Working with Actions on the Investigation Canvas

  • Release version: Washingtondc
  • Updated November 5, 2024
  • 6 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Working with Actions on the Investigation Canvas Threat Analyst Workbench

    This guide provides detailed actions you can perform on the investigation canvas within the ServiceNow Threat Analyst Workbench. Understanding these actions enhances your ability to conduct thorough investigations and effectively manage data visualizations related to threats.

    Show full answer Show less

    Key Features

    • Form Actions:
      • Link Case: Connect a case to the canvas.
      • Unlink Case: Disconnect a case from the canvas.
      • Save: Save changes made to the case record.
      • Duplicate: Create copies of nodes.
      • Delete: Remove the canvas.
    • Graph Actions:
      • Find on Map: Search for nodes and edges.
      • Canvas Filter: Temporarily hide less relevant records to focus on critical entities.
      • Save Canvas: Save the current state of the canvas.
      • Add Data to Library: Save new relationships and nodes to the library.
      • Add From Library: Import data from the threat intelligence library.
      • Add From Case Artifacts: Include data from linked case artifacts.
    • Node Actions:
      • Mark as Home Node: Highlight a specific node for focused analysis.
      • Add Relationship: Create custom relationships between nodes.
      • Show Details: View detailed information about a node.
      • Open Record: Open the selected record in a new tab.
      • Remove from Canvas: Delete a node from the canvas.
      • Fetch Related Records: Add related records to the canvas.
    • Edge Actions:
      • Edit: Modify edge labels for clarity.
      • Remove: Delete the visual connection between nodes.
    • Toolbar Actions:
      • Zoom In/Out: Adjust the view of the canvas.
      • Fit to Screen: Resize the canvas to fit your display.
      • Export Map: Save the canvas as a PDF.
      • Refresh: Reload data from the library (unsaved changes will be lost).
      • Clear Canvas: Temporarily remove nodes from view.
      • Legend: Visual representation of nodes and entities.
    • Grouping and Ungrouping:
      • Group nodes to reduce clutter and simplify navigation during investigations.
      • Ungroup nodes to reveal hidden connections and details.

    Key Outcomes

    By utilizing these actions, you can streamline your investigative process, enhance data visibility, and improve your ability to analyze threat information effectively. Understanding and applying these features will lead to more organized and insightful investigations, enabling you to respond to threats with greater efficiency. Always remember to save your canvas to avoid losing changes before refreshing or clearing the view.

    This section describes the various actions that you can perform on the investigation canvas.

    Investigation canvas includes:
    1. Form actions
    2. Graph actions
    3. Node actions
    4. Edge actions
    5. Toolbar actions
    Figure 1. Investigation Canvas
    TISC Investigation canvas view.
    Table 1. Investigation canvas Form actions
    Action Operation
    Link Case Allows you to link case on the investigation canvas.
    Unlink Case Allows you to unlink the case on the investigation canvas.
    Save Option to save the case record.
    Duplicate Option to duplicate the nodes on the investigation canvas.
    Delete Option to delete the canvas.
    Table 2. Investigation canvas Graph actions
    Action Operation
    Find on map Allows you to search through different nodes and edges.
    Canvas Filter

    The Filter functionality helps you refine your view on the investigation canvas.

    For example, if you filter out a record type such as Campaign, it is temporarily removed from the canvas display.

    By applying filters, you can control which types of entities or records are shown on the map, enabling a cleaner and more focused investigation experience.
    Note:
    Use filters to highlight only the most relevant nodes such as observables or threat actors while temporarily hiding less critical information on the canvas.
    Save Canvas Allows you to save the investigation canvas.
    Add Data to Library This option allows you to establish a new relationship between two different nodes on the investigation canvas.

    All the changes made on the canvas including the new nodes, new links between nodes, and any edited or modified edge labels will be saved to the library.

    All nodes currently present on the canvas will be added as artifacts to the linked case.

    A confirmation message will be displayed once the data is successfully saved to the library.
    Add From Library This action will add the threat intelligence library data and also establish the relationship between the new node imported from the threat intelligence library and the existing nodes on the investigation canvas.
    Add From Case Artifacts Allows you to add data from corresponding case artifacts that is linked to the canvas.
    Table 3. Investigation Canvas Node actions
    Action Operation
    Mark as Home Node This option allows you to mark a specific node as the home node on the Investigation Canvas.

    When pivoting during analysis, the application automatically highlights and centers the home node, bringing it into focus at the center of the canvas.

