About Nodes and Arrows in Investigation Graphs

Applies To: WatchGuard Advanced EPDR

The investigation graph window uses colors, information panels, and other resources to show entities and the relationships between them. WatchGuard Endpoint Security uses the Process Tree template to present this information in graphs. This template is a graphical representation of the execution tree for a specific process, where nodes are the entities that participate in an operation (such as processes, files, or communication or operation targets) and arrows are the operations themselves.

These are the different properties of a graph:

  • Node Colors and Icons — Classify a node by its threat classification, by the type of entity that participated in the operation, and by the action taken on the item.
  • Arrow Colors and Styles — Indicate whether the action was blocked or allowed, the number and direction of the actions executed between two nodes, and the order in which the actions were recorded.

Node Colors and Icons

The label on a node indicates the name of the entity. When you click an entity, an information pane opens on the right with information about the entity. The node color indicates the type of threat.

Color and description:

  • Malware color — Item classified as malware.
  • PUP color — Item classified as a PUP, suspicious, or unclassified item.
  • Original color (no change) — Item classified as goodware.

Node icons represent the different entities that participated in an operation.

Icon and description:

  • Process — If the process belongs to a known software package, the icon of that package is shown.
  • Executable file
  • Library
  • Script file
  • Non-executable file
  • Compressed file
  • Folder
  • Windows registry branch value
  • Remote thread
  • URL used in a communication
  • IP address in a communication
  • Protection

Status icons indicate the action taken on an item.

Icon and description:

  • File deleted
  • File quarantined
  • File disinfected
  • Process deleted

Arrow Colors and Styles

The label on an arrow indicates the name of the action taken by the process. When you click the label, an information pane describes the event that occurred.

The color of the arrows indicates whether WatchGuard Endpoint Security blocked or allowed the action.

  • Red — The action was classified as a threat and blocked by the protection software.
    • Block
    • BlockTimeout
    • BlockExploit
    • BlockBL
    • Disinfect
    • Delete
    • Quarantine
    • KillProcess
    • IPBlocked
  • Black — The action was allowed.

Arrow Styles

The numbers on the arrows indicate the order in which the events were recorded. The arrow style indicates the number and direction of the actions executed between two nodes:

  • Arrow Thickness — Represents the number of times the same type of action was executed between the same two nodes. The greater the number of actions, the thicker the arrow. When you click an arrow, the information panel shows the dates on which the first and last actions in the group occurred.
  • Arrow Direction — Indicates the direction of the action, from the node that performed it to the node it was performed on.

Default Display

By default, the graph displays horizontally with the selected node at the center, surrounded by a subset of the nodes related to it:

  • The graph displays up to three levels of nodes above the main node.
  • The graph displays one level of nodes below the main node.

The graph can show a maximum of 25 nodes at the same level. When a level has more than 25 nodes, the graph shows no nodes for that level.
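The following script is an added example, not code from WatchGuard or from the product; it models how the arrows described under Arrow Styles and the subset described under Default Display can be derived from raw operation records. It groups repeated same-type actions between two nodes into one arrow (count for thickness, first and last date for the information panel), colors an arrow red when its action name is one of the blocked actions the page lists, and then selects the nodes the default view would show around a focus node: three levels of parents, one level of children, and nothing for a level that exceeds 25 nodes. The event records, node names, and the use of a "protection" node as the source of the Quarantine action are constructed assumptions of this example.

```python
from collections import defaultdict

# Action names the page lists as drawn in red (blocked by the protection).
BLOCKED_ACTIONS = {
    "Block", "BlockTimeout", "BlockExploit", "BlockBL", "Disinfect",
    "Delete", "Quarantine", "KillProcess", "IPBlocked",
}

# Constructed sample telemetry, not product output. Each record is
# (sequence number, timestamp, source node, action, target node).
# Using a "protection" node as the source of the Quarantine action is an
# assumption of this example about how the Protection entity is modelled.
EVENTS = [
    (1, "2024-03-01T10:00:00", "winword.exe", "CreateProcess", "cmd.exe"),
    (2, "2024-03-01T10:00:01", "cmd.exe", "CreateProcess", "powershell.exe"),
    (3, "2024-03-01T10:00:02", "powershell.exe", "Connect", "203.0.113.5"),
    (4, "2024-03-01T10:00:03", "powershell.exe", "Connect", "203.0.113.5"),
    (5, "2024-03-01T10:00:05", "powershell.exe", "Connect", "203.0.113.5"),
    (6, "2024-03-01T10:00:06", "powershell.exe", "CreateFile", "payload.exe"),
    (7, "2024-03-01T10:00:07", "powershell.exe", "CreateProcess", "payload.exe"),
    (8, "2024-03-01T10:00:08", "protection", "Quarantine", "payload.exe"),
]


def arrow_color(action):
    """Red for the blocked-action names, black for everything that was allowed."""
    return "red" if action in BLOCKED_ACTIONS else "black"


def build_arrows(events):
    """Merge events into arrows keyed by (source, action, target).

    Repeated actions of the same type between the same two nodes collapse
    into one arrow: 'count' drives the thickness, 'first'/'last' are the
    dates the information panel shows, and 'seq' is the order number of
    the first event in the group.
    """
    arrows = {}
    for seq, ts, src, action, dst in sorted(events):
        key = (src, action, dst)
        if key not in arrows:
            arrows[key] = {"count": 1, "first": ts, "last": ts,
                           "seq": seq, "color": arrow_color(action)}
        else:
            arrows[key]["count"] += 1
            arrows[key]["last"] = ts
    return arrows


def default_view(arrows, focus, levels_up=3, levels_down=1, max_per_level=25):
    """Return the set of nodes the default display shows around `focus`:
    up to `levels_up` levels of parents, `levels_down` levels of children,
    and no nodes at all for a level that exceeds `max_per_level`."""
    parents, children = defaultdict(set), defaultdict(set)
    for src, _, dst in arrows:
        parents[dst].add(src)
        children[src].add(dst)

    shown = {focus}

    def expand(neighbours, depth):
        frontier = {focus}
        for _ in range(depth):
            level = set()
            for node in frontier:
                level |= neighbours[node]
            level -= shown
            if not level or len(level) > max_per_level:
                return  # nothing left, or the level is over the cap: show none of it
            shown.update(level)
            frontier = level

    expand(parents, levels_up)
    expand(children, levels_down)
    return shown


if __name__ == "__main__":
    arrows = build_arrows(EVENTS)
    for (src, action, dst), a in sorted(arrows.items(), key=lambda kv: kv[1]["seq"]):
        print(f"{a['seq']:>2} {src} -[{action} x{a['count']}, {a['color']}]-> {dst}")
    print(sorted(default_view(arrows, "powershell.exe")))
```

Run as a script, it prints one line per merged arrow (the three Connect events become a single arrow with count 3) and the node set the default view would show around powershell.exe. Lowering `max_per_level` below the size of a level shows how the cap hides that entire level rather than truncating it.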

Show Child Nodes

The M icon in the bottom-left corner of a node indicates that the node has hidden child nodes. To show them, right-click the node and select one of these options from the menu that opens:

  • Show Parent — Shows the parent nodes of the selected node.
  • Show All Activity (Number) — Shows all child nodes regardless of their type, up to a maximum of 25 nodes. The total number of events that link the parent node with its child nodes is also shown.
  • Show Children — Opens a drop-down list. Select the type of child nodes you want to show and the number of nodes of each type. The types of nodes are:
    • Data Files — Files with unidentified content.
    • Script Files — Files that contain command sequences.
    • Downloads — Data files downloaded from the Internet or the network.
    • DNS — Domain names that failed to resolve to an IP address.
    • Windows Registry Entries — Entries in the Windows registry.
    • Compressed Files — Compressed data files.
    • PE Files — Executable (PE) files.
    • Remote Threads — Remote threads.
    • IPs — IP addresses at either end of a communication.
    • Libraries — Libraries.
    • Processes — Processes.
    • Protection — Actions taken by the antivirus protection.

When you select several nodes on the graph and right-click, the menu shows only the options that apply to all of the selected nodes.

Related Topics

Investigation Graph Window

Configure Graph Settings