[Security] Visual event analyzer updates #2606
Status: Open. Wants to merge 4 commits into base: main.
Binary file modified solutions/images/security-alert-pill.png
Binary file removed solutions/images/security-event-details.png
Binary file removed solutions/images/security-event-type.png
Binary file removed solutions/images/security-graphical-view.png
Binary file removed solutions/images/security-node-legend.png
Binary file modified solutions/images/security-process-details.png
Binary file removed solutions/images/security-process-list.png
Binary file removed solutions/images/security-process-schema.png
108 changes: 28 additions & 80 deletions solutions/security/investigate/visual-event-analyzer.md
@@ -53,95 +53,55 @@ To find events that can be visually analyzed:

3. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout.

:::{image} /solutions/images/security-analyze-event-button.png
:alt: analyze event button
:screenshot:
:::

::::{note}
Events that cannot be analyzed will not have the **Analyze event** option available. This might occur if the event has incompatible field mappings.
::::


:::{image} /solutions/images/security-analyze-event-timeline.png
:alt: analyze event timeline
:::{image} /solutions/images/security-analyze-event-button.png
:alt: analyze event button
:screenshot:
:::


::::{tip}
You can also analyze events from [Timelines](/solutions/security/investigate/timeline.md).
::::


::::{tip}
You can also analyze events from [Timelines](/solutions/security/investigate/timeline.md).
::::

## Visual event analyzer UI [visual-analyzer-ui]

Within the visual analyzer, each cube represents a process, such as an executable file or network event. Click and drag in the analyzer to explore the hierarchy of all process relationships.

To understand what fields were used to create the process, select the **Process Tree** to show the schema that created the graphical view. The fields included are:

* `SOURCE`: Indicates the data source—for example, `endpoint` or `winlogbeat`
* `ID`: Event field that uniquely identifies a node
* `EDGE`: Event field which indicates the relationship between two nodes

:::{image} /solutions/images/security-process-schema.png
:alt: process schema
:screenshot:
:::

Click the **Legend** to show the state of each process node.

:::{image} /solutions/images/security-node-legend.png
:alt: node legend
:screenshot:
:::

Use the date and time filter to analyze the event within a specific time range. By default, the selected time range matches that of the table from which you opened the alert.
Within the visual analyzer, each cube represents a process, such as an executable file or network event. In the analyzer, you can:

:::{image} /solutions/images/security-date-range-selection.png
:alt: date range selection
:screenshot:
:::
* Zoom in and out of the Analyzer Graph view using the slider
* Click and drag around the Analyzer Graph view to explore the hierarchy of all process relationships
* Observe child process events that spawned from the parent process
* Determine how much time passed between each process
* Identify all events related to each process

Select a different data view to further filter the alert’s related events.
Use the following icons to perform more actions:

:::{image} /solutions/images/security-data-view-selection.png
:alt: data view selection
:screenshot:
:::
* To understand what fields were used to create the process, select the **Process Tree** icon ({icon}`info`) to show the schema that created the Analyzer Graph view. The fields included are:

To expand the analyzer to a full screen, select the **Full Screen** icon above the left panel.
* `SOURCE`: Indicates the data source—for example, `endpoint` or `winlogbeat`
* `ID`: Event field that uniquely identifies a node
* `EDGE`: Event field that indicates the relationship between two nodes

:::{image} /solutions/images/security-full-screen-analyzer.png
:alt: full screen analyzer
:screenshot:
:::
* Click the **Legend** icon ({icon}`node`) to show the state of each process node.

The left panel contains a list of all processes related to the event, starting with the event chain’s first process. **Analyzed Events** — the event you selected to analyze from the events list or Timeline — are highlighted with a light blue outline around the cube.
* Select a different data view ({icon}`index_settings`) to further filter the alert’s related events.

:::{image} /solutions/images/security-process-list.png
:alt: process list
:screenshot:
:::
* Use the time filter ({icon}`calendar`) to analyze the event within a specific time range. By default, the selected time range matches that of the table from which you opened the alert.

In the graphical view, you can:

* Zoom in and out of the graphical view using the slider on the far right
* Click and drag around the graphical view to more process relationships
* Observe child process events that spawned from the parent process
* Determine how much time passed between each process
* Identify all events related to each process
* Click the list icon ({icon}`editor_unordered_list`) to open the preview analyzer panel. This displays a list of all processes related to the event, starting with the event chain’s first process. The **Analyzed Event**—the event you selected to analyze from the events list or Timeline—is highlighted with a light blue outline around the cube.

:::{image} /solutions/images/security-graphical-view.png
:alt: graphical view
:::{image} /solutions/images/security-visual-event-analyzer.png
:alt: visual event analyzer
:screenshot:
:::


## Process and event details [process-and-event-details]

To learn more about each related process, select the process in the left panel or the graphical view. The left panel displays process details such as:
To learn more about each related process, select the process in the preview analyzer panel or the Analyzer Graph view. The preview analyzer panel then displays process details such as:

* The number of events associated with the process
* The timestamp of when the process was executed
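Review bot: the `:::{image} /solutions/images/security-analyze-event-button.png` block appears twice in this hunk, once in the unchanged context above the `{note}` and once where the `security-analyze-event-timeline.png` block was; if the first copy survives in the new text, the same screenshot renders twice in a row, so drop the earlier block or point the second one at the intended image. A smaller style point in the new "Use the following icons to perform more actions:" list: the first bullet opens with the goal ("To understand what fields were used to create the process, select the **Process Tree** icon") while the others open with the action (Click, Select, Use); leading with "Select the **Process Tree** icon ({icon}`info`) to show the schema ..." keeps the list parallel.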
@@ -157,32 +117,20 @@ To learn more about each related process, select the process in the left panel o
:::

When you first select a process, it appears in a loading state. If loading data for a given process fails, click **Reload `{{process-name}}`** beneath the process to reload the data.
% Is this still valid?
Comment on lines 119 to +120
Contributor Author
Hey @PhilippeOberti, is this statement still true? In the test environment I used, there was no loading state – the process details would appear immediately.


Access event details by selecting that event’s URL at the top of the process details view or choosing one of the event pills in the graphical view.
Access event details by selecting that event’s URL at the top of the process details view or choosing one of the event pills in the Analyzer Graph view. Events are categorized based on the `event.category` value.

Events are categorized based on the `event.category` value.

:::{image} /solutions/images/security-event-type.png
:alt: event type
:screenshot:
:::

When you select an `event.category` pill, all the events within that category are listed in the left panel. To display more details about a specific event, select it from the list.

:::{image} /solutions/images/security-event-details.png
:alt: event details
:screenshot:
:::
When you select an `event.category` pill (for example, **_x_ file** or **_x_ registry**), all the events within that category are listed in the preview analyzer panel. To display more details about a specific event, select it from the list.

::::{note}
- You must have the appropriate [{{stack}}](https://www.elastic.co/pricing) subscription or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) to examine alerts associated with events.
- There is no limit to the number of events that can be associated with a process.
::::

To examine alerts associated with the event, select the alert pill (**_x_ alert**). The preview analyzer panel lists the total number of associated alerts, ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert’s details.

To examine alerts associated with the event, select the alert pill (**_x_ alert**). The left pane lists the total number of associated alerts, and alerts are ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert’s details.

In the example screenshot below, five alerts were generated by the analyzed event (`lsass.exe`). The left pane displays the associated alerts and basic information about each one.
In the example screenshot, the analyzed event (`sdclt.exe`) generated three alerts. The preview analyzer panel displays basic information about each one.

:::{image} /solutions/images/security-alert-pill.png
:alt: alert pill
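Review bot: the `% Is this still valid?` line added under the `Reload {{process-name}}` sentence is an open question for the engineering owner, not documentation; merged as is, it lands in the page source, so resolve it before merge: either drop the loading-state sentence if the behaviour no longer exists, or remove the marker once confirmed. Also, the `{note}` about the required subscription or project tier now sits before the paragraph it qualifies ("To examine alerts associated with the event, select the alert pill"); placing the note directly after that paragraph keeps the requirement next to the instruction it applies to.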