Detailed Mindmap

Use the Detailed Mindmap screen to customize the mindmap.

The Mindmap provides a graphical representation of events and associated objects originating from an investigated suspicious object. This screen has the following parts:

  • Mindmap area: The mindmap area shows all the objects matched in the investigations. Objects colored red are suspicious objects or are linked to suspicious objects. Objects are represented by the following icons:

    Table 1. Mind Map View Legend

    | Type | Description |
    |------|-------------|
    | File | Files created by the connected process. |
    | Process | Processes that start other services or processes or create files. Processes usually have an associated user account displayed under the process name and connected to the process. |
    | IP address and port | IP addresses that the connected process, service, or file attempted to connect to. |
    | Domain | Domains that the connected process, service, or file attempted to connect to. |
    | User account | The user account with domain that started the connected process, service, or file. |
    | Service | Services that start other processes or services or create files. Services usually have an associated user account displayed under the service name and connected to the service. |
    | Registry | Registry operations performed by a process, service, or module, especially for autorun processes. |
    | Autorun Process | Autorun processes that are started by a registry autorun key. |
    | Module | Modules loaded by a process or service. |
    | Signature | System signatures, such as Event, Semaphore, and Mutant. |
    | Inject API | APIs that are used to inject into a process. |
    | Winnet API | APIs that are used to connect to a network and transfer information. |
    | URL download file | Files that are downloaded from a URL. |
    | Unknown | Unknown modules and files. |
    | Internet API | APIs that are used to connect to the internet at the application level, for example HTTP or FTP. |

    Click and drag the mindmap area to navigate around the mindmap. To show a submenu for customizing the mindmap, click an object in the mindmap area.

    Use the tooltip on the left to review the details of the selected object. The tooltip pulls these details from the Object List screen.

    Use the submenu on the right to review and edit the mindmap:

    Table 2. Customization Options for Mindmap

    | Submenu item | Description |
    |--------------|-------------|
    | Expand | Expands the selected branch to show objects affected further down the chain. |
    | Expand All | Expands all the branches in the mindmap to show objects affected further down the chain. |
    | Collapse | Hides the expanded branch of the selected object. This option appears only if the object has an expanded branch. |
    | Collapse all | Hides all the expanded branches. This option appears only if at least one object has an expanded branch. |
    | Remove from root cause chain | Unmarks the object as suspicious and turns the icon blue. |
    | Add to root cause chain | Marks the object as suspicious and turns the icon red. |

  • Contents pane: The Contents pane lists all the objects appearing in the mindmap. The objects are organized according to the Root Cause Chain they belong to. Click an item in the Contents pane to center that item on the mindmap area. To increase the space available for the mindmap area, click to hide the Contents pane.

  • Current Screen: Use the Current Screen to determine the location of the object in relation to the area of the mindmap.
    • The gray box represents the full area of the mindmap. This box expands as more branches are added to the initial Root Cause Chain.

    • The box with the blue outline represents the current area being viewed. If the screen is resized, this box resizes to match the new screen size.