Thursday
Room 1
13:40 - 14:40
(UTC+01)
Talk (60 min)
Connecting the dots to go from tabular security incident data to behavioral graph understanding
From alerts to logs to telemetry, security data is typically stored as tables… but that does not mean you need to view it that way too. As more and more big platforms add first-class graph support, an increasing number of investigators have access to this powerful tool.
Using real activity data, this talk journeys through graph approaches to visual analysis that answer questions that are difficult to see in traditional table-based views. We’ll walk through the following techniques in going from tables to graphs:
- Graph shaping: One of the most important decisions is how to represent tabular security data like logs, alerts, and telemetry as graph structures. We’ll start by identifying entities like users, hosts, and processes as nodes, and dynamic events and static relationships as edges, such as authentication, network traffic, and file access.
- Surfacing patterns, outliers, and behaviors: We’ll show how to use the resulting graph topology to quickly identify malicious behavior such as reconnaissance scanning and lateral movement. The before/after views give a clear view of how, for both machine and human use, the graph modeling turns seemingly complex correlation rules into obvious graph insights.
- Contextualizing investigations: Understanding standard security alerts like credential compromises is hard because they require correlating multiple diverse data sources holding entirely different kinds of data. That pushes the work onto the analyst, who has to integrate them mentally to understand the true scope, while graphs solve this almost for free.
- Handling time: Timelining is one of the most fundamental tasks in a security investigation, yet traditional tabular views make it hard to see what is happening when multiple entities interact over time. We will show how to solve such temporal, multi-dimensional analysis problems for an incident with a few simple graph tricks.
We will introduce an end-to-end framework for transforming security tables into graphs that make complex threats visible at a glance.
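To make the table-to-graph shaping described above concrete, the following is an added example, not code from the talk or its speakers. It builds a graph from a constructed set of flat log rows (hosts and users as nodes, authentication and network-connection events as timestamped edges), then reads the behaviours the abstract mentions straight off the topology: scan-like fan-out from one source, the hosts a single credential touched, and a time-ordered chain of remote logons that looks like lateral movement. All hostnames, usernames, timestamps and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the shape of a flat SIEM/log table:
# (timestamp, event_type, source_host, destination_host, user)
EVENTS = [
    ("2024-05-01T09:00:00", "auth",    "ws-01",  "ws-01",  "alice"),
    ("2024-05-01T09:05:00", "netconn", "ws-01",  "srv-01", "alice"),
    ("2024-05-01T09:05:01", "netconn", "ws-01",  "srv-02", "alice"),
    ("2024-05-01T09:05:02", "netconn", "ws-01",  "srv-03", "alice"),
    ("2024-05-01T09:05:03", "netconn", "ws-01",  "srv-04", "alice"),
    ("2024-05-01T09:05:04", "netconn", "ws-01",  "srv-05", "alice"),
    ("2024-05-01T09:05:05", "netconn", "ws-01",  "srv-06", "alice"),
    ("2024-05-01T09:05:06", "netconn", "ws-01",  "srv-07", "alice"),
    ("2024-05-01T09:05:07", "netconn", "ws-01",  "srv-08", "alice"),
    ("2024-05-01T09:20:00", "auth",    "ws-01",  "srv-04", "alice"),
    ("2024-05-01T09:31:00", "auth",    "srv-04", "srv-08", "alice"),
    ("2024-05-01T09:45:00", "auth",    "srv-08", "dc-01",  "alice"),
    ("2024-05-01T10:00:00", "auth",    "ws-02",  "ws-02",  "bob"),
    ("2024-05-01T10:02:00", "netconn", "ws-02",  "srv-01", "bob"),
]


def build_graph(events):
    """Graph shaping: hosts and users become nodes; every row becomes an edge
    keyed (src, dst, kind) that carries its (timestamp, user) observations.
    Each auth row also yields a user->host 'logon' edge, so a credential can be
    pivoted on like any other entity."""
    nodes = set()
    edges = defaultdict(list)
    for ts, kind, src, dst, user in events:
        t = datetime.fromisoformat(ts)
        nodes.update([src, dst, user])
        edges[(src, dst, kind)].append((t, user))
        if kind == "auth":
            edges[(user, dst, "logon")].append((t, user))
    for obs in edges.values():
        obs.sort()
    return {"nodes": nodes, "edges": dict(edges)}


def fan_out(graph, kind="netconn", min_targets=5, window_s=60):
    """Scan-like behaviour is a star: one source reaching many distinct
    destinations of the same edge kind within a short window.
    Returns {source: distinct targets first contacted inside the best window}."""
    first_contact = defaultdict(list)            # src -> [(first_ts, dst), ...]
    for (src, dst, k), obs in graph["edges"].items():
        if k == kind and src != dst:
            first_contact[src].append((obs[0][0], dst))
    hits = {}
    for src, contacts in first_contact.items():
        contacts.sort()
        best = 0
        for i, (t0, _) in enumerate(contacts):
            in_window = sum(1 for t, _ in contacts[i:]
                            if (t - t0).total_seconds() <= window_s)
            best = max(best, in_window)
        if best >= min_targets:
            hits[src] = best
    return hits


def hosts_touched_by(graph, user):
    """Contextualizing a credential alert: one hop from the user node gives
    every host the credential was used on, across all source tables at once."""
    return sorted(dst for (u, dst, k) in graph["edges"] if u == user and k == "logon")


def lateral_chains(graph, user):
    """Handling time: lateral movement is a time-ordered path of remote logons
    for one user (A->B at t1, then B->C at t2 > t1, ...). Returns the longest
    such path as a list of (time, src, dst)."""
    hops = sorted((t, src, dst)
                  for (src, dst, k), obs in graph["edges"].items()
                  if k == "auth" and src != dst
                  for t, u in obs if u == user)
    best = []

    def extend(path):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        t_last, _, host = path[-1]
        for hop in hops:                          # continue only from the last host, later in time
            if hop[1] == host and hop[0] > t_last:
                extend(path + [hop])

    for hop in hops:
        extend([hop])
    return best


if __name__ == "__main__":
    g = build_graph(EVENTS)
    print("fan-out sources:", fan_out(g))
    print("hosts touched by alice:", hosts_touched_by(g, "alice"))
    for t, src, dst in lateral_chains(g, "alice"):
        print(f"{t.isoformat()}  {src} -> {dst}")
```

The same three questions asked against the flat table would each need a different grouped query or correlation rule; on the graph they are a degree count, a one-hop neighbourhood, and a path walk ordered by edge timestamps.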

