Managing nodes and relationships
To manage nodes and relationships of a graph, open the graph by clicking its tile on the Research graphs page.
To access this page, you need to switch to the Data management mode.
Adding nodes to a graph
You can add nodes to a graph in the following ways:
To add a node to an existing graph manually:
- Click the Add indicators button in the sidebar.
- In the Add indicators to the graph dialog box that opens, specify the value of an indicator that you want to add, for example, an MD5 hash of a file or a URL.
If the Kaspersky CyberTrace database contains information about the specified value, Kaspersky CyberTrace prompts you to choose whether you want to add this value from the database as a standard Kaspersky CyberTrace indicator or if you want to add an external indicator (observable).
If there is no information about the specified value in the Kaspersky CyberTrace database, you can only add an external indicator (observable).
You can also specify multiple values, one by one.
- Click the Create nodes button.
The newly added nodes appear on the graph.
If a node already exists on the graph:
- A Kaspersky CyberTrace indicator will be updated from the database.
- An External indicator (observable) will remain on the graph; no new nodes will be added.
To add a node to an existing graph from a file:
- Click the Add indicators button in the sidebar.
- In the Add indicators to the graph dialog box that opens, click the From files tab.
- Do one of the following:
- Drag the required file(s) to the dialog box area.
- Click the Add files button to select the required file(s) from a folder.
You can add only text files encoded in UTF-8 without BOM (each file up to 128 KB in size).
You can remove a file before adding.
- Click the Create nodes button.
The newly added nodes appear on the graph.
If a node already exists on the graph:
- A Kaspersky CyberTrace indicator will be updated from the database.
- An External indicator (observable) will remain on the graph; no new nodes will be added.
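The file limits stated above (text, UTF-8 without BOM, up to 128 KB per file) can be checked before upload. The following is an added example, not part of Kaspersky CyberTrace or its documentation; the function names are hypothetical, and it assumes that 128 KB means 131072 bytes.

```python
import codecs

MAX_BYTES = 128 * 1024  # assumption: the documented "128 KB" means 131072 bytes

# Longer marks first: the UTF-32 LE mark begins with the UTF-16 LE mark.
_BOMS = [
    (codecs.BOM_UTF8, "UTF-8"),
    (codecs.BOM_UTF32_LE, "UTF-32 LE"),
    (codecs.BOM_UTF32_BE, "UTF-32 BE"),
    (codecs.BOM_UTF16_LE, "UTF-16 LE"),
    (codecs.BOM_UTF16_BE, "UTF-16 BE"),
]


def check_indicator_bytes(data: bytes) -> list:
    """Return the reasons the content breaks the documented file limits.

    An empty list means: at most 128 KB, no byte order mark, valid UTF-8.
    """
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"larger than {MAX_BYTES} bytes")
    bom = next((name for mark, name in _BOMS if data.startswith(mark)), None)
    if bom:
        problems.append(f"starts with a {bom} byte order mark")
    # UTF-16/32 content is already reported through its BOM; otherwise the
    # bytes must decode strictly as UTF-8.
    if bom in (None, "UTF-8"):
        try:
            data.decode("utf-8")
        except UnicodeDecodeError as exc:
            problems.append(f"not valid UTF-8 at byte offset {exc.start}")
    return problems


def check_indicator_file(path) -> list:
    """Check a file on disk, reading one byte past the limit at most."""
    with open(path, "rb") as fh:
        return check_indicator_bytes(fh.read(MAX_BYTES + 1))


if __name__ == "__main__":
    # Constructed samples, not real indicators.
    good = b"example.com\nhttp://example.org/path\n"
    for label, blob in [("plain", good), ("with BOM", codecs.BOM_UTF8 + good),
                        ("Latin-1", "caf\u00e9.example\n".encode("latin-1"))]:
        print(label, "->", check_indicator_bytes(blob) or "OK")
```

Files exported from spreadsheet tools or Windows editors often carry a UTF-8 BOM, so this is the failure most worth catching before an import.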
Viewing information about nodes
You can view detailed information about the following types of nodes:
- Standard Kaspersky CyberTrace indicator:
- Indicator type and value.
- Link to the indicator page in Kaspersky CyberTrace Web.
- Date and time when the indicator was added to a graph.
- Date and time of the first and the last detection.
- Indicator sources.
- Indicator context.
- Whether the indicator has been marked as a false positive.
- External indicator (observable):
- Indicator type and value.
- Link to an external indicator source, if it exists.
- Date and time when the indicator was added to a graph.
- Indicator attributes, if they exist.
- Detection:
- Date and time of the detection.
- Date and time when the detection was added to a graph.
- Detection category.
- The name of the tenant within which the detection was received, if there are tenants other than General.
- The name of the event source.
- Incoming event.
- The parts of the incoming event (in key-value format) that were obtained from the regular expressions applied to the incoming event, and the names of those regular expressions.
- Events that include the detection.
- The parts of the detection alert (in key-value format) that correspond to the detected indicator context.
- Standard Kaspersky CyberTrace indicator that triggered the detection.
- Report:
- Date and time when the report was added to a graph.
- Report name.
- Report vendor.
- Report type, if it exists.
- Link to the report, if it exists.
To view the detailed information about a node:
- Right-click the node that you are interested in.
- On the context menu, click Show details.
A side panel opens on the right, containing detailed information about the node.
You can also view information about nodes in a group.
Creating relationships by connecting nodes
You can create a relationship between nodes in the following ways:
- Connecting nodes manually in the linking mode.
- Creating relationships automatically by using transformations.
To connect nodes manually:
- Turn on the linking mode by clicking the Linking mode button in the sidebar.
- Click the node that you want to connect to another node.
The connecting line appears on the graph, leading from the initial node to the node that you select next.
- Click the next node to create a relationship.
After you have finished connecting the nodes, turn off the linking mode.
Deleting nodes
To delete a node:
- Click the node that you want to delete.
- Click the Delete nodes button in the sidebar or press the DEL key on the keyboard. As an alternative, you can right-click the required node, and then click Delete node on the context menu.
- In the confirmation window that opens, click the Delete button to confirm the node deletion.
When you delete nodes, keep in mind the following:
- If you delete a group node, all nodes in the group are deleted. Instead of deleting the group node, you may want to ungroup it or delete individual nodes in the group.
- If you delete a node that is connected to an Action or Detections node with a directed relationship, Kaspersky CyberTrace deletes both the initial node and the Action or Detections node. If there are other nodes that were related to the Action or Detections node with undirected relationships, Kaspersky CyberTrace does not delete those other nodes.
Deleting relationships
When you delete a node, Kaspersky CyberTrace automatically deletes the relationships connecting this node with other nodes on a graph. You can also delete relationships manually without deleting the related nodes.
To delete a relationship:
- Right-click the relationship.
- On the context menu, click Remove link.