The Behavioral Analysis section consists of hashes, paths and network ports. As discussed above, every process running on an endpoint is part of a family tree, but every process also exhibits other attributes and behaviors, such as the hash of the file that executed, the path it ran from, network connections it made, files it wrote, etc. The attributes and behaviors in this section provide even more context to an analyst to compare and contrast a detection under investigation with our endpoint insights collected in the wild. For example, an analyst investigating an unknown executable in their environment might find in EchoTrail that that file executes from a given path 100% of the time in the wild, but they see that it ran from a different path in their environment. This is a red flag for the analyst and will give them good reason to investigate further. Conversely, if the path and other attributes and behaviors are consistent across their environment and the wild, then they can more quickly make a decision to move on to the next alert.