Nodes and relationships

Each graph consists of nodes (indicators, detections, and others), and relationships connecting the nodes. Both nodes and relationships can be added to a graph manually or as a result of transformation.

Nodes

A node is a single point on a graph that is linked to other points. There are different types of nodes, such as indicators, detections, or groups. Nodes of different types are displayed on the graph with different symbols. See the description of the different node types in the table below.

Node types

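| Icon | Type | Description |
|------|------|-------------|
| URL node | URL | Standard CyberTrace indicators. |
| Hash node | Hash | Standard CyberTrace indicators. |
| IP node | IP | Standard CyberTrace indicators. |
| External URL node | External URL | External indicator (observable) received from a source other than the Kaspersky CyberTrace database. A graph can contain an external indicator and a standard CyberTrace indicator that have the same value. |
| External hash node | External Hash | External indicator (observable) received from a source other than the Kaspersky CyberTrace database. A graph can contain an external indicator and a standard CyberTrace indicator that have the same value. |
| External IP node | External IP | External indicator (observable) received from a source other than the Kaspersky CyberTrace database. A graph can contain an external indicator and a standard CyberTrace indicator that have the same value. |
| Action / Detections node | Action/Detections | An intermediate node between other nodes. This intermediate node appears as the result of a transformation. |
| Detection node | Detection | Detection event. |
| Report node | Report | Report that contains information about the related indicator. |
| Group node | Group | Several nodes grouped together. |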

Relationships

Nodes are connected to each other with relationships. Relationships can be directed or undirected.

A directed relationship can lead only to nodes of the types Action and Detections. This kind of relationship appears when Kaspersky CyberTrace performs transformation and a new relationship leads from the initial node to the node added after the transformation.

For example, if a user launches a transformation in order to find detections related to an indicator, a directed relationship may appear leading from the indicator to a node of type Detections. In turn, the undirected relationships will connect the new Detections node with nodes of type Detection.

In most cases, the undirected relationship connects two nodes that have something in common.

For example, a dangerous file can have different hashes (MD5, SHA-1, and SHA-256), and each of them is a separate indicator of threat. All these nodes can be connected with undirected relationships.

You can create undirected relationships manually, whereas directed relationships can only be the result of transformation.
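The rules above can be modelled in a few lines. The following Python sketch is an added example, not Kaspersky CyberTrace code or its API: the `Graph` class, its method names, the `find_detections` transformation, and all sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

INDICATORS = {"URL", "Hash", "IP", "External URL", "External Hash", "External IP"}
HUBS = {"Action", "Detections"}  # the only valid targets of a directed relationship
NODE_TYPES = INDICATORS | HUBS | {"Detection", "Report", "Group"}

@dataclass
class Graph:
    nodes: set = field(default_factory=set)       # (type, value) pairs
    directed: set = field(default_factory=set)    # (source, target) pairs
    undirected: set = field(default_factory=set)  # frozenset({a, b})

    def add_node(self, ntype, value):
        if ntype not in NODE_TYPES:
            raise ValueError(f"unknown node type: {ntype}")
        node = (ntype, value)  # keyed by type and value: "IP" and "External IP" stay distinct
        self.nodes.add(node)
        return node

    def link(self, a, b):
        """Manual relationship: always undirected."""
        if a == b or not {a, b} <= self.nodes:
            raise ValueError("both endpoints must be distinct nodes of this graph")
        self.undirected.add(frozenset((a, b)))

    def _link_directed(self, source, target):
        """Internal: used by transformations only, never by manual edits."""
        if target[0] not in HUBS:
            raise ValueError("directed relationships lead only to Action or Detections nodes")
        self.directed.add((source, target))

    def find_detections(self, indicator, events):
        """Hypothetical transformation: indicator -> Detections node -- Detection events."""
        if indicator not in self.nodes or indicator[0] not in INDICATORS:
            raise ValueError("transformation must start from an indicator on the graph")
        hub = self.add_node("Detections", indicator[1])
        self._link_directed(indicator, hub)          # directed: initial node -> new node
        for event in events:
            self.link(hub, self.add_node("Detection", event))  # undirected
        return hub

def build_sample():
    g = Graph()
    ip = g.add_node("IP", "198.51.100.7")               # constructed sample values
    ext_ip = g.add_node("External IP", "198.51.100.7")  # same value, separate node
    hashes = [g.add_node("Hash", f"{alg}:<digest>") for alg in ("MD5", "SHA-1", "SHA-256")]
    g.link(hashes[0], hashes[1])                        # hashes of one file, linked manually
    g.link(hashes[1], hashes[2])
    hub = g.find_detections(ip, ["event-1", "event-2"])
    return g, ip, ext_ip, hub
```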
