Execution Profile

The execution profile visualizes objects and events using a dynamic and interactive chain view, instead of static analysis results.

The following table describes the elements that make up the execution profile.

Summary panel

Displays general information about the selected node, objects involved, and related attack techniques

  • Endpoint: The host name of the endpoint that was investigated

  • Criteria: The specific criteria based on which Workbench generates the execution profile, namely, the highlighted objects that triggered the alert

  • Observed Attack Techniques: The individual events detected in your environment and related MITRE information

    You can click Search Event UUID to create a new search query with the event UUID in the Search app.

    Observed Attack Techniques lists only detection filters at the "Critical", "High", and "Medium" risk levels, based on the objects available in the current analysis chain.

Chain view

Visualizes objects and events to facilitate an interactive investigation

You can click any node to view the detailed profile and check related events of the object. The initial analysis chain shows the most critical events as a baseline and allows you to add more events to the chain if necessary.

Profile tab

Displays the details applicable to the selected object

Events tab

Displays the actions performed by the selected object

You can expand each action to check the objects involved in the event and choose to dynamically show them in or hide them from the chain view.