Execution Profile

View objects and events using a dynamic and interactive visualization.

The Execution Profile offers a visualization of objects and events using a dynamic and interactive chain view instead of static analysis results. You can adjust the view by expanding or collapsing the chain to focus on the objects and events you want to investigate.

Click Save Progress to save the current view.


Saved Execution Profiles that you generated directly from the Observed Attack Techniques or Search apps are only accessible using the URL provided.

The following table describes different elements that compose the Execution Profile.



Left panels

Observed Attack Techniques panel

Lists the individual events detected in your environment and related MITRE information

You can click View event to further check the event details in the Observed Attack Techniques app.


Under Observed Attack Techniques, only detection filters at "Critical", "High", and "Medium" risk levels are listed based on the objects available in the current analysis chain.

Endpoints panel

Lists the affected endpoints and highlighted objects of the alert

Graph section

Chain view

Visualizes objects and events to facilitate an interactive investigation

You can click any node to view the detailed profile and check related events of the object. The initial analysis chain shows the most critical events as a baseline and allows you to add more events to the chain if necessary.

Right panels

Profile tab

Displays the details applicable to the selected object

Events tab

Displays the actions performed by the selected object

You can expand each action to check the objects involved in the event and choose to dynamically show them in or hide them from the chain view.

Sources tab

Displays the point of origin for the selected object, which is the additional information not shown in the chain view