Investigations
Overview of Process Investigations in the Spyderbat Console — the Records Panel, Causal Tree, and Details Panel for visual causal analysis of Spydertraces.
A Process Investigation is Spyderbat's visual causal analysis tool. It takes a Spydertrace — a complete record of causally connected activity on a system — and lets you explore every process, connection, and event in a navigable Causal Tree. Instead of piecing together log lines, you see the full chain of cause and effect.
Starting an Investigation
Investigations can be launched from Search results. Navigate to the Search page, run a query that returns Spydertraces, then select one or more traces using the checkboxes. A toast bar appears at the bottom of the screen with action buttons — click Start Process Investigation.

The Investigation view opens in a new browser tab. It has three main areas: the Records panel (left), the Causal Tree (right), and the Details panel (below the tree).

Records Panel
The Records panel on the left side controls what data is available for investigation.
Hosts and Time Range
At the top, the Hosts dropdown selects which machine(s) to query. Below it, the time range picker lets you adjust the window of activity. Click Run New Search to refresh results for a different host or time range.
Data Layers
Data Layers appear below the time range. Each search or dashboard card that feeds into the investigation creates a separate data layer. You can toggle layers on or off to focus on specific subsets of data — similar to layers in a graphics editor. The layer count (e.g., "Data Layers (2)") shows how many are loaded.
Record Type Tabs
Records are organized into tabs by type:
Spydertrace — Complete traces of causally connected activity
Red Flags — Security-relevant events detected by Spyderbat. See Custom Flags for creating your own detections.
Process — Individual process records
Connection — Network connections
Container — Container-level records
Each tab shows a count of matching records. Select a tab to browse records of that type.
Adding Records to the Causal Tree
To visualize a record in the Causal Tree:
Click the star icon on an individual record row to add it to the graph
Click Add All above the records table to add all visible records at once
Use Show in Graph to jump to a record already displayed in the tree
Causal Tree
The Causal Tree is the core of the investigation — a visual graph showing causal relationships between processes, connections, and systems.
Node Types
S nodes — Systems (machines or hosts)
P nodes — Processes (individual commands or executables)
C nodes — Connections (network activity, linked to remote IPs and ports)
Grey badges next to process nodes indicate changes in the effective user or privilege level, giving immediate visual context about who was executing what.
Mode Toggle
At the top of the Causal Tree, switch between two interaction modes:
Pan & Zoom — Click and drag to pan the view, scroll to zoom. Best for exploring large graphs.
Selection — Click nodes to select them, drag to box-select multiple nodes. Best for manipulating specific parts of the graph.
Toolbar
The toolbar provides these controls:
Clear All (trash icon) — Remove all nodes from the graph
Undo / Redo — Step backward or forward through graph changes
Auto Focus — Automatically center and zoom to fit all nodes
Zoom In / Zoom Out — Adjust zoom level (also available via scroll wheel)
Highlight nodes — A dropdown that color-codes nodes by a selected attribute (e.g., Container UID). Nodes sharing the same value get the same color, making it easy to spot container or host boundaries.
Options — Display toggles: Hide Threads, Show Relative Time, Hide Future Nodes, Hide Container Box, Hide Process Context Box
Copy Investigation Link (top right) — Generate a permalink to the current investigation state. Links are not public — the recipient must be a member of your organization with read access.
Summarize (top right) — Get an AI-generated summary of the investigation. See Spydertrace Summarize for details.
Node Navigation
At the bottom of the Causal Tree:
Previous node / Next node — Cycle through nodes in chronological order
Add next N objects — When a Spydertrace contains more than 50 objects, only the first 50 load automatically. This button appears when more objects are available — click it to load the next batch. A progress indicator (e.g., "6 / 8 Objects Displayed") shows how many are currently loaded versus the total.
Interacting with Nodes
Left-click a node to select it and view its details in the Details panel
Right-click a node for a context menu with options to add or remove related nodes (children, descendants, connections, flags)
For a deeper guide on Causal Tree usage, see How to Use the Investigations Feature in Spyderbat.
Details Panel
The Details panel appears below the Causal Tree and shows metadata for the selected node or record. It is organized into expandable sections:
Process — Command line, executable path (shown when a process node is selected)
Spydertrace — Trace score, record counts (flags, processes, connections, systems)
Container — Container name, image, and runtime details
Parent Process — The parent process that spawned the selected process
System — Hostname, IP, and system identifiers
AWS — Cloud instance metadata (region, instance ID, etc.), when available
Click a different node in the Causal Tree or a different row in the Records table to update the Details panel with that item's metadata.