    The focused node is visually emphasized through:
    • A distinct border
    • Highlighting
    • A subtle circular motion animation
    This makes it easier to identify and explore the canvas data related to the primary focus of your investigation.
    Add Relationship This option allows you to add custom relationships between nodes on the Investigation Canvas. You can define relationship types such as:
    • One-to-many
    • Many-to-one
    • Many-to-many
    This helps represent complex associations between entities.
    Show Details This option allows you to view detailed information about the selected node on the Investigation Canvas, including its attributes and any associated observables or relationships.
    Open Record This option allows you to open the selected record in a new browser tab for easier reference and multitasking.
    Remove from Canvas This option allows you to remove the selected node from the investigation canvas, effectively deleting it from the current view.
    Fetch Related Records This option allows you to fetch related records for a specific node and add them directly to the investigation canvas using the Select Entity Types dialogue box.

    Select Add All option to automatically includes all the object related record types into the given selection box.

    For example, if there are 5 to 10 different types of related records, you will have to manually select each object type. The Add All feature streamlines this process by populating all the relevant records at once, improving the user experience. After adding records, you can remove them or select the Expand option to view the related nodes.

    However to enhance the usability, you can now select Expand All to instantly expand all the related records linked to a node, instead of manually adding or expanding the records.

    Table 4. Investigation Canvas Edge actions
    Action Operation
    Edit This option allows you to edit and modify the label of an edge on the Investigation Canvas, enabling clearer representation of relationships between nodes.
    Remove This option allows you to remove an edge from the Investigation Canvas, effectively deleting the visual connection between two nodes.
    Table 5. Investigation Canvas Toolbar icons
    Action Operation
    Zoom in Option to zoom in the investigation canvas to easily focus on specific areas of the canvas.
    Zoom out Option to zoom out the investigation canvas to easily focus on specific areas of the canvas.
    Fit to screen Option to fit the investigation canvas to the screen size.
    Export map Option to export the investigation canvas as a PDF for better viewing.
    Refresh The Refresh option allows you refresh and reload the data from the library onto the Investigation Canvas.
    Note:
    Any unsaved changes on the canvas will be lost if you refresh without saving. It is recommended to save your canvas before refreshing to avoid data loss.
    Clear Canvas Allows you to clear the canvas.

    This selection will temporarily remove the nodes from the investigation canvas.

    A confirmation message is displayed, prompting you to confirm whether you want to clear the canvas. Acknowledge the message to proceed.

    Note:
    After making changes on the investigation canvas, you must Save the canvas. If the changes are not saved and if you refresh the canvas then it will revert to its previous state, and any unsaved nodes or modifications will be lost.
    Legend This option provides you a visual representation of the nodes and entities currently displayed on the Investigation Canvas. The legend includes two key views:
    • Node and Link Representation: Displays how different node types appear on the canvas and how they are connected via edges. This helps you quickly understand the structure and relationship between various elements in the investigation.
    • Entities Representation: Shows the types of entities currently present on the canvas (Observables, Indicators, and objects).

    The following illustrates the legends for node, link, and entity representations:
    Figure 2. Node and Link representation
    node and link representation
    Figure 3. Entities representation
    Entities representation

    Grouping or Ungrouping records from Investigation Canvas

    The group feature allows you to group nodes for easier analysis. A grouping button has been added next to nodes that can be grouped. By default, this button displays a minus (−) icon on the canvas, indicating that the connected node can be collapsed or grouped.

    Any outdegree node would be considered for a group.
    Note:
    The group icon is introduced to reduce clutter on the canvas and simplify navigation during critical investigations. For nodes without additional edges (connections), the grouping button is not displayed since there are no related nodes available to group.

    The following table explains the guidelines while grouping or ungrouping the nodes:

    Action Result
    Grouping a Node
    • All child nodes with only one parent (even across multiple levels) will be hidden within the group.
    • Nodes with multiple parents remain visible, but connections from the group to them will be hidden.
    Ungrouping a Node
    • Reveals all previously hidden nodes with one parent and their connections.
    • If nodes with multiple parents were already visible, their hidden connections will also be restored.
    Importing Node/ Fetch Related records Automatically expands a collapsed group if the new node connects to a hidden node within it.
    Allowed Actions Grouped nodes only support the Show Details action, which will show details of parent node. Other actions are disabled.
    Filter Filtering non-grouped nodes follows standard filtering behavior, while still respecting grouping rules.

    Filtering a grouped node hides the entire group and its child node.
    Other Actions Actions such as removing a node or modifying edges follow all grouping rules and behaviors.