The Relationship Graph page in the QRadar® Advisor with Watson™ app shows you
details about the selected incident you are investigating. By filtering through the observables and
viewing the relationships, you can learn more about the offense.
Before you begin
You must submit an offense to Watson for investigation, or configure offenses to be investigated automatically, before you can view the relationship graph.
About this task
On the Relationship Graph page, you can view the results of your investigation in graph form. The relationship graph shows insights that are found during each phase of the investigation.
Procedure
- Click Graph Relationships to open the Relationship Graph page.
  - From the Watson Investigations page, click an offense and then click Graph Relationships.
  - From the Offense page, double-click an offense. Click Graph Relationships.
- On the Relationship Graph page, you can view the resulting graph. The graph uses colors and icons to illustrate the following information:

  Example observable | Description
  (icon) | Yellow highlight indicates the root node.
  (icon) | Red icons represent malicious nodes.
  (icon) | Blue circled icons indicate clustered nodes. The number specifies how many nodes are clustered.
  (icon) | Double circled icons indicate assets that have a high value as assigned in your QRadar system. The number specifies the asset weight that is assigned to the asset. Assets that are assigned a weight of 7 or higher are shown as high value assets (available in V1.9.0 or later).
  (icon) | Double circled user icons indicate important user and machine service accounts that are considered high value. Note: High value users or service accounts are found in the following reference sets: "UBA : Executive Users" and "UBA : Service, Machine Account".
- Determine whether you agree, disagree, or are not sure of Watson's evaluation of the offense priority. You can also click Change Evaluation to change your evaluation of the offense priority. Tip: The more offenses you evaluate, the better the model will become at learning your environment.
- Use the following filter options to view specific data on the graph:

  Table 1. Filter graph
  Filter options | Description
  Relationships | Select a relationship to focus on local and enhanced links.
  Scenarios | Shows the option to focus on Malware Executed, if configured.
  Concern | Select a concern level to focus on specific concern levels.
  Observables | Select observable types to focus on specific details of the incident. The observables that are shown on the graph are sized to represent relevance as indicated by the concern level. For more information, see Viewing details for the selected observable or relationship.
  MITRE ATT&CK Tactics & Techniques | Select tactics and any associated techniques to focus on specific events related to the offense.
  References | Depending on the observable you select, you can filter on the following associated data sources:
- Click an observable or relationship on the graph to open the details pane.
- Click Export to select an export type from the following choices:

  Option | Description
  Export to STIX | Click Export to STIX to download the analysis results of your investigation in STIX format. For more information, see Exporting your analysis results to STIX.
  Export to CSV | Click Export to CSV to download the analysis results of your investigation in CSV format. For more information, see Exporting your analysis results to CSV.
  Export to Reference Set | Click Export to Reference Set to select observable types, and then click Export to export sufficiently toxic observables that are found during the investigation. Note: You do not have to create the reference set before an export occurs. The reference set is created only when the analysis contains values to export. For more information, see Exporting reference sets.
Example
The following example shows the light theme UI of the relationship graph on QRadar Advisor with Watson 2.6.0.
The following example shows the dark theme UI of the relationship graph on QRadar Advisor with Watson 2.6.0 and QRadar Analyst Workflow 1.2.0.