
Creating a graph diagram

After querying the necessary data in the search window, click the gear icon on the toolbar and select Charts → Diagrams → Graph diagram to start building your graph. 

Overview

While you build the graph, each column you add to the workspace (that is, every group of nodes in the final graph) is represented as an object defined by three factors: type, name and attributes.

By default, each column you add to the workspace is assigned a different type, which is a set of settings that affect all the corresponding nodes in the graph. You can group columns containing the same kind of information under the same type so that the same settings apply to their values. To do so, select the type icon of a column and drag it onto the type you want it to belong to.

See below how we group the srcIp and dstIp columns under the same type (type-1). To unassign a type from a column, select the corresponding link and press the Delete key.

To access the type settings, click the required type icon. You will see the options described in the following table:

Icon

Select an icon to represent the values belonging to the type column(s) in the graph.

Color by

Choose the metric you want to use to assign a color to each of the column values.

  • Type/Attribute - Apply the color selected in the Default Color setting to all the nodes, or use the values in the column added to the Color attribute as a metric. Learn more about this attribute below.

  • Size - Colors will be applied according to the size of the nodes. Choose the base color in the Default Color setting.

  • Degree - Colors will be applied according to the number of connections a node has with other nodes. Choose the base color in the Default Color setting.

Default color

Select the color for your nodes when Type/Attribute is selected in the Color by setting. This color also serves as the base color for the Size and Degree options.

Palette

Choose the color scale to be used for the Size and Degree options. The available options are Standard (8 colors), Pastel (24 colors) and Monochrome (10 colors).

Name

This is the name of the group of nodes, which corresponds to the name of the column. In the graph, this name appears when you hover over a node, next to the assigned type.

Each node, that is, each distinct value of the columns added, shows its own value as its name in the graph. You can also give nodes labels taken from another column using the Label attribute. See how to do it below.

Attributes

These are optional attributes that you can assign to each column. Drag a column to the corresponding attribute icon to use its values as labels, positions or colors.

Label

The values of the column you add here are shown as the labels of the nodes: each node displays the value of the label column associated with it. If a node has more than one associated value in the label column, only the first one is displayed in the label, and the rest are shown when you hover over the node.

Position

Column values can be represented on a map if you drag a column containing geocoordinates to this field. You must activate the Map mode option in the graph to display the world map and geolocate your nodes. Learn more in the Working in the graph diagram article.

Color

Drag here the column whose values determine the color of the nodes. The column must contain discrete values. If the values are strings, each distinct value is displayed in a different color. If the values are integers or floats, a dark-to-light monochrome palette is used, from the minimum to the maximum value.

Enabling color

This attribute only takes effect when Type/Attribute is selected in the Color by field of the corresponding type.

How to create a graph diagram

Example

In the following example, we will create a graph diagram using the data from the following query:

from netstat.netflow.lt
  select mmcoordinates(srcIp) as srcPos,
    mmcoordinates(dstIp) as dstPos,
    mmcountry(srcIp) as srcCountry,
    mmcountry(dstIp) as dstCountry
  group every 5m by srcIp, dstIp, srcPos, dstPos, srcCountry, dstCountry
  every 5m
  select count() as count
1. Go to Data Search → Free Text Query, paste the query script in the text field and select Run.

2. Select Additional tools → Charts → Diagrams → Graph diagram from the query toolbar.

3. Select the srcIp and dstIp columns and drag them to the workspace. Both columns will be automatically linked.

4. Click and drag the column header whose values define the relationship between the nodes (the weight of the link). In this example, this is the count column.

5. Now add the srcPos and dstPos columns from the query to geolocate the IP addresses on a map. Drag each of them to the Position attribute of the corresponding column (srcPos → srcIp / dstPos → dstIp).

6. Drag the srcCountry and dstCountry columns to the Color attribute of the corresponding column (srcCountry → srcIp / dstCountry → dstIp). These columns contain the discrete values that will color-code the nodes.

7. Click Apply to generate the graph diagram. Finally, toggle on the Map mode option to geolocate the IP addresses on the world map. Note that nodes with null geolocations are placed in the Atlantic Ocean.
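The following Python script is an added example and is not Devo's code nor the graph diagram's implementation. It models, over constructed rows in the shape of the example query's output, how the settings described in the Overview act on the data: type grouping (one node per distinct value per column, or a merged node when two columns share a type), the Degree metric, and the Color, Label and Position attribute rules, including IPs whose geolocation is null. The function names, the merged type name "ip" and the sample rows are assumptions; palettes are represented only as slot indexes, not actual colors.

```python
# Added example, not Devo's code: a model of how the graph diagram settings
# described above act on the rows the example query returns. All rows are
# constructed; only palette slot indexes are computed, not actual colours.
from collections import defaultdict

STANDARD_PALETTE = 8     # palette sizes named on this page
MONOCHROME_STEPS = 10

# Constructed rows in the shape of the example query's output. Positions are
# (lat, lon) tuples; None marks an IP the mmcoordinates/mmcountry lookups
# could not resolve (private ranges, for instance).
ROWS = [
    {"srcIp": "10.0.0.5", "dstIp": "203.0.113.9", "srcPos": None,
     "dstPos": (51.5, -0.1), "srcCountry": None, "dstCountry": "GB", "count": 42},
    {"srcIp": "10.0.0.5", "dstIp": "198.51.100.7", "srcPos": None,
     "dstPos": (35.7, 139.7), "srcCountry": None, "dstCountry": "JP", "count": 3},
    {"srcIp": "10.0.0.8", "dstIp": "203.0.113.9", "srcPos": None,
     "dstPos": (51.5, -0.1), "srcCountry": None, "dstCountry": "GB", "count": 17},
    {"srcIp": "192.0.2.44", "dstIp": "10.0.0.5", "srcPos": (40.7, -74.0),
     "dstPos": None, "srcCountry": "US", "dstCountry": None, "count": 1},
]


def build_graph(rows, src="srcIp", dst="dstIp", weight="count", same_type=False):
    """Return (nodes, links) for two node columns and a relationship column.

    A node is one distinct value of a column and is keyed by (type, value);
    by default the type is the column name, so 10.0.0.5 seen as srcIp and as
    dstIp gives two nodes. same_type=True models dragging dstIp under srcIp's
    type (called 'ip' here, an assumed name), merging them into one node.
    Link weight is the summed relationship column; degree is the number of
    distinct links a node takes part in, the metric 'Color by: Degree' uses.
    """
    def key(col, value):
        return ("ip", value) if same_type else (col, value)

    links = defaultdict(int)
    for r in rows:
        links[(key(src, r[src]), key(dst, r[dst]))] += r[weight]
    nodes = {}
    for a, b in links:
        for k in (a, b):
            nodes.setdefault(k, {"type": k[0], "name": k[1], "degree": 0})
        nodes[a]["degree"] += 1
        nodes[b]["degree"] += 1
    return nodes, dict(links)


def color_slots(values):
    """Color attribute rule: strings get one distinct slot each in the
    Standard palette (wrapping after 8); ints/floats are scaled min..max onto
    the 10-step monochrome scale; None gets no slot and falls back to the
    type's Default color. Returns {value: (palette, slot) or None}."""
    present = [v for v in values if v is not None]
    if not present:
        return {v: None for v in values}
    numeric = all(isinstance(v, (int, float)) and not isinstance(v, bool)
                  for v in present)
    if numeric:
        lo, hi = min(present), max(present)
        span = (hi - lo) or 1
        return {v: None if v is None else
                ("monochrome", round((v - lo) / span * (MONOCHROME_STEPS - 1)))
                for v in values}
    order = {}
    for v in present:
        order.setdefault(v, len(order))
    return {v: None if v is None else ("standard", order[v] % STANDARD_PALETTE)
            for v in values}


def label_for(rows, node_col, node_value, label_col):
    """Label attribute rule: a node with several label values shows the first
    one as its label; the rest are only visible on hover."""
    seen = []
    for r in rows:
        if r[node_col] == node_value and r[label_col] not in seen:
            seen.append(r[label_col])
    return (seen[0] if seen else None), seen[1:]


def position_for(rows, node_col, node_value, pos_col):
    """Position attribute: the first non-null coordinate pair for the node.
    None means no geolocation; in Map mode such nodes land in the Atlantic."""
    for r in rows:
        if r[node_col] == node_value and r[pos_col] is not None:
            return r[pos_col]
    return None


if __name__ == "__main__":
    nodes, links = build_graph(ROWS)
    for (typ, name), n in nodes.items():
        country_col = typ.replace("Ip", "Country")
        slots = color_slots([r[country_col] for r in ROWS])
        country, hidden = label_for(ROWS, typ, name, country_col)
        print(typ, name, "degree", n["degree"],
              "pos", position_for(ROWS, typ, name, typ.replace("Ip", "Pos")),
              "label", country, "hover", hidden, "color", slots[country])
```

Run it as-is to see one line per node; pass same_type=True to build_graph to see the effect of dragging dstIp under srcIp's type (10.0.0.5, which appears on both sides of the traffic, collapses into one node of degree 3). Nodes whose position_for result is None are the ones that will pile up in the Atlantic when Map mode is on; in this sample that is every private 10.0.0.0/8 address, which is normal for intranet-to-internet netflow.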

For a use case on how to build a graph diagram to detect and analyze accesses to malicious sites, see the Monitor intranet traffic to dangerous websites use case.