Using The Storyline Process Graph

The document provides an overview of the Storyline process graph used in SentinelOne for optimizing threat investigations and proactive threat hunting. It describes the components of the graph, including process connections, event timelines, and behavioral indicators, and explains how to interact with the graph for detailed analysis. Additionally, it outlines the functionalities available for viewing and sharing the graph, as well as accessing related event data.

Uploaded by

churchbus
Using the Storyline process graph https://community.sentinelone.com/s/article/000006310

Last Updated: Jan 22, 2025

Objective: Optimize threat investigations and proactive threat hunting
with the Storyline process graph.

Storyline™ is a sequence of related processes and events that are
correlated intelligently by the SentinelOne Agent. Each Storyline™ has a
unique ID that shows in Event Search results and in threat or alert
details, and can be used to find related events in the Storyline™.

The details of the Storyline™ also show graphically in the Storyline™
process graph.

The process graph has these sections: A graph of the process Storyline™
or OS View, a card with details about the selected process on the graph,
layer selection for the graph, a timeline of the Storyline™, and
process-related events and behavioral indicators.

In the Singularity™ Operations Center, this is called the Storyline™
Report from version S-24.3.5.

• Process Graph (1) - A visual representation of the primary
process connections to other processes, either from the
perspective of the Storyline™, the OS, or both. This includes
special connections between different processes on the graph,
like cross-process activity. Use the layers to select the
information that shows and click the plus signs to see more
parents and children.

• Process Card/ Layers (2) - Switch between a process card that
shows details for the selected node and layer selection for the
graph.

• Timeline (3) - Shows events related to the Storyline™ of the
primary node, organized by time.

• Event Count and Event Table (4) - Shows a detailed list of the
events that the primary node caused. In Event Count, the
information is organized by the event type with the count of each
type. In Event Table, see the events in the table format of the
Deep Visibility™ query results, with all Actions, Export, and table
options from Deep Visibility™ available.

• Indicators (5) - Shows the behavioral indicators related to the
primary node, with a link to the MITRE technique.

To open the Storyline™ Report:

• In the query results, if a process has a graph available, the name
of the process shows with a hyperlink. Click a link to open the
Process Graph in a new tab.

Using the Process Graph

In the graph, open and close nodes, select the view, add layers, hover or
click a node for counts and details, zoom in and out, and send the graph
to others to accelerate your threat investigation and threat hunting.

Each node represents a process. The primary node is the process you
clicked on to open the graph. The selected node gets a purple border
when you click on it.

• Open the legend to better understand the graph.

• See the process name and icons that represent which activities
the process did. Hover over the icons to see the counts of events.

• Click the plus sign on the right to open the children of a node, and
the plus sign on the left to open its parents.

• Select Full Graph, Storyline View, or OS View to see the chain of
events based on the Storyline™, based on what the endpoint OS
reports, or both.

See Storyline Source vs. OS Source in Deep Visibility™
(https://community.sentinelone.com/s/article/000006217) for more
information.

• Open the Layers and select options to refine what you see in the
graph:

◦ Select Cross Process to see when a process injects or
otherwise interacts with a different process. Cross process
activity traces threat execution from its original source to
actions that seem to come from legitimate processes. It
gives more context around processes and their
connections.

◦ In Behavioral Indicator Categories, select which
behavioral indicators to show in the graph. Click Select All
to show all of them.

◦ Click Restore to default to go back to the original graph,
with no cross process activity or behavioral indicators
shown. Click Clear to remove the Behavioral Indicator
selections.

• Cross-process activity shows as an arrow. The number next to the
arrow is the number of different types of cross process activity
between the nodes. Hover over the number to see the types.
Storyline connections show in the graph with a straight line. OS
connections show with dotted lines. When you select Behavioral
Indicators in the Layers, they show on the node where they
occurred. Hover over a behavioral indicator or node to
see details.

• When a link icon shows, it means the connection is based on the
SentinelOne Storyline™ and it is different from the connection
reported by the endpoint OS.

Tip: In some scenarios, the SentinelOne Storyline™ connection exists
because of cross-process activity. If you select Cross Process in
the Layers, you can see activity between processes that gives
more context around processes and their connections.

For example, in the graph below, when Cross Process is selected,
we see two events of cross process activity sent by
radDB8D5.tmp.exe to OneDrive.exe. This means that
activity from OneDrive.exe to cmd.exe was caused by
radDB8D5.tmp.exe, which sent commands to
OneDrive.exe.

[Figure: two views of the graph, Without Cross Process and With Cross Process selected]

• When you click a node, see detailed information about the
process itself and a detailed count of its activities.

To pivot to a graph for the selected node, click the process name.
A new graph opens for the process in a new browser tab.

• Processes that have the same parent and name, and do not have
their own children, are combined as one aggregated node for
clearer visibility. You can click the plus sign to show each process
individually (ten items open for each click).

If the aggregated process is malicious, it shows in red.

• To change your view of the graph:

◦ Drag the graph to a different part of your screen. For
example, drag it up to see the bottom of the graph.

◦ Change the graph size.

◦ Open the graph in Full Screen mode.

• To share the graph:

◦ Export - Get the graph as a PNG file.

◦ Share - Get a URL to send to other users who have
permission to see it.
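
The Cross Process example above (radDB8D5.tmp.exe, OneDrive.exe, cmd.exe) can be reproduced on a toy event set to show why the OS connection and the attributed connection differ. This is an added illustration, not SentinelOne code or the Agent's correlation logic: the event tuples, the explorer.exe parent, the timestamps and every function name are constructed for the example, and the rule "hop to the earliest process that acted on the parent before it created the child" is a simplifying assumption.

```python
# Constructed sample events (not real telemetry); names follow the article's example.
# ("create", parent, child, t): parent/child link as the endpoint OS reports it
# ("cross", source, target, t): cross-process activity from source into target
EVENTS = [
    ("create", "explorer.exe", "OneDrive.exe", 1),
    ("create", "explorer.exe", "radDB8D5.tmp.exe", 2),
    ("cross", "radDB8D5.tmp.exe", "OneDrive.exe", 3),
    ("cross", "radDB8D5.tmp.exe", "OneDrive.exe", 4),
    ("create", "OneDrive.exe", "cmd.exe", 5),
]

def os_parent(events, proc):
    """(parent, creation_time) of proc as the OS reports it, or None."""
    for kind, src, dst, t in events:
        if kind == "create" and dst == proc:
            return src, t

def cross_sources(events, target, before):
    """Processes that acted on target before time `before`, earliest first."""
    hits = sorted((t, s) for k, s, d, t in events
                  if k == "cross" and d == target and t < before)
    return [s for _, s in hits]

def os_chain(events, proc):
    """Ancestry from OS parent links only (what an OS-only view would draw)."""
    chain = [proc]
    while (link := os_parent(events, chain[-1])) and link[0] not in chain:
        chain.append(link[0])
    return chain

def attributed_chain(events, proc):
    """Ancestry that hops to the cross-process source acting on the OS parent."""
    chain, seen, current = [(proc, "start")], {proc}, proc
    while link := os_parent(events, current):
        parent, created = link
        srcs = [s for s in cross_sources(events, parent, created) if s not in seen]
        nxt, how = (srcs[0], "cross via " + parent) if srcs else (parent, "os")
        if nxt in seen:  # guard against loops in malformed data
            break
        chain.append((nxt, how))
        seen.add(nxt)
        current = nxt
    return chain

def cross_event_count(events, source, target):
    """Cross-process events sent from source to target."""
    return sum(1 for k, s, d, _ in events if k == "cross" and (s, d) == (source, target))

if __name__ == "__main__":
    print(os_chain(EVENTS, "cmd.exe"), attributed_chain(EVENTS, "cmd.exe"))
```

The OS-only chain never mentions radDB8D5.tmp.exe, while the attributed chain places it directly behind cmd.exe, which is the difference the Cross Process layer makes visible.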


Using the Timeline

The timeline shows events related to the primary process and its
Storyline™, organized by time. When you select a node in the process
graph, the process creation event of that node is highlighted in the
timeline. The timeline does not use the selected process graph layers.

• Click a point in the timeline to see aggregated events for that
time.

• Open the legend in the timeline to see how events are shown.
Behavioral indicators, cross-process events, and threat
intelligence events are all included in the timeline.

• As in the process graph, red nodes are malicious and the primary
node that was selected originally is purple.

• To expand a specific time period in the timeline, click in the
timeline and a cross pointer shows. Drag it over the time period in
the timeline. The timeline will update to show only that time
period.

• Click the calendar next to the legend to open a calendar. Select a
date, enter the exact time, and click Apply.

• To go back to the first timeline on the process graph, click Reset
Timeline Zoom. Reset Timeline Zoom only shows if you changed
the timeline.

Using the Event Count and Event Table

In Event Count, see a detailed list of the events that the selected node
caused. The information is organized by the event type, with the count
of each type.

• Click the event type to open the list of distinct files or activities.

• Click Open in Deep Visibility™ to open a query for the process
and event type in a new browser tab. This same view with the
same actions available is in the Event Table, but is smaller there.

• You can search in the distinct values.


In Event Table, see a detailed list of the events that the selected node
caused in the format of the Deep Visibility™ query results.

• Use the tabs to select All Events or a specific event type.

• Expand the rows.

• Select an event and run Actions on it: Fetch Logs, Disconnect
from Network, Mark as Threat, Mark as Suspicious, Add to
Blocklist, and Run Script (when RSO is available in the Console).

• Click Export to export the data to a CSV file.

• Click a detail to pivot on it and open a new query in a new
browser tab.
