Managing nodes and relationships

Adding nodes to a graph

These are the following ways to add nodes to a graph:

• Adding nodes of the type Indicator or Detection when creating a graph from the Indicator or Detection pages. For more information, see section "Managing graphs".
• Adding nodes of types Standard CyberTrace indicator and External indicator (observable) to an existing graph manually with the Add node () button.
• Adding nodes of types Standard CyberTrace Indicator and External indicator (observable) to an existing graph from a file with the Add node () button.
• Adding nodes to an existing graph by using transformations. For more information, see sections "About transformations" and "Performing transformations".

To add a node to an existing graph manually:

1. Open the graph.
2. Click the Add node () button in the sidebar.
3. In the dialog that opens, specify the value of an indicator that you want to add. For example, an MD5 hash of a file or a URL.

   If the Kaspersky CyberTrace database contains information about the specified value, Kaspersky CyberTrace prompts you to choose whether you want to add this value from the database as a standard CyberTrace indicator or if you want to add an external indicator (observable).

   If there is no information about the specified value in the Kaspersky CyberTrace database, you can only add an external indicator (observable).

   You also can specify multiple values, one by one.

4. Click Create nodes.

   The newly added nodes appear on the graph.

   If the node already exists on the graph:

   • The CyberTrace indicator will be updated from the database.
   • The External indicator (observable) will remain on the graph and no new nodes will be added.

To add a node to an existing graph from a file:

1. Open the graph.
2. Click the Add node () button in the sidebar.

   The Add indicators to the graph dialog box opens.

3. Select the From files tab.
4. Do one of the following:
   • Drag the file(s) required to the dialog box area.
   • Click Browse to select the file(s) required from a folder.

   You can add only text files encoded in UTF-8 (each file up to 128 KB in size).

   You can remove a file before adding.

5. Click Create node(s).

   The newly added nodes appear on the graph.

   If the node already exists on the graph:

   • The CyberTrace indicator will be updated from the database.
   • The External indicator (observable) will remain on the graph, no new nodes will be added.

   Before you create nodes, the number of valid lines (indicators) to be added to the graph will be displayed in the dialog box area (this number will be displayed for each file added).

   If at least one of the files is not valid, remove it. Otherwise, the other selected files (even if valid) will not be added.

Viewing information about nodes

You can view detailed information about the following types of nodes:

• Standard CyberTrace indicator:
  • Indicator type and value.
  • Link to the indicator page in Kaspersky CyberTrace Web.
  • Date and time when the indicator was added to a graph.
  • Date and time of the first and the last detection.
  • Indicator sources.
  • Indicator context.
• External indicator (observable):
  • Indicator type and value.
  • Link to an external indicator source, if it exists.
  • Date and time when the indicator was added to a graph.
  • Indicator attributes, if they exist.
• Detection:
  • Date and time of the detection.
  • Date and time when the detection was added to a graph.
  • Detection category.
  • The name of the tenant, within which the detection was received if there are tenants other than General.
  • The name of the event source.
  • Incoming event.
  • The parts of the incoming event (in key-value format) that were obtained from the regular expressions applied to the incoming event, and the names of those regular expressions.
  • Events that include the detection.
  • The parts of the detection event (in key-value format) that correspond to the detected indicator context.
  • Standard CyberTrace indicator that triggered the detection.
• Report:
  • Date and time when the report was added to a graph.
  • Report name.
  • Report vendor.
  • Report type, if it exists.
  • Link to the report, if it exists.

To view the detailed information about a node,

Double-click the node that you are interested in.

A side panel opens on the right, containing detailed information about the node.

To view information about nodes in a group, use the Group panel (see section "Node groups").

Creating relationships by connecting nodes

These are the following ways to create a relationship:

• Connecting nodes manually in the linking mode.
• Creating relationships automatically by using transformations. For more information, see sections "About transformations" and "Performing transformations".

To connect nodes manually:

1. Open a graph.
2. Turn on the linking mode by clicking the Linking mode () button in the sidebar.
3. Click the node that you want to connect to another node.

   The connecting line appears on the graph, leading from the initial node to the node that you select next.

4. Click the next node to create a relationship.

After you have finished connecting the nodes, turn off the linking mode.

Deleting nodes

To delete a node:

1. Click the node that you want to delete.
2. Click the Delete () button in the sidebar or press the DEL key on the keyboard.

When you delete nodes, keep in mind the following:

• If you delete the group node, all nodes in the group are deleted. Instead of deleting the group node, you may want to ungroup it or delete individual nodes in the group by using the group panel. For more information on working with node groups, see section "Node groups".
• If you delete the node that is connected to the Action or Detections node with a directed relationship, Kaspersky CyberTrace deletes both the initial node and the Action or Detections node. If there are other nodes that were related to the Action or Detections node with the undirected relationships, Kaspersky CyberTrace does not delete those other nodes.

Deleting relationships

When you delete a node, Kaspersky CyberTrace automatically deletes the relationships connecting this node with other nodes on a graph. You can also delete relationships manually without deleting the related nodes.

To delete a relationship:

1. Right-click the relationship.
2. Click Remove link.

Page top