| Solution | Overview of the intrusion graph. The Intrusion Graph is a visual representation of a Composite Alert in FortiCNAPP. It displays the relationships between machines, identities, IP addresses, and other entities within a single alert. This feature complements the existing Observation Timeline. Problem Addressed by the intrusion graph. Composite Alerts frequently involve multiple entities, such as: -
Several identities (users, roles, service principals). -
Multiple machines or compute resources. -
Network sources and destinations, DNS names, processes, APIs, and other resources. Before the introduction of the Intrusion Graph, customers often encountered challenges such as: -
Understanding why specific identities and machines appeared in the same Composite Alert. -
Determining the relationships between resources. -
Identifying starting points for investigations. The Intrusion Graph addresses these challenges by: -
Explaining relationships between entities through visual connections based on actions, including: -
An identity assuming a role. -
An identity creating another identity. -
Privilege escalation events. -
New internal network connections between machines. -
Entities exhibiting similar suspicious behavior. -
Providing a compact visual summary by aggregating entities and observations, removing the time axis, and presenting a concise overview of the alert. -
Highlighting pivot points for investigation, such as: -
Methods of resource access (source locations, IP addresses, DNS names). -
Actions performed by resources (processes launched, APIs called, key operations). Entities in the graph can be selected to access detailed information. Accessing the intrusion graph. To access the Intrusion Graph for a Composite Alert: -
In the admin's tenant, navigate to Alerts. -
Open a Composite Alert (for example, a 'Potentially Compromised [Cloud] Identity' alert). -
Select the Observations tab. -
The Intrusion Graph panel is displayed for alerts that have evolved (been updated with new signals) after November 18, 2025.  Note: For alerts that have not been updated with new signals since November 18, 2025, the Intrusion Graph may not be available. Interpreting the intrusion graph. The intrusion graph typically contains: -
Nodes (entities): -
Identities (users, roles, service principals). -
Machines, hosts, containers. -
IP addresses and DNS names. -
Processes, APIs, and other relevant resources. -
Edges (relationships): Actions such as 'Assumed role', 'Created identity', 'Escalated privileges', 'Connected to', or 'Performed similar suspicious activity'. Practical reading tips: -
Locate the primary suspicious entity, which is often highlighted. -
Follow the edges: -
Incoming edges indicate how the entity was accessed (originating identities, IP addresses, or DNS names). -
Outgoing edges show actions performed by the entity (lateral movement, privilege changes, external connections). -
Use the Intrusion Graph in conjunction with the Observation Timeline to identify key entities and relationships, and to review the timing and evidence of each step. Example investigation workflow: -
Open the Composite Alert and review the summary (severity, type, impacted cloud). -
Navigate to the Intrusion Graph on the Observations tab. -
Identify the main suspect entity (such as an IAM user, role, service principal, or machine). -
Trace the access path by examining IP addresses, DNS names, or identities leading to the entity. -
Trace impact and follow-on actions by reviewing edges indicating role assumptions, new identity creation, privilege escalation, or new internal connections. -
Select entities in the graph to view detailed observations and activity history. -
Correlate findings with the Observation Timeline to validate the sequence of events and timestamps. -
Determine the appropriate response, such as rotating or revoking credentials, restricting permissions, isolating machines, or opening an internal incident. Availability and limitations. -
The Intrusion Graph is generally available for all FortiCNAPP customers as of December 1, 2025. -
The feature is supported for Composite Alerts that have evolved since November 18, 2025. -
The Intrusion Graph is not displayed for single-signal alerts (such as compliance or anomaly alerts); standard alert details and evidence should be used in these cases. Related document: Getting started |
