the icon is shown.
Remote thread
Library
Protection
Folder
Non-executable file
Compressed file
Executable file
Script file
Windows registry branch value
URL used in a communication
IP address in a communication

Status icons indicate the action taken on the node.

Icon Action
File deleted
File disinfected
File quarantined
Process deleted

Show Child Nodes

The graph can show up to a maximum of 25 nodes at the same level. When there are more than 25 nodes, the graph shows no nodes. An icon in the bottom left corner of a node indicates that the node has hidden child nodes.

To show child nodes:

  1. Right-click a node.
    A shortcut menu opens.
  2. Select one of the available options:
    • Show Parent — Shows the parent nodes of the selected node.
    • Show All Activity (number) — Shows all the child nodes of the node regardless of the type. The maximum number of nodes shown is 25. The total number of events that link the parent node with the child node shows.
    • Show Children — Opens a drop-down list. Select the type of child nodes to show and select the number of nodes for each type. The types of nodes include:
      • Data files (files with unidentified information)
      • Script files (files with command sequences)
      • DNS (domains that failed to resolve the IP)
      • Windows registry entries
      • Compressed files
      • PE files (executable files)
      • Remote threads
      • IPs (IP addresses for either end of the communication)
      • Libraries
      • Processes
      • Protection (action taken by the antivirus)

Move and Delete Nodes

Move and delete nodes to focus the graph on the information you want to see.

To move a single node, select the node and drag it to a new location.
All lines that connect the node with its neighbors move and adjust themselves to the new location of the node.

To move the graph to see other nodes:

  1. Click an empty area of the graph.
  2. Drag the graph in the appropriate direction.

To delete a single node:

  1. Right-click the node you want to delete.
    The context menu opens.
  2. Select Delete (x).
    A dialog box opens and shows the total number of nodes that will be deleted from the graph. This includes the selected node and its child nodes.
  3. Click OK.

To delete multiple nodes:

  1. Press and hold the Ctrl key.
  2. Click the nodes you want to delete.
  3. Right-click one of the nodes.
    The shortcut menu opens.
  4. Select Delete (x).
    A dialog box opens and shows the total number of nodes that will be deleted from the graph. This includes the selected nodes and their child nodes.
  5. Click OK.

Arrows

The color of the arrows indicates whether WatchGuard EPDR or WatchGuard EDR blocked or allowed the action.

  • Red — The action was classified as a threat and blocked.
  • Black — The action was allowed.

The thickness of the arrow represents the number of times the same type of action was executed between two nodes. The greater the number of actions, the thicker the arrow.

When you click an arrow, the information panel shows the dates when the first and last actions in the group occurred. The direction of the arrow indicates the direction of the action.

The numbers on the arrows indicate the order in which the event was recorded. When you click the label of an arrow, the information pane displays the events that occurred. For more information, see Indicators of Attack Events.

Timeline

The timeline is located below the graph. It includes a histogram with green bars that represent the events carried out by a threat. Point to the bars to show a tooltip of the number of events and the date they were logged.

Timeline Controls

You can blur the nodes and relationships that occurred outside a selected time range. The controls at the bottom of the timeline enable you to position the view at the precise moment when the threat carried out an action and retrieve extended information that can help you complete a forensic analysis.

  • To select a specific interval on the timeline, drag the gray interval selectors to the left or right. The graph shows the events and nodes that occurred within the interval. Other events and nodes are blurred.
  • To see the full path of the timeline, select First Node, and then click Start.
  • To set the travel speed, click 1x and select a speed option.

These controls are available below the timeline.

  • Start — Starts the timeline at a constant speed of 1x. The graphs and lines representing the actions appear while display as the timeline progresses.
  • 1x — Sets the speed of the timeline.
  • Stop — Stops the progress of the timeline.
  • + and - — Zooms in and zooms out of the timeline.
  • < and > — Select the previous or subsequent node.
  • Initial zoom — Restores the initial zoom level if you zoomed in or out with the + and – buttons.
  • Select all nodes — Moves the time selectors to cover the whole timeline.
  • First node — Sets the time interval to the start of the timeline.

See Also

Indicator of Attack Details