
Event Lineage

Note

The terms Alerts and Investigations have recently been changed to Detections and Cases in Taegis XDR. You may still see references to the old terms while we continue to work towards platform convergence of Sophos and Taegis technologies. For more information, see Taegis Terminology Updates.

The Lineage tab in process and detection finding events displays a visual, interactive view of the process tree, including the ancestry of the process you're viewing, how many child processes exist, and how many detections are associated with each process. It helps you understand how a sequence of events developed, where it may have impacted your environment, and what the results were.

View a Lineage

  1. Access a lineage by opening a process or detection finding event details page. Events are visible in search results, cases, and from detection details pages.
  2. From the event details, select the Lineage tab.
  3. A graph displays the process you are viewing with any ancestry and child processes.

Lineage Tab

Note

Lineage displays only processes from the last 30 days; older processes are not shown. If the source process event itself is more than 30 days old, the Lineage tab is disabled.

Tip

Search for process and detection finding events in Query Editor with the following queries: FROM process and FROM detectionfinding.

Explore a Lineage

The lineage graph may show the following information, when available:

Lineage Graph

  1. Process creation date and time
  2. An icon indicating a process is elevated
  3. Process name
  4. Orange highlighted icon indicating detections are associated with the process
  5. Count of associated detections, key activities, or related events
  6. The number of hidden child processes of a process
  7. The time difference between two processes
  8. An icon indicating a process is blocked
  9. An icon indicating a process is the source event

Tip

Select the Legend tooltip at the top right of the graph to see the list of icons that may appear in the graph and their meanings.

Lineage Legend

See More Details of a Process

See more details of a process in the following ways:

  • Hover over a process node to show basic details, the full image path, username with annotation if the user is an admin, and a link to open the event details in a new tab.

    Hover Over a Process

  • Click a process node in the lineage to open the Info tab below the graph.

    Open Info Tab

    The Info tab shows process details and the command line. Take the following actions from the Info tab:

    • Select the Process Name to open the event details in a new tab.
    • Select the Magnifying Glass next to a field to perform a pivot search based on that field.

Tip

To resize, use the handle above the tabs below the graph.

See Key Activities

The Key Activities tab below the graph shows any key activities associated with the selected process node that were generated by Sophos Endpoint Agents.

Note

The Key Activities tab only shows if you have Sophos Agents in your environment.

View the Key Activities tab in two ways:

  • Select the Key Activities link below a process node in the graph.
  • Alternatively, select a process node in the graph and then select the Key Activities tab.

Open Key Activities Tab

Key activities are surfaced from Sophos Agents, which capture endpoint events that have security value. These are snapshots of processes performing actions that could be indicators of compromise, are potentially suspicious, and require elevation within the process lineage.

Key activities comprise the following:

  • Event type: The event as surfaced by the underlying detection event triggered on the endpoint.
  • Activity value: Key data surfaced from the event.
  • Raw Data: The entire raw data object. Click View Raw Data to see this in a drawer.

    Key Activity Raw Data

See Child Processes

The Child Processes tab below the graph shows child process events of the selected process node. View the Child Processes tab in two ways:

  • Select a count of child processes from the graph.
  • Alternatively, select a process node in the graph and then select the Child Processes tab.

Open Child Processes Tab

Select a Process Name to open the event details in a new tab.

Show Child Processes in the Lineage

You can add these child processes to the lineage graph to help investigate threats.

  • To add a single process, click the Eye icon from the Actions column. Click the icon again to hide the process.
  • To add multiple processes, use the checkboxes at the left to select the desired processes and click Add to Graph. Use the checkboxes and click Remove from Graph to hide the processes.

Open Child Processes Tab

See Associated Detections

The Detections tab below the graph shows any detections generated from the selected process node. View the Detections tab in two ways:

  • Select a count of detections below a process node in the graph.
  • Alternatively, select a process node in the graph and then select the Detections tab.

Open Detections Tab

Select a Detection Title to open the details in a drawer without losing your place in the lineage graph.

See Related Events

The Related Events tab below the graph shows any related, correlated events associated with the selected process node. Correlation occurs using an algorithm that searches any events in the data lake for your tenant that have matching process identifiers. In other words, they were surfaced from the same process.

This helps you understand the event by examining other related event types captured in your environment.

Related events are labeled by type with a count in the graph beneath the process node. Supported related event types are as follows:

  • DNS (dnsquery)
  • File Mod (filemod)
  • HTTP (http)
  • Netflow (netflow)
  • Registry (registry)
  • Script Block (scriptblock)

All other event types are categorized as Other.

View the Related Events tab in two ways:

  • Select a Related Events link below a process node in the graph.
  • Alternatively, select a process node in the graph and then select the Related Events tab.

Open Related Events Tab

Click Next 3 Days to expand your search for related events in three-day increments past the default window of 24 hours after process creation.

Copy the Lineage

To copy the displayed lineage graph as a text-based process tree of nodes to your clipboard, click Copy from the top right of the graph. You can enhance a case by using this copied tree in the notes.
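The following Python script is an added example, not part of this documentation or of Taegis XDR itself. It models the behaviour this page describes for the lineage graph, the Related Events tab and the Copy action: processes are linked into a tree by parent identifier, related events are correlated to a process by a matching process identifier inside the default 24-hour window after process creation (extendable in 3-day steps, as with Next 3 Days), event types are labelled with the page's categories with everything else as Other, the 30-day availability rule is applied to the source event, and the result is rendered as a text-based process tree of the kind the Copy button places on the clipboard. The event records, field names (pid, parent_pid, elevated, blocked, detections) and the sample process tree are constructed for illustration and do not reflect the Taegis event schema.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Related event labels listed on the page; any other type is shown as "Other".
RELATED_EVENT_LABELS = {
    "dnsquery": "DNS", "filemod": "File Mod", "http": "HTTP",
    "netflow": "Netflow", "registry": "Registry", "scriptblock": "Script Block",
}
DEFAULT_WINDOW = timedelta(hours=24)   # default related-events search window
WINDOW_STEP = timedelta(days=3)        # each "Next 3 Days" click adds this much
LINEAGE_RETENTION = timedelta(days=30)  # Lineage is disabled for older source events


@dataclass
class ProcessEvent:           # hypothetical process event record (constructed)
    pid: str
    parent_pid: str | None
    name: str
    created: datetime
    elevated: bool = False
    blocked: bool = False
    detections: int = 0


@dataclass
class RelatedEvent:           # hypothetical related event record (constructed)
    pid: str
    event_type: str
    timestamp: datetime


def related_event_label(event_type: str) -> str:
    """Map a raw event type to the label used beneath a process node."""
    return RELATED_EVENT_LABELS.get(event_type.lower(), "Other")


def lineage_available(process: ProcessEvent, now: datetime) -> bool:
    """Lineage is only offered when the source event is within the last 30 days."""
    return now - process.created <= LINEAGE_RETENTION


def correlate_related_events(process, events, extra_windows=0) -> dict[str, int]:
    """Count events sharing the process identifier inside the search window."""
    end = process.created + DEFAULT_WINDOW + extra_windows * WINDOW_STEP
    counts: dict[str, int] = defaultdict(int)
    for ev in events:
        if ev.pid == process.pid and process.created <= ev.timestamp <= end:
            counts[related_event_label(ev.event_type)] += 1
    return dict(counts)


def ancestry(index: dict[str, ProcessEvent], pid: str) -> list[ProcessEvent]:
    """Walk parent links from a process to its root; oldest ancestor first."""
    chain, seen, cur = [], set(), index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get(cur.parent_pid) if cur.parent_pid else None
    return list(reversed(chain))


def render_lineage(processes, source_pid, related_events=(), extra_windows=0) -> str:
    """Render the tree rooted at the source's oldest ancestor as indented text."""
    index = {p.pid: p for p in processes}
    children: dict[str | None, list[ProcessEvent]] = defaultdict(list)
    for p in processes:
        children[p.parent_pid].append(p)
    for kids in children.values():
        kids.sort(key=lambda p: p.created)
    lines: list[str] = []

    def walk(proc: ProcessEvent, depth: int) -> None:
        parent = index.get(proc.parent_pid) if proc.parent_pid else None
        delta = "" if parent is None else f" +{proc.created - parent.created}"
        flags = []
        if proc.pid == source_pid: flags.append("source")
        if proc.elevated: flags.append("elevated")
        if proc.blocked: flags.append("blocked")
        if proc.detections: flags.append(f"detections={proc.detections}")
        if children[proc.pid]: flags.append(f"children={len(children[proc.pid])}")
        counts = correlate_related_events(proc, related_events, extra_windows)
        flags.extend(f"{label}={n}" for label, n in sorted(counts.items()))
        suffix = f" [{', '.join(flags)}]" if flags else ""
        lines.append("  " * depth + f"{proc.name} ({proc.created:%Y-%m-%d %H:%M:%S}{delta}){suffix}")
        for child in children[proc.pid]:
            walk(child, depth + 1)

    walk(ancestry(index, source_pid)[0], 0)
    return "\n".join(lines)


# Constructed sample lineage: four processes and a handful of related events.
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_PROCESSES = [
    ProcessEvent("p1", None, "explorer.exe", T0),
    ProcessEvent("p2", "p1", "winword.exe", T0 + timedelta(minutes=2)),
    ProcessEvent("p3", "p2", "powershell.exe", T0 + timedelta(minutes=5), elevated=True, detections=2),
    ProcessEvent("p4", "p3", "cmd.exe", T0 + timedelta(minutes=6), blocked=True, detections=1),
]
SAMPLE_RELATED = [
    RelatedEvent("p3", "dnsquery", T0 + timedelta(minutes=5, seconds=30)),
    RelatedEvent("p3", "http", T0 + timedelta(minutes=6)),
    RelatedEvent("p3", "wmi", T0 + timedelta(minutes=7)),        # unlisted type -> Other
    RelatedEvent("p3", "filemod", T0 + timedelta(days=2)),       # outside the 24h default window
    RelatedEvent("p1", "registry", T0 + timedelta(minutes=1)),
]

if __name__ == "__main__":
    print(render_lineage(SAMPLE_PROCESSES, "p3", SAMPLE_RELATED))
```

Running the script prints the tree for the source process p3, with the File Mod event only appearing once `extra_windows=1` widens the window by three days; the `lineage_available` check is what a caller would apply before attempting to build the tree at all.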