Visual event analyzer
Elastic Security allows any event detected by Elastic Endpoint or supported third-party integrations to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Examining events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations.
If you’re experiencing performance degradation, you can exclude cold and frozen tier data from analyzer queries. This setting is only available for the Elastic Stack.
You can visualize events from the following sources:
- Elastic Defend integration
- Sysmon data collected through Winlogbeat
- Third-party integrations:
- CrowdStrike (Falcon logs collected through Event Stream or FDR)
- SentinelOne Cloud Funnel
- Microsoft Defender for Endpoint
In KQL, this translates to any event with the agent.type set to:
- endpoint
- winlogbeat with event.module set to sysmon
- filebeat with event.module set to crowdstrike
- filebeat with event.module set to sentinel_one_cloud_funnel
- filebeat with event.module set to microsoft_defender_endpoint
The visual analyzer also supports analyzing event.kind: "alert" events from third-party integrations. To view these events, your role must have read privileges for the alerts-security.alerts-* indices.
To find events that can be visually analyzed:
First, display a list of events by doing one of the following:
- Find Hosts in the main menu, or search for Security/Explore/Hosts by using the global search field, then select the Events tab. A list of all your hosts' events appears at the bottom of the page.
- Find Alerts in the main menu or by using the global search field, then scroll down to the Alerts table.
Filter events that can be visually analyzed by entering one of the following queries in the KQL search bar, then selecting Enter:
- agent.type:"endpoint" and process.entity_id : *
- agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *
- agent.type:"filebeat" and event.module: "crowdstrike" and process.entity_id : *
- agent.type:"filebeat" and event.module: "sentinel_one_cloud_funnel" and process.entity_id : *
- agent.type:"filebeat" and event.module: "microsoft_defender_endpoint" and process.entity_id : *
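As an added example (not code from the Elastic documentation or product), the following Python script encodes the same source criteria as the KQL filters above, so that exported event documents can be checked offline for analyzer eligibility and the per-source filters can be regenerated from one table; the sample events and the label format are constructed for illustration.

```python
# Added example (not Elastic code). agent.type -> allowed event.module (None = any).
ANALYZABLE_SOURCES = {
    "endpoint": None,                                   # Elastic Defend
    "winlogbeat": {"sysmon"},                           # Sysmon via Winlogbeat
    "filebeat": {"crowdstrike", "sentinel_one_cloud_funnel",
                 "microsoft_defender_endpoint"},        # third-party integrations
}

def get_field(event, dotted):
    """Resolve a dotted ECS field against a nested or a flattened document."""
    if dotted in event:
        return event[dotted]
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def analyzer_source(event):
    """Return a source label when the event qualifies for the analyzer, else None."""
    if not get_field(event, "process.entity_id"):
        return None  # no process.entity_id: the Analyze event option is unavailable
    agent_type = get_field(event, "agent.type")
    if agent_type not in ANALYZABLE_SOURCES:
        return None
    allowed = ANALYZABLE_SOURCES[agent_type]
    if allowed is None:
        return agent_type
    module = get_field(event, "event.module")
    return f"{agent_type}/{module}" if module in allowed else None

def kql_filters():
    """Build the per-source KQL filters listed on the page from the same table."""
    out = []
    for agent_type, modules in ANALYZABLE_SOURCES.items():
        base = f'agent.type:"{agent_type}"'
        if modules is None:
            out.append(f"{base} and process.entity_id : *")
        for module in sorted(modules or ()):
            out.append(f'{base} and event.module: "{module}" and process.entity_id : *')
    return out

# Constructed sample documents (not real telemetry); one nested, one flattened.
SAMPLE_EVENTS = [
    {"agent": {"type": "endpoint"}, "process": {"entity_id": "ep-1"}},
    {"agent.type": "winlogbeat", "event.module": "sysmon", "process.entity_id": "w-1"},
    {"agent": {"type": "filebeat"}, "event": {"module": "system"}, "process": {"entity_id": "f-1"}},
    {"agent": {"type": "endpoint"}, "process": {"name": "cmd.exe"}},  # no entity_id
]
```

Running `analyzer_source` over an export shows which events will carry the Analyze event option, and the third and fourth samples illustrate the two common reasons it is missing: an unsupported event.module and an absent process.entity_id.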
Events that can be visually analyzed are denoted by a cubical Analyze event icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the Hosts, Alerts, and Timelines pages, as well as the alert details flyout.
Note: Events that cannot be analyzed will not have the Analyze event option available. This might occur if the event has incompatible field mappings.

You can also analyze events from Timelines.
Within the visual analyzer, each cube represents a process, such as an executable file or network event. In the analyzer, you can:
- Zoom in and out of the Analyzer Graph view using the slider
- Click and drag around the Analyzer Graph view to explore the hierarchy of all process relationships
- Observe child process events that spawned from the parent process
- Determine how much time passed between each process
- Identify all events related to each process
Use the following icons to perform more actions:
To understand what fields were used to create the process, select the Process Tree icon to show the schema that created the Analyzer Graph view. The fields included are:
- SOURCE: Indicates the data source, for example, endpoint or winlogbeat
- ID: Event field that uniquely identifies a node
- EDGE: Event field that indicates the relationship between two nodes
Click the Legend icon to show the state of each process node.
Select a different data view to further filter the alert’s related events.
Use the time filter to analyze the event within a specific time range. By default, the selected time range matches that of the table from which you opened the alert.
Click the list icon to open the preview analyzer panel. This displays a list of all processes related to the event, starting with the event chain’s first process. The Analyzed Event, that is, the event you selected to analyze from the events list or Timeline, is highlighted with a light blue outline around the cube.