Telemetry-Driven Graph Enrichment
Turn flowing telemetry into actionable intelligence: session history, privilege analysis, behavioral context, and real-time Tier 0 credential exposure.
Requires role: Operator (viewing enrichment data), Admin (configuration)
Related: Telemetry Pipeline, ITDR Detection, Risk Posture Dashboard, Multi-Agent Intelligence
Overview
Once telemetry is flowing from your domain controllers (see Telemetry Pipeline for setup), the platform enriches the identity graph with intelligence drawn from authentication events. Enrichment answers questions that directory data alone cannot: which accounts are behaving unusually, which Tier 0 credentials are actively at risk, and which permissions have never been used.
Enrichment capabilities are organized across several dedicated pages and panels:
| Capability | Where to find it |
|---|---|
| Full identity investigation — timeline, behavioral profile, session history, investigation charts | Identity Investigation Timeline |
| Tier 0 credential exposure tracking — active sessions co-located with credential-theft privileges | Tier 0 Exposure |
| Session connections and privilege connections in the graph | Graph Explorer — Session and Privilege Connections |
| Detection alerts — brute force, password spray, Kerberoasting, DCSync, and more | ITDR Detection |
| Telemetry pipeline setup, audit policy, OTel Collector configuration | Telemetry Pipeline |
Behavioral Context
After each full sync, the platform analyzes the last 30 days of telemetry events for every identity with at least 5 events and computes a behavioral profile. This profile is displayed on the Identity Investigation Timeline as the Behavioral Summary Card and is used by the Graphne agent to answer behavioral questions.
Each identity's behavioral profile includes typical active hours (0–23), top hosts, typical authentication protocols, 30-day event count, and an anomaly score (0.0–1.0).
The Graphne agent can surface behavioral context in natural language. From the Graphne panel (navigate to Graphne in the sidebar):
- "Which service accounts logged in interactively this month?"
- "Are there any identities using plaintext authentication?"
- "What is the behavioral risk profile for [email protected]?"
- "Which identities have anomaly scores above 0.5?"
Behavioral profiles are updated during the post-sync analytics pipeline after a full sync only. Delta syncs do not trigger behavioral recomputation.
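The profile computation described above, as an added worked example (this is not the platform's own code). It applies the page's two stated rules, a trailing 30-day window and a minimum of 5 events, to a constructed event set and emits the profile fields the page lists. The page does not say how "typical" hours and hosts are cut off or how the anomaly score is derived, so the 20% share threshold, the score heuristic, the event tuple layout and the names `build_profile` and `post_sync_profiles` are all assumptions for illustration.

```python
"""Behavioral profile from constructed authentication events.

Added example, not the platform's own code. Profile fields mirror the page
(typical hours 0-23, top hosts, protocols, 30-day event count, anomaly score
in 0.0-1.0). The 20% share threshold and the anomaly heuristic are assumed;
the page does not define them.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

MIN_EVENTS = 5                  # from the page: fewer events, no profile
WINDOW = timedelta(days=30)     # from the page: trailing 30 days
TYPICAL_SHARE = 0.2             # assumed: an hour/host is "typical" at or above this share

SYNC_TIME = datetime(2025, 3, 31, 12, 0, tzinfo=timezone.utc)

# Constructed events: (identity, UTC timestamp, host, auth package).
# svc_backup logs on from APP01 at 09:00 UTC every day; one recent event is an
# off-hours NTLM logon from a workstation it has never used.
EVENTS = [("svc_backup", SYNC_TIME - timedelta(days=d, hours=3), "APP01", "Kerberos")
          for d in range(1, 11)]
EVENTS += [
    ("svc_backup", SYNC_TIME - timedelta(hours=10), "WS-042", "NTLM"),      # 02:00 UTC
    ("svc_backup", SYNC_TIME - timedelta(days=40), "APP01", "Kerberos"),    # outside window
    ("j.doe", SYNC_TIME - timedelta(days=2), "WS-007", "Kerberos"),         # below MIN_EVENTS
]


def established(counter, total):
    """Values carrying at least TYPICAL_SHARE of the identity's events (assumed rule)."""
    return sorted(v for v, n in counter.items() if n / total >= TYPICAL_SHARE)


def anomaly_score(recent, typical_hours, typical_hosts):
    """Assumed heuristic: share of in-window events outside the identity's
    established hours or hosts, rounded to two decimals (stays within 0.0-1.0)."""
    off = sum(1 for _, ts, host, _ in recent
              if ts.hour not in typical_hours or host not in typical_hosts)
    return round(off / len(recent), 2)


def build_profile(identity, events, now=SYNC_TIME):
    """Profile for one identity, or None when it has fewer than MIN_EVENTS
    events in the trailing 30 days (the page's eligibility rule)."""
    recent = [e for e in events if e[0] == identity and now - WINDOW <= e[1] <= now]
    if len(recent) < MIN_EVENTS:
        return None
    hours = Counter(e[1].hour for e in recent)
    hosts = Counter(e[2] for e in recent)
    protocols = Counter(e[3] for e in recent)
    typical_hours = established(hours, len(recent))
    typical_hosts = established(hosts, len(recent))
    return {
        "identity": identity,
        "typicalHours": typical_hours,
        "topHosts": [h for h, _ in hosts.most_common(3)],
        "protocols": sorted(protocols),
        "eventCount30d": len(recent),
        "anomalyScore": anomaly_score(recent, typical_hours, typical_hosts),
    }


def post_sync_profiles(events, now=SYNC_TIME):
    """What a post-sync pass would produce: one profile per eligible identity."""
    profiles = {}
    for identity in sorted({e[0] for e in events}):
        profile = build_profile(identity, events, now)
        if profile is not None:
            profiles[identity] = profile
    return profiles


if __name__ == "__main__":
    for identity, profile in post_sync_profiles(EVENTS).items():
        print(profile)
```

Running it yields a single profile, for svc_backup: 11 in-window events, typical hour 9, APP01 as the dominant host, both Kerberos and NTLM seen, and a low but non-zero anomaly score driven entirely by the 02:00 logon from WS-042. j.doe gets no profile because it has only one event in the window, and the 40-day-old event is excluded from the count.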
Failed Authentication Tracking
Every failed logon event (Windows Event 4625) updates the targeted identity's node properties with a rolling 30-day count. This information appears directly in identity detail panels without requiring a separate query or alert. Only Event 4625 feeds these properties: a Kerberos pre-authentication failure, which a domain controller records as Event 4771 rather than 4625, is outside this count.
Properties updated on the identity node:
| Property | Description |
|---|---|
| `failedAuthCount` | Rolling 30-day count of failed authentication attempts |
| `failedAuthSources` | Count of distinct source hosts that generated failures in the window |
| `lastFailedAuth` | Timestamp of the most recent failure |
Investigative use cases:
- Targeted attack: a high `failedAuthCount` with `failedAuthSources` of 1, that is, failures from a single source host, is consistent with a targeted password attack against this account
- Password spray: a high `failedAuthCount` together with a high `failedAuthSources`, failures arriving from many distinct source hosts, is consistent with distributed spray activity
- Account lockout investigation: the source hosts behind the failures identify which machine or application is generating them
Failed authentication properties update in real time as events arrive — they do not wait for the post-sync pipeline. An account under active attack shows an increasing count within seconds of events being ingested.
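The tracking and triage described in this section, as an added worked example (not the platform's own code). It maintains the three node properties named above per identity as each 4625 arrives, expires events that fall out of the rolling 30-day window, and maps the two investigative heuristics (single source versus many sources) onto the resulting properties. The record layout loosely follows 4625 EventData field names but is constructed for illustration and is not the pipeline's wire format; the numeric thresholds `HIGH_COUNT` and `SPRAY_MIN_SOURCES` and the names `FailedAuthTracker`, `triage` and `run` are assumptions.

```python
"""Failed-authentication tracking over constructed Windows 4625 events.

Added example, not the platform's own code. Maintains failedAuthCount,
failedAuthSources and lastFailedAuth per identity as events arrive and
applies the page's single-source / many-sources heuristics. Thresholds and
the event record layout are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=30)   # rolling window from the page
HIGH_COUNT = 20               # assumed: in-window failures that count as "high"
SPRAY_MIN_SOURCES = 5         # assumed: distinct source hosts that count as "many"

T0 = datetime(2025, 3, 31, 12, 0, tzinfo=timezone.utc)


def make_4625(ts, target_user, ip_address):
    """Minimal constructed 4625 record (field names follow the event's
    EventData, but this is not the pipeline's wire format)."""
    return {"EventID": 4625, "TimeCreated": ts,
            "TargetUserName": target_user, "IpAddress": ip_address}


# Constructed stream: one host hammering da.ops, 12 hosts spraying svc_web,
# a stale da.ops failure outside the window, and a few benign typos by j.doe.
STREAM = [make_4625(T0 - timedelta(days=45), "da.ops", "10.0.0.5")]
STREAM += [make_4625(T0 - timedelta(minutes=60 - i), "da.ops", "10.0.0.5") for i in range(25)]
STREAM += [make_4625(T0 - timedelta(minutes=30 - i), "svc_web", f"10.0.1.{i % 12}") for i in range(24)]
STREAM += [make_4625(T0 - timedelta(minutes=5 - i), "j.doe", "10.0.2.9") for i in range(3)]
STREAM.sort(key=lambda e: e["TimeCreated"])


class FailedAuthTracker:
    """Per-identity rolling state, updated on every 4625 as it arrives rather
    than waiting for a post-sync pass."""

    def __init__(self):
        self._events = {}     # TargetUserName -> [(ts, source), ...] within the window
        self._clock = None    # newest timestamp seen; drives window expiry

    def ingest(self, event):
        if event["EventID"] != 4625:
            return
        ts, user = event["TimeCreated"], event["TargetUserName"]
        self._events.setdefault(user, []).append((ts, event["IpAddress"]))
        self._clock = ts if self._clock is None else max(self._clock, ts)
        cutoff = self._clock - WINDOW
        # drop anything older than the rolling window, regardless of arrival order
        self._events[user] = [e for e in self._events[user] if e[0] >= cutoff]

    def properties(self, user):
        """The three node properties the detail panel shows for one identity."""
        q = self._events.get(user, [])
        if not q:
            return {"failedAuthCount": 0, "failedAuthSources": 0, "lastFailedAuth": None}
        return {"failedAuthCount": len(q),
                "failedAuthSources": len({src for _, src in q}),
                "lastFailedAuth": max(ts for ts, _ in q)}


def triage(props):
    """Map the page's two heuristics onto the properties (thresholds assumed)."""
    if props["failedAuthCount"] < HIGH_COUNT:
        return "normal"
    if props["failedAuthSources"] == 1:
        return "targeted"                 # many failures, one source host
    if props["failedAuthSources"] >= SPRAY_MIN_SOURCES:
        return "password spray"           # many failures, many source hosts
    return "review"


def run(stream=STREAM):
    """Ingest the whole stream and return (properties, verdict) per identity."""
    tracker = FailedAuthTracker()
    for event in stream:
        tracker.ingest(event)
    return {user: (tracker.properties(user), triage(tracker.properties(user)))
            for user in ("da.ops", "svc_web", "j.doe")}


if __name__ == "__main__":
    for user, (props, verdict) in run().items():
        print(f"{user:8} {props['failedAuthCount']:3} failures from "
              f"{props['failedAuthSources']:2} host(s), "
              f"last {props['lastFailedAuth']:%H:%M}Z -> {verdict}")
```

Because `ingest` recomputes the properties on every event, reading `properties` part-way through the stream already shows the rising count for da.ops, which is the real-time behaviour the paragraph above describes; the 45-day-old failure is dropped as soon as a newer event moves the window past it, so it never inflates the 30-day count.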