
PowerShell Incident graphs in EDR do not have the expected MITRE-enriched nodes in the process lineage


Article ID: 190371


Products

Endpoint Detection and Response

Issue/Introduction

When reviewing PowerShell incidents in the EDR section of CDM, you expect to see MITRE-enriched neighbor nodes in the process lineage graph, since every other type of Incident shows this process lineage with MITRE-enriched data on each node.

Resolution

These additional nodes are collected and associated with the lineage because they are important for analysis and investigation. They are expected for all other Incident types that have lineage, but not for PowerShell incidents, so their absence in a PowerShell incident graph is expected behavior.