
Creating a graph diagram

After querying the necessary data in the search window, click the gear icon on the toolbar and select Charts → Diagrams → Graph diagram to start building your graph. 

Overview

While you build the graph, each field you add to the workspace (that is, each group of nodes in the final graph) is represented as an object defined by three factors: type, name and attributes.

Type

By default, each field you add to the workspace is assigned a different type. A type is a set of settings that applies to all the corresponding nodes in the graph. You can group fields that contain the same kind of information under the same type so that the same settings apply to all their values. To do so, select the type icon of a field and drag it onto the type you want it to belong to.

See below how we group the srcIp and dstIp fields under the same type (type-1). To unassign a type from a node, select the corresponding link and press the Delete key.

To access the type settings, click the required type icon. You will see the options described in the following table:

Icon

Select an icon to represent the values belonging to the type field(s) in the graph.

Color by

Choose the metric you want to use to assign a color to each of the field values.

  • Type/Attribute - Apply the color selected in the Default Color setting to all the nodes, or use the values in the field added to the Color attribute as a metric. Learn more about this attribute below.

  • Size - Colors will be applied according to the size of the nodes. Choose the base color in the Default Color setting.

  • Degree - Colors will be applied according to the number of connections a node has with other nodes. Choose the base color in the Default Color setting.

Default color

Select the color for your nodes when Type/Attribute is selected in the Color by setting. This color also serves as the base for the Size and Degree options.

Palette

Choose the color scale to be used for the Size and Degree options. The available options are Standard (8 colors), Pastel (24 colors) and Monochrome (10 colors).

Name

This is the name of the group of nodes, which corresponds to the name of the field. In the graph, this name appears when you hover over a node, next to the assigned type.

Each node (that is, each distinct value of the fields added) shows its own value as its name in the graph. You can also give nodes labels taken from the values of another field by using the Label attribute. See how to do it below.

Attributes

These are optional attributes that you can assign to each field. Drag a field onto the corresponding attribute icon to use its values as labels, positions or colors.

Label

The value names of the field you add here will be shown as labels of the nodes.

Each node displays the name of the corresponding value in the label field. If a node has more than one associated value in the label field, only the first one is displayed in the label; the rest are shown when you hover over the node.

Position

Field values can be represented on a map if you drag a field containing geocoordinates onto this attribute. You must activate the Map mode option in the graph to display the world map and geolocate your nodes. Learn more in the Working in the graph diagram article.

Color

Drag here the field whose values will dictate the color of the nodes. The field must contain discrete values. If the values are strings, each distinct value is displayed in a different color. If the values are integers or floats, a dark-to-light monochrome palette is applied from the minimum to the maximum value.

Enabling color

You must select Type/Attribute in the Color by field of the corresponding type to apply this attribute.

How to create a graph diagram

Example

In the following example, we will create a graph diagram using the data from the following query:

  from netstat.netflow.lt
    select mmcoordinates(srcIp) as srcPos,
           mmcoordinates(dstIp) as dstPos,
           mmcountry(srcIp) as srcCountry,
           mmcountry(dstIp) as dstCountry
    group every 5m by srcIp, dstIp, srcPos, dstPos, srcCountry, dstCountry
    every 5m
    select count() as count

1. Go to Data Search → Free Text Query, paste the query script in the text field and select Run.

2. Select Additional tools → Charts → Diagrams → Graph diagram from the query toolbar.

3. Drag and drop the fields onto the chart canvas as shown in the picture below:

  • Nodes → srcIp and dstIp

  • Geolocation → srcPos and dstPos (each onto the corresponding node)

  • Color → srcCountry and dstCountry (each onto the corresponding node)

  • Link relationship → count

4. Click Apply to generate the graph diagram. Finally, toggle on the Map mode option to geolocate the IP addresses on the world map. Note that nodes with null geolocations are placed in the Atlantic Ocean.
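To make the node, link and attribute semantics of the example concrete, the following Python script is an added illustration (not Devo code and not part of the original article) that models what the graph builder does with the query output above: srcIp and dstIp grouped under one type, links weighted by count, Position and Color attributes per node, the Degree metric, and the string-versus-numeric behaviour of the Color attribute. The rows, the hex colours in the palettes and the Atlantic placeholder coordinate are all constructed; the rule used for Color by → Degree (same dark-to-light ramp as numeric attributes) is an assumption.

```python
from collections import defaultdict

# Constructed sample rows shaped like the article's query output
# (srcIp, dstIp, srcPos, dstPos, srcCountry, dstCountry, count).
# Positions are (lat, lon) tuples; None stands for a null geolocation.
ROWS = [
    {"srcIp": "10.0.0.1", "dstIp": "203.0.113.5", "srcPos": (40.4, -3.7),
     "dstPos": (37.8, -122.4), "srcCountry": "ES", "dstCountry": "US", "count": 12},
    {"srcIp": "10.0.0.1", "dstIp": "198.51.100.9", "srcPos": (40.4, -3.7),
     "dstPos": (52.5, 13.4), "srcCountry": "ES", "dstCountry": "DE", "count": 3},
    {"srcIp": "10.0.0.2", "dstIp": "203.0.113.5", "srcPos": None,
     "dstPos": (37.8, -122.4), "srcCountry": "FR", "dstCountry": "US", "count": 7},
]

# Palette sizes follow the article (Standard = 8, Monochrome = 10); the hex
# values themselves are constructed, not Devo's.
STANDARD = ["#1f77b4", "#ff7f0e", "#2ca02c", "#d62728",
            "#9467bd", "#8c564b", "#e377c2", "#7f7f7f"]
MONOCHROME = ["#08306b", "#08519c", "#2171b5", "#4292c6", "#6baed6",
              "#9ecae1", "#c6dbef", "#deebf7", "#f7fbff", "#ffffff"]  # dark -> light
ATLANTIC = (0.0, -30.0)  # assumed placeholder for "null geolocations go to the Atlantic"


def build_graph(rows):
    """srcIp and dstIp share one type, so a node is one distinct IP value.
    Each node carries its Position and Color attribute values (first value
    seen wins, mirroring the 'first associated value' rule for labels);
    links are keyed (src, dst) and weighted by the summed count."""
    nodes, links = {}, defaultdict(int)
    for r in rows:
        for ip, pos, country in ((r["srcIp"], r["srcPos"], r["srcCountry"]),
                                 (r["dstIp"], r["dstPos"], r["dstCountry"])):
            nodes.setdefault(ip, {"position": pos if pos is not None else ATLANTIC,
                                  "color": country})
        links[(r["srcIp"], r["dstIp"])] += r["count"]
    return nodes, dict(links)


def degrees(links):
    """Degree = number of distinct nodes a node is connected to."""
    neighbours = defaultdict(set)
    for src, dst in links:
        neighbours[src].add(dst)
        neighbours[dst].add(src)
    return {node: len(peers) for node, peers in neighbours.items()}


def scale_to_palette(values, palette):
    """Map numeric values onto a palette: minimum -> palette[0] (darkest),
    maximum -> palette[-1] (lightest), as the Color attribute does for
    integer/float fields."""
    lo, hi = min(values.values()), max(values.values())
    span = (hi - lo) or 1
    return {k: palette[round((v - lo) / span * (len(palette) - 1))]
            for k, v in values.items()}


def color_by_attribute(nodes, palette=STANDARD, mono=MONOCHROME):
    """'Color by: Type/Attribute' with a field on the Color attribute:
    strings get one distinct colour per value, numbers a monochrome ramp."""
    attrs = {n: d["color"] for n, d in nodes.items()}
    if all(isinstance(v, (int, float)) for v in attrs.values()):
        return scale_to_palette(attrs, mono)
    distinct = sorted(set(attrs.values()))
    return {n: palette[distinct.index(v) % len(palette)] for n, v in attrs.items()}


def color_by_degree(nodes, links, palette=MONOCHROME):
    """'Color by: Degree', assumed here to use the same min->max ramp."""
    per_node = {n: d for n, d in degrees(links).items() if n in nodes}
    return scale_to_palette(per_node, palette)


if __name__ == "__main__":
    nodes, links = build_graph(ROWS)
    print(nodes, links, degrees(links), color_by_attribute(nodes),
          color_by_degree(nodes, links), sep="\n")
```

Running the script shows 10.0.0.2 placed at the Atlantic placeholder because its srcPos is null, 10.0.0.1 and 203.0.113.5 with degree 2 (the lightest colour under Color by → Degree), and one Standard colour per distinct country code under Color by → Type/Attribute.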

For a use case on how to build a graph diagram to detect and analyze accesses to malicious sites, see the Monitor intranet traffic to dangerous websites use case.