Attack Graph FAQ

This article details the Attack Graph feature for entities in the Vectra UI.

Overview

Prior to the launch of Attack Graph, when viewing a host or account entity, the only visualization of an attack's progression was the scoring timeline, which showed how the entity's score changed over time:

Now there are three options; clicking the Attack Graph icon lets you select between the three views (Attack Flow is shown below):

  • Attack Graph

    • A radial representation of the Attack Graph.

  • Attack Flow

    • A tree view that shows host or account entities that are targeting the host or account entity in the middle.

  • Attack Timeline

    • The existing scoring timeline as seen in the top screenshot above.

Attack Graph Details

C2 Detections now show a “blast radius,” meaning that the attack graph will automatically expand to show all entities with a detection involving the same C2 domain or IP as the selected entity. This will give visibility into all entities that are affected by the same C2 infrastructure.

In the above example you can see that piper-desktop and dc2-aws-us-west-01 hosts were added to the attack graph for Deacon-desktop. They all share the same C2 domain fra16s18-in-f129.1e100.net that was identified in the Hidden HTTPS Tunnel.

Attack Flow Details

In the example above, the left side of the graph shows any entities that are targeting the host or account that the graph is centered on.

  • The Hidden HTTPS Tunnel is connected to an external host.

  • The Internal Stage Loader and Suspicious Remote Execution detections originated from piper-desktop and targeted Deacon-desktop.

  • While not specifically targeting Deacon-desktop from an attacker perspective, the New Host detection shows the MAC and IP addresses that were observed for this host when it was discovered as a New Host in the environment.

    • This is shown on the left side as it helps to add to the narrative around the host: it's new, it is being targeted by two detections from piper-desktop, and it has a Hidden HTTPS Tunnel.

    • On the right side, it has several attacker behaviors that targeted other internal entities.

For internal host or account entities, the entity is shown on the left side whenever the target of the detection is internal. For external host or account entities, the entity is shown on the left side only when the detection in question is one of the following:

  • Hidden DNS Tunnel

  • Hidden HTTPS Tunnel

  • Hidden HTTP Tunnel

  • Hidden Tunnel

  • Suspicious HTTP

  • ICMP Tunnel

  • ICMP Tunnel: Client

  • ICMP Tunnel: Server

  • Azure AD Suspicious Activity from Cloud Provider

  • Azure AD Suspected Compromised Access

  • Azure AD MFA-Failed Suspicious Sign-On

  • Azure AD Brute-Force Attempt

  • Azure AD Successful Brute-Force

  • Azure AD Successful Brute-Force - Failed Login

  • Azure AD Login Attempt to Disabled Account

  • Azure AD Suspicious Sign-On

  • O365 Account Brute-Force

  • New Host
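The placement and blast-radius rules above can be modelled as a small program. This is an added illustration written for this article, not Vectra's implementation: the entity names come from the page's walkthrough, fileserver-01 and the detections list are constructed, and the split into an Attack Flow left/right classifier and a C2 blast-radius expansion is an assumption about how the described behaviour could be expressed.

```python
from __future__ import annotations
from dataclasses import dataclass
# Detection types that let an external entity appear on the LEFT of Attack Flow (the page's list).
EXTERNAL_LEFT_TYPES = {
    "Hidden DNS Tunnel", "Hidden HTTPS Tunnel", "Hidden HTTP Tunnel", "Hidden Tunnel", "Suspicious HTTP",
    "ICMP Tunnel", "ICMP Tunnel: Client", "ICMP Tunnel: Server", "O365 Account Brute-Force", "New Host",
    "Azure AD Suspicious Activity from Cloud Provider", "Azure AD Suspected Compromised Access",
    "Azure AD MFA-Failed Suspicious Sign-On", "Azure AD Brute-Force Attempt", "Azure AD Successful Brute-Force",
    "Azure AD Successful Brute-Force - Failed Login", "Azure AD Login Attempt to Disabled Account",
    "Azure AD Suspicious Sign-On",
}

@dataclass(frozen=True)
class Detection:
    dtype: str             # detection type name
    src: str               # entity the behaviour originated from
    dst: str               # entity the behaviour targeted
    c2: str | None = None  # C2 domain/IP, set only for command-and-control detections

def attack_flow(center: str, detections: list[Detection], internal: set[str]):
    """Return (left, right): the entities drawn on each side of the centred entity."""
    left, right = set(), set()
    for d in detections:
        if center not in (d.src, d.dst):
            continue
        other = d.dst if d.src == center else d.src
        if other in internal:
            # Internal entity: on the left only when it is the one targeting the centre.
            (left if d.dst == center else right).add(other)
        elif d.dtype in EXTERNAL_LEFT_TYPES:
            left.add(other)   # external entity: on the left only for the listed detection types
        else:
            right.add(other)
    return left, right
def blast_radius(center: str, detections: list[Detection]) -> set[str]:
    """Entities that have a detection on the same C2 domain/IP as a C2 detection on the centre."""
    c2s = {d.c2 for d in detections if d.c2 and center in (d.src, d.dst)}
    return {e for d in detections if d.c2 in c2s for e in (d.src, d.dst) if e != center and e not in c2s}

# Constructed sample modelled on the page's walkthrough (fileserver-01 is made up).
INTERNAL = {"Deacon-desktop", "piper-desktop", "dc2-aws-us-west-01", "fileserver-01"}
C2 = "fra16s18-in-f129.1e100.net"
DETECTIONS = [
    Detection("Hidden HTTPS Tunnel", "Deacon-desktop", C2, c2=C2),
    Detection("Hidden HTTPS Tunnel", "piper-desktop", C2, c2=C2),
    Detection("Hidden HTTPS Tunnel", "dc2-aws-us-west-01", C2, c2=C2),
    Detection("Internal Stage Loader", "piper-desktop", "Deacon-desktop"),
    Detection("Suspicious Remote Execution", "piper-desktop", "Deacon-desktop"),
    Detection("Suspicious Remote Execution", "Deacon-desktop", "fileserver-01"),
]
```

Centred on Deacon-desktop, the model places piper-desktop and the external C2 host on the left and fileserver-01 on the right, and the blast radius pulls in piper-desktop and dc2-aws-us-west-01 exactly as the screenshot walkthrough describes.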

Focused View

This feature is live in RUX deployments today and is scheduled to be available for QUX deployments in the 9.6 release.

This is a new feature that will continue to evolve over time and is based on Vectra's AI perspective. The goal is to reduce information overload that can happen in some graphs that contain many nodes and edges. It was designed to produce:

  • Less clutter, just a focused view on the links that matter.

  • Less interpretation, just a clear view on how the attack progressed.

  • Less confusion, just a clear perspective on what to look at.

Initially, this filter removes Recon and Info detections from view on the Attack Graph/Flow. While these detections do help contribute to the overall story of an attack, they often do not need remediation actions taken on targeted host and account entities and typically won't be the initial focus of an investigation. The filter will be enabled by default in most cases but can easily be toggled off to see all details. When there is a low number of host or account entities or detections, the filter won't be enabled by default. Please see below for examples with the filter on and off:

Filter On:

Filter Off:

Supported Detection Types

The following detection types are planned to be added in the future, and do not currently show in Attack Graph or Attack Flow views:

  • AWS User Hijacking

  • AWS User Permissions Enumeration

  • All CDR for Azure detections

  • Suspect Brute Force Activity

  • Suspect Protocol Activity

  • Suspect Kerberos Activity

  • Suspect LDAP Activity

  • Suspect NTLM Activity

  • Suspect SMB Activity

  • Suspicious Relay

  • Suspicious Kerberos Client

  • Kerberos Server Access

  • Credential Access via NTLM Relay

  • M365 Copilot Sensitive Data Discovery

  • Azure AD Cross-Tenant Access Change

  • Shell Knocker Client

  • Shell Knocker Server

  • SMB Brute-Force

  • SMB Account Scan

  • M365 Suspicious SharePoint Operation

  • Azure AD Suspicious Operation

  • M365 Suspicious Sign-on Activity

  • Vectra Threat Intelligence Match

All other detections that you are licensed for are supported for the Attack Graph feature.
