Visual event analyzeredit

Elastic Security allows any event detected by Elastic Endpoint to be analyzed using a process-based visual analyzer. This enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations.

Find events to analyzeedit

You can only visualize events triggered by hosts configured with the Elastic Endpoint Security Integration or any sysmon data from winlogbeat.

In KQL, this translates to any event with the agent.type set to either:

  • endpoint
  • winlogbeat with event.module set to sysmon

To access events that can be visually analyzed:

  1. Select ExploreHostsEvents. A list of all your hosts' events appears at the bottom of the Hosts page.
  2. Create a KQL query that filters all endpoint detected events by entering either agent.type:"endpoint" and process.entity_id : * or agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : * into the KQL search bar, and then selecting Update.

    kql agent type
  3. For the event that you want to analyze, click the More actions button and select Analyze event. The visual analyzer view appears.

    Shows analyze event option

    Events that cannot be analyzed will not have the More actionsAnalyze event option available. This might happen if the event has incompatible field mappings.

    analyze event view

    You can also analyze events from Timelines.

Visual event analyzer UIedit

Inside the visual analyzer, each cube represents a process (e.g. an executable file or network event). Click and drag in timeline view to see all process relationships.

To understand what fields were used to create the process, select the Process Tree to view the schema that created the graphical view. The fields included are:

  • SOURCE: Can be either endpoint or winlogbeat
  • ID: Event field that uniquely identifies a node
  • EDGE: Event field which indicates the relationship between two nodes
process schema

View the Legend to understand the state of each process node.

node legend

To expand the analyzer to a full screen, select the Full Screen icon above the left panel.

full screen analyzer

The left panel contains a list of all processes related to the event, starting with the event chain’s first process. Analyzed Events, as in the event you selected to analyze from either the events list or your timeline, are highlighted by a light blue outline around the cube.

process list

In the graphical view, you can:

  • Zoom in and out of the graphical view using the slider to the right of the timeline
  • Click and drag around the graphical view to more process relationships
  • See the time passed between each process
  • See all events related to each process
graphical view

Process and event detailsedit

To see more details about each related process, select the process in the left panel or the graphical view. The left panel displays process details such as:

  • The number of events associated with the process
  • The timestamp of when the process was executed
  • The file path of the process within the host
  • The process-pid
  • The user name and domain that ran the process
  • Any other relevant process information
process details

When you first select a process, it appears in a loading state. If loading data for a given process fails, click Reload {process-name} beneath the process to reload the data.

See event details by selecting that event’s URL at the top of the process details view or choosing one of the event pills in the graphical view.

Events are categorized based on their event.category.

event type

When you select an event.category, pill, all the events within that category are listed in the left panel. To view more details about a specific event, select it from the list.

event details

In Elastic Stack version >= 7.10.0, there is no limit to the number of events that can be associated with a process. However, in Elastic Stack minor versions < = 7.9.0, each process is limited to only 100 events.