|
| 1 | +--- |
| 2 | +slug: /serverless/security/visual-event-analyzer |
| 3 | +title: Visual event analyzer |
| 4 | +description: Examine events and processes in a graphical timeline. |
| 5 | +tags: [ 'serverless', 'security', 'how-to' ] |
| 6 | +status: in review |
| 7 | +--- |
| 8 | + |
| 9 | +<DocBadge template="technical preview" /> |
| 10 | +<div id="visual-event-analyzer"></div> |
| 11 | + |
| 12 | +((elastic-sec)) allows any event detected by ((elastic-endpoint)) to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Examining events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations. |
| 13 | + |
| 14 | +<DocCallOut title="Tip"> |
| 15 | +If you're experiencing performance degradation, you can <DocLink slug="/serverless/security/advanced-settings" section="exclude-cold-and-frozen-tier-data-from-analyzer-queries">exclude cold and frozen tier data</DocLink> from analyzer queries. |
| 16 | +</DocCallOut> |
| 17 | + |
| 18 | +<div id="find-events-analyze"></div> |
| 19 | + |
| 20 | +## Find events to analyze |
| 21 | + |
| 22 | +You can only visualize events triggered by hosts configured with the ((elastic-defend)) integration or any `sysmon` data from `winlogbeat`. |
| 23 | + |
| 24 | +In KQL, this translates to any event with the `agent.type` set to either: |
| 25 | + |
| 26 | +* `endpoint` |
| 27 | +* `winlogbeat` with `event.module` set to `sysmon` |
| 28 | + |
| 29 | +To find events that can be visually analyzed: |
| 30 | + |
| 31 | +1. First, display a list of events by doing one of the following: |
| 32 | + * Go to **Explore** → **Hosts**, then select the **Events** tab. A list of all your hosts' events appears at the bottom of the page. |
| 33 | + * Go to **Alerts**, then scroll down to the Alerts table. |
| 34 | + |
| 35 | +1. Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting **Enter**: |
| 36 | + * `agent.type:"endpoint" and process.entity_id :*` |
| 37 | + |
| 38 | + Or |
| 39 | + |
| 40 | + * `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *` |
| 41 | + |
| 42 | +1. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the Hosts, Alerts, and Timelines pages, as well as the alert details flyout. |
| 43 | + |
| 44 | + <DocCallOut title="Tip"> |
| 45 | + Turn on the `securitySolution:enableVisualizationsInFlyout` <DocLink slug="/serverless/security/advanced-settings" section="visualizations-in-flyout">advanced setting</DocLink> to access the event analyzer from the **Visualize** tab in the alert or event details flyout. |
| 46 | + </DocCallOut> |
| 47 | + |
| 48 | + <DocImage size="xl" url="../images/visual-event-analyzer/-detections-analyze-event-button.png" alt="Shows analyze event option" /> |
| 49 | + |
| 50 | + <DocCallOut title="Note"> |
| 51 | + Events that cannot be analyzed will not have the **Analyze event** option available. This might occur if the event has incompatible field mappings. |
| 52 | + </DocCallOut> |
| 53 | + |
| 54 | +  |
| 55 | + |
| 56 | + <DocCallOut title="Tip"> |
| 57 | + You can also analyze events from <DocLink slug="/serverless/security/timelines-ui">Timelines</DocLink>. |
| 58 | + </DocCallOut> |
| 59 | + |
| 60 | +<div id="visual-analyzer-ui"></div> |
| 61 | + |
| 62 | +## Visual event analyzer UI |
| 63 | + |
| 64 | +Within the visual analyzer, each cube represents a process, such as an executable file or network event. Click and drag in the analyzer to explore the hierarchy of all process relationships. |
| 65 | + |
| 66 | +To understand what fields were used to create the process, select the **Process Tree** to show the schema that created the graphical view. The fields included are: |
| 67 | + |
| 68 | +* `SOURCE`: Can be either `endpoint` or `winlogbeat` |
| 69 | +* `ID`: Event field that uniquely identifies a node |
| 70 | +* `EDGE`: Event field which indicates the relationship between two nodes |
| 71 | + |
| 72 | + |
| 73 | + |
| 74 | +Click the **Legend** to show the state of each process node. |
| 75 | + |
| 76 | + |
| 77 | + |
| 78 | +Use the date and time filter to analyze the event within a specific time range. By default, the selected time range matches that of the table from which you opened the alert. |
| 79 | + |
| 80 | + |
| 81 | + |
| 82 | +Select a different data view to further filter the alert's related events. |
| 83 | + |
| 84 | + |
| 85 | + |
| 86 | +To expand the analyzer to a full screen, select the **Full Screen** icon above the left panel. |
| 87 | + |
| 88 | + |
| 89 | + |
| 90 | +The left panel contains a list of all processes related to the event, starting with the event chain's first process. **Analyzed Events** — the event you selected to analyze from the events list or Timeline — are highlighted with a light blue outline around the cube. |
| 91 | + |
| 92 | + |
| 93 | + |
| 94 | +In the graphical view, you can: |
| 95 | + |
| 96 | +- Zoom in and out of the graphical view using the slider on the far right |
| 97 | +- Click and drag around the graphical view to more process relationships |
| 98 | +- Observe child process events that spawned from the parent process |
| 99 | +- Determine how much time passed between each process |
| 100 | +- Identify all events related to each process |
| 101 | + |
| 102 | + |
| 103 | + |
| 104 | +<div id="process-and-event-details"></div> |
| 105 | + |
| 106 | +## Process and event details |
| 107 | + |
| 108 | +To learn more about each related process, select the process in the left panel or the graphical view. The left panel displays process details such as: |
| 109 | + |
| 110 | +* The number of events associated with the process |
| 111 | +* The timestamp of when the process was executed |
| 112 | +* The file path of the process within the host |
| 113 | +* The `process-pid` |
| 114 | +* The user name and domain that ran the process |
| 115 | +* Any other relevant process information |
| 116 | +* Any associated alerts |
| 117 | + |
| 118 | + |
| 119 | + |
| 120 | +When you first select a process, it appears in a loading state. If loading data for a given process fails, click **Reload `{process_name}`** beneath the process to reload the data. |
| 121 | + |
| 122 | +Access event details by selecting that event's URL at the top of the process details view or choosing one of the event pills in the graphical view. |
| 123 | + |
| 124 | +Events are categorized based on the `event.category` value. |
| 125 | + |
| 126 | + |
| 127 | + |
| 128 | +When you select an `event.category` pill, all the events within that category are listed in the left panel. To display more details about a specific event, select it from the list. |
| 129 | + |
| 130 | + |
| 131 | + |
| 132 | +<DocCallOut title="Note"> |
| 133 | +There is no limit to the number of events that can be associated with a process. |
| 134 | +</DocCallOut> |
| 135 | + |
| 136 | +You can also examine alerts associated with events. |
| 137 | + |
| 138 | +To examine alerts associated with the event, select the alert pill (**_x_ alert**). The left pane lists the total number of associated alerts, and alerts are ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert's details. |
| 139 | + |
| 140 | +In the example screenshot below, five alerts were generated by the analyzed event (`lsass.exe`). The left pane displays the associated alerts and basic information about each one. |
| 141 | + |
| 142 | + |
![mergify[bot]](https://avatars.githubusercontent.com/in/10562?v=4&size=40){kind=avatar}
0 commit comments