Recommendation 1: watch the video below.




Recommendation 2: do our getting started tutorial. It also contains the graph part and explains things in good detail.


Need more? Continue below.


The Siren Investigate graph browser displays Elasticsearch documents (or Entity Identifiers, e.g. IP addresses or other as specified in the datamodel) as nodes, and Siren Investigate relations as links of a graph.


The graph browser is a panel like others (e.g. like pie charts) that you can add to dashboards (for more information, refer to the Creating dashboards quick start guide).


If you want a dashboard with only a graph browser

  1. In the Dashboards sidebar, click Create new dashboard (fa-bar-chart-mix.png).

  2. Click Add then click Graph Browser and drag the lower right corner of the tile to fill the view.

  3. Click Add all available lens and contextual scripts.

  4. Click the Play icon (fa-play.png) at top left of the screen.

  5. Click Save, and name it General Graph Browser. Then click Save and Add to Dashboard.

Save your changes

When you have finished with the graph browser you can click Save to save the dashboard for future use.

Note

You must save the dashboard before you use it.


How to add your data:

The graph browser works by PULLING data from dashboards which have a Saved Search set (these are the dashboards that have a number on them). The graph browser also has limitations on the amount of nodes that can visualize. By default it will pull in the first 500 nodes from the dashboard you select (this can be changed). This means that typically you first filter the dashboard you want to get the data from to the elements you want to see (typically 500 or less) and then add them to the graph browser.

Pulling data from dashboards into the graph

  1. Open the Graph Dashboard.

  2. In the Graph Browser tile, click +Add and select a dashboard from the Add from another dashboard list. You can repeat this step to add data from other dashboards.

Navigate the graph

The number of connections to each node is shown. You can double click a node to drill down into the data.

To move in or out of the graph, use the mouse scroll wheel or the slider at the top left of the graph browser window.

Click the icon above the slider to toggle between select and panning mode. In select mode you can select nodes by dragging. In panning mode, clicking and dragging enables you to move the nodes around in the window. You can also pan by using the direction icons above the slider.

If you open a large node you will be prompted to confirm that you want to open all of the child nodes or only a selection of them.

You can click standard or hierarchy to arrange the nodes.

You can apply filters from existing dashboards by clicking the Expand drop down and selecting the required dashboards.

To expand a node or set of nodes, select the required nodes and click Expand. You can also select one or more nodes, right click and select Expand by relation from the context menu.

You can click Toggle map mode or Toggle timeline mode to change how the data is displayed.

You can click Toggle relation direction to change which relationships are displayed.

You can click Toggle node highlight to toggle dimming of nodes that are not selected.

Select nodes

Right click anywhere on the graph to display the context menu. From here you can choose:

  • Select - By Edge Count

  • Replace Investment with edge (works only with Siren Investigate Demo data).

  • Shortest Path

  • Select - All

  • Expand by top comention

  • Select - Invert

  • Select - Extend

  • Select - By Type

  • Show nodes count by type

  • Select - By Entity

  • Expand by relation

You can press Del to remove selected nodes from the graph.

You can click Crop to remove all but the selected nodes from the graph.

You can click the Undo or Redo icons to step backward of forward through your changes.

Use lenses and selection

Click the Toggle Sidebar to display the Lenses and Selection tabs.

The Lenses tab enables you apply visual filters to the data displayed in the graph.

  1. From the Lenses tab, select Add a lens > Advanced >Advanced lens.

  2. Enter a unique Lens name.

  3. Select the Active check box to enable the lens. When the Live update check box is selected, changes you make to the lens are shown immediately in the graph browser. If the check box is cleared you can click the Apply lens parameters icon to update the graph browser.

  4. In the Parameters section, select an Entity Type.

  5. Select a match condition:

    • Always.

    • Only for the selected elements.

    • Only if the condition is true.

    If you selected Only if the condition is true, enter a condition in the box.

  6. Select the property to set fro the list:

    • Color (string)

    • Node font icon (string)

    • Node glyphs (array of glyphs)

    • Hidden (Boolean)

    • Label (string)

    • Location (string)

    • Node image (string)

    • Size (number)

    • Time (string)

    • Tooltip (string)

  7. Enter the property in the box then click OK. For example, using the Companies data set select Color, then select SICCode.SicText_1.

The Selection tab displays a list of the currently selected nodes.

Enter a string in the search box to show results from all the matching records in the current selection.

The first column on the left enables you to select or deselect individual nodes. You can click the column head to select or deselect all nodes.

For each field, you can enter a string to match from the selection in the box under the column heading.

You can click Reset column and global filters (fa-filter-mod.png) to reset all filters.