Viewing the relationship graph

The Relationship Graph page in the QRadar® Advisor with Watson™ app shows you details about the selected incident you are investigating. By filtering through the observables and viewing the relationships, you can learn more about the offense.

Before you begin

You must submit an offense to Watson for investigation or configure offenses to be automatically investigated before you can view the relationship graph.

About this task

On the Relationship Graph page, you can view the results of your investigation in graph form. The relationship graph shows insights that are found during each phase of the investigation.

Procedure

  1. Click Graph Relationships to open the Relationship Graph page.
    • From the Watson Investigations page, click an offense and then click Graph Relationships.
    • From the Offense page, double-click an offense. Click Graph Relationships.
  2. On the Relationship Graph page, you can view the resulting graph. The graph uses colors and icons to illustrate the following information:
    Example observable: Description
    Yellow highlighted icon: Yellow highlight indicates the root node.
    Red icon: Red icons represent malicious nodes.
    Blue circled icon: Blue circled icons indicate clustered nodes. The number specifies how many nodes are clustered.
    Asset with double circle icon: Double circled icons indicate assets that have a high value as assigned in your QRadar system. The number specifies the asset weight that is assigned to the asset. Assets that are assigned a weight of 7 or higher are shown as high-value assets (available in V1.9.0 or later).
    User with double circle icon: Double circled user icons indicate important user and machine service accounts that are considered high value.
      Note: High value users or service accounts are found in the following reference sets: "UBA : Executive Users" and "UBA : Service, Machine Account".
  3. Determine whether you agree, disagree, or are not sure of Watson's evaluation of the offense priority. You can also click Change Evaluation to change your evaluation of the offense priority. Tip: The more offenses you evaluate, the better the model will become at learning your environment.
  4. You can filter the following options to view the specific data on the graph:
    Table 1. Filter graph
    Filter options: Description
    Relationships: Select a relationship to focus on local and enhanced links.
      • Local - in offense: Displays edges and links that are discovered in the local graph generation phase that collects information from your QRadar instance.
      • Watson Enriched: Displays enhanced edges and links that are discovered during the enriched graph generation phase that collects incident information from IBM® X-Force® Exchange.
      • Local - outside offense: Displays edges and links that are related to observables not in the original offense that are discovered in your local QRadar environment during the Watson enriched analysis. The expanded local context analysis provides further evidence of malicious activity.
        Note: If no additional observables are found during the Watson enriched investigation, then nothing is available to investigate for Expanded local context.
      • Local Blocked: Displays blocked events and blocked flows in the knowledge graph.
        Note: Blocked events are determined by inspecting the low-level category of the events to determine if connections might be blocked or not. The connection is reported as blocked if access denied entries exist in the event low-level category. Blocked flows are determined by examining the destination bytes transferred and the protocol. If the protocol is tcp_ip, the bytes are totaled and if destinationBytes is equal to zero, the flow is blocked.
      • Watson Enriched Block: Displays enrichments that point to a locally blocked entity such as an IP address. The local entity shows as blocked in the graph.
    Scenarios: Shows the option to focus on Malware Executed if configured.
    Concern: Select a concern level to focus on specific concern levels.
    Observables: Select observable types to focus on specific details of the incident. The observables that are shown on the graph are sized to represent relevance as indicated by the concern level. For more information, see Viewing details for the selected observable or relationship.
    MITRE ATT&CK Tactics & Techniques: Select tactics and any associated techniques to focus on specific events related to the offense.
    References: Depending on the observable you select, you can filter on the following associated data sources:
      • IBM X-Force Exchange
      • Trusted Business Partner threat intelligence
        Note: Because of licensing restrictions, the data provider is not displayed.
      • Open source intelligence
  5. Click an observable or relationship on the graph to open the details pane.
  6. You can click Export to select an export type from the following choices:
    Option: Description
    Export to STIX: Click Export to STIX to download the analysis results of your investigation to STIX format. For more information, see Exporting your analysis results to STIX.
    Export to CSV: Click Export to CSV to download the analysis results of your investigation to CSV format. For more information, see Exporting your analysis results to CSV.
    Export to Reference Set: Click Export to Reference Set to select observable types and then click Export to export sufficiently toxic observables that are found during the investigation.
      Note: You do not have to create the reference set before an export occurs. The reference set is created only when the analysis contains values to export.
      For more information, see Exporting reference sets.
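
The blocked-event and blocked-flow rules from the Local Blocked note in step 4, applied to sample records, as an added Python example that is not IBM's code. Totaling bytes per source and destination pair and every field name other than destinationBytes are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records. Only destinationBytes and the tcp_ip protocol
# value come from the page; all other field names and values are assumptions.
EVENTS = [
    {"dst": "203.0.113.10", "low_level_category": "Firewall Permit"},
    {"dst": "203.0.113.66", "low_level_category": "Access Denied"},
]
FLOWS = [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "protocol": "tcp_ip", "destinationBytes": 0},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "protocol": "tcp_ip", "destinationBytes": 0},
    {"src": "10.0.0.5", "dst": "198.51.100.8", "protocol": "tcp_ip", "destinationBytes": 0},
    {"src": "10.0.0.5", "dst": "198.51.100.8", "protocol": "tcp_ip", "destinationBytes": 4096},
    {"src": "10.0.0.9", "dst": "198.51.100.9", "protocol": "udp_ip", "destinationBytes": 0},
]


def event_is_blocked(event):
    """An event counts as blocked when its low-level category is an access-denied entry."""
    return "access denied" in event.get("low_level_category", "").lower()


def blocked_flow_pairs(flows):
    """Total destinationBytes per (src, dst) over tcp_ip flows; a zero total means blocked."""
    totals = defaultdict(int)
    for flow in flows:
        # The stated rule covers tcp_ip only. Records without a byte count are skipped
        # rather than treated as zero, so missing data never marks a flow as blocked.
        if flow.get("protocol") != "tcp_ip" or "destinationBytes" not in flow:
            continue
        totals[(flow["src"], flow["dst"])] += int(flow["destinationBytes"])
    return sorted(pair for pair, total in totals.items() if total == 0)


def blocked_entities(events, flows):
    """Destinations that would be drawn as blocked under either rule."""
    blocked = {e["dst"] for e in events if event_is_blocked(e)}
    blocked.update(dst for _src, dst in blocked_flow_pairs(flows))
    return sorted(blocked)


if __name__ == "__main__":
    print("blocked flow pairs:", blocked_flow_pairs(FLOWS))
    print("blocked entities:  ", blocked_entities(EVENTS, FLOWS))
```

A destination that answered with even one byte in any totaled flow is not reported as blocked, which is why 198.51.100.8 is absent from the result.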

Example

The following example shows the light theme UI of the relationship graph on QRadar Advisor with Watson 2.6.0.
Relationship graph light theme UI 2.6.0
The following example shows the dark theme UI of the relationship graph on QRadar Advisor with Watson 2.6.0 and QRadar Analyst Workflow 1.2.0.
Relationship graph on dark theme UI 2.6.0