Knowledge Graph
The Knowledge Graph is an interactive visual explorer that maps the relationships between entities involved in a security case. It is designed to help analysts understand how users, processes, endpoints, and external destinations are connected — particularly in complex cases where lateral movement, process trees, or multi-stage attack chains are present.
Accessing the Knowledge Graph
The Knowledge Graph is accessed from within a case in the Investigate module:
- Open a case in the Investigate module.
- In the case detail panel, click the Knowledge Graph tab.
The graph is built from the observations and telemetry records linked to that case.
What the Knowledge Graph Shows
The graph renders entities as nodes and relationships between them as edges. Entity types include:
- Endpoints (devices where activity was observed)
- Processes (executable files and their parent-child relationships)
- Users (identities associated with the activity)
- Network destinations (IP addresses and domains communicated with)
- Files (files created, modified, or accessed during the activity)
Edge labels describe the nature of the relationship — for example, spawned, connected to, wrote, or read.
Key Capabilities
Process tree visualisation
Click any process node to expand the full process execution lineage — parent process, child processes, and any grandchild processes. This is particularly useful for understanding how malware propagated or how a legitimate tool was abused.
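The node-and-edge model and process lineage described above, as an added Python sketch that is not SenseOn code: it builds a graph from constructed observations using the edge labels named on this page, then derives a process's ancestors and descendants and the destinations its subtree contacted. The `type:name#pid` node ids, the sample records and all function names are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed observations as (source, edge label, target); not real telemetry.
# The "type:name" node ids and "#pid" suffix are conventions of this sketch.
OBSERVATIONS = [
    ("process:explorer.exe#4000", "spawned", "process:winword.exe#4100"),
    ("process:winword.exe#4100", "read", "file:invoice.docm"),
    ("process:winword.exe#4100", "spawned", "process:powershell.exe#4200"),
    ("process:powershell.exe#4200", "connected to", "network:203.0.113.10"),
    ("process:powershell.exe#4200", "wrote", "file:update.dll"),
    ("process:powershell.exe#4200", "spawned", "process:rundll32.exe#4300"),
    ("process:rundll32.exe#4300", "read", "file:update.dll"),
    ("process:rundll32.exe#4300", "connected to", "network:198.51.100.7"),
    ("process:explorer.exe#4000", "spawned", "process:chrome.exe#4400"),
    ("process:chrome.exe#4400", "connected to", "network:192.0.2.55"),
]

def build_graph(observations):
    """Index edges by source node and record each process's parent."""
    edges, parent = defaultdict(list), {}
    for src, label, dst in observations:
        edges[src].append((label, dst))
        if label == "spawned":
            parent[dst] = src
    return edges, parent

def lineage(node, edges, parent):
    """Return (ancestors nearest-first, descendants in breadth-first order)."""
    ancestors, seen, cur = [], {node}, node
    while cur in parent and parent[cur] not in seen:  # stop on a cycle (e.g. reused ids)
        cur = parent[cur]
        ancestors.append(cur)
        seen.add(cur)
    descendants, queue = [], [node]
    while queue:
        cur = queue.pop(0)
        for label, dst in edges.get(cur, []):
            if label == "spawned" and dst not in seen:
                seen.add(dst)
                descendants.append(dst)
                queue.append(dst)
    return ancestors, descendants

def reachable(node, edges, parent, label):
    """Targets of `label` edges from the node or any of its descendant processes."""
    _, descendants = lineage(node, edges, parent)
    return sorted({dst for proc in [node] + descendants
                   for lbl, dst in edges.get(proc, []) if lbl == label})
```

Calling `reachable` on the `winword.exe` node with the label `connected to` returns only the destinations contacted by its own subtree, which is the scoping a process tree gives an analyst when unrelated activity shares the same parent.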
Entity detail panel
Click any node to open the detail panel on the right-hand side. The panel shows:
- Entity attributes (process name, file path, IP address, username, etc.)
- The specific observations that link this entity to the case
- A link to the related telemetry record for further investigation
Collaboration
Add a comment to any node in the graph to share context with other analysts. Comments are visible to all users with access to the case.
Navigating the Graph
| Action | How |
|---|---|
| Pan | Click and drag the background |
| Zoom | Scroll wheel or pinch |
| Select a node | Single click |
| Multi-select | Shift + click |
| Expand a node's relationships | Double click |
| Reset the view | Click Reset zoom in the toolbar |
Feedback
If you have suggestions for improving the Knowledge Graph or want to request a new capability (for example, exporting the graph as an image or comparing graphs across cases), contact support@senseon.io.