Working with Actions on the Investigation Canvas

  • Release version: Yokohama
  • Updated January 30, 2025
  • 6 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Working with Actions on the Investigation Canvas

    The Investigation Canvas in ServiceNow Yokohama release provides a powerful visual workspace for analyzing cases through interactive nodes, edges, and graphs. It supports various actions categorized into form, graph, node, edge, and toolbar operations, enabling users to efficiently investigate and manage relationships between case artifacts and threat intelligence data.

    Show full answer Show less

    Form Actions

    • Link/Unlink Case: Connect or disconnect cases on the canvas to correlate investigations.
    • Save: Persist changes made to the case record.
    • Duplicate: Copy nodes for parallel analysis.
    • Delete: Remove the entire canvas.

    Graph Actions

    • Find on Map: Search nodes and edges to quickly locate relevant data.
    • Canvas Filter: Temporarily hide specific record types (e.g., Campaigns) to focus on critical entities such as observables or threat actors.
    • Save Canvas: Save the current state of the investigation map.
    • Add Data to Library: Save new relationships, nodes, and edits to the threat intelligence library, adding all canvas nodes as artifacts linked to the case.
    • Add From Library: Import threat intelligence data and establish relationships to existing nodes.
    • Add From Case Artifacts: Bring in data from linked case artifacts for expanded context.

    Node Actions

    • Mark as Home Node: Highlight and center a node during pivots to maintain focus on primary investigation elements.
    • Add Relationship: Define custom links (one-to-many, many-to-one, many-to-many) between nodes to model complex entity associations.
    • Show Details: View detailed attributes and related observables of a selected node.
    • Open Record: Launch node records in new browser tabs to facilitate multitasking.
    • Remove from Canvas: Delete nodes from the current investigation view.
    • Fetch Related Records: Add related records in bulk or selectively, with options to expand all related nodes instantly, streamlining data exploration.

    Edge Actions

    • Edit: Modify relationship labels to clarify connections between nodes.
    • Remove: Delete edges to remove visual links.

    Toolbar Actions

    • Zoom In/Out and Fit to Screen: Adjust canvas view for better visualization.
    • Export Map: Save canvas as PDF for offline review or sharing.
    • Refresh: Reload library data onto the canvas; unsaved changes will be lost, so saving beforehand is recommended.
    • Clear Canvas: Temporarily remove all nodes after confirmation.
    • Legend: Displays node, link, and entity types for quick understanding of the canvas structure and data.

    Grouping and Ungrouping Nodes

    The canvas supports grouping of nodes to reduce clutter, especially for nodes with multiple connected child nodes. Grouped nodes can be collapsed or expanded:

    • Grouping: Hides child nodes with a single parent, simplifying the view while keeping nodes with multiple parents visible.
    • Ungrouping: Reveals all hidden nodes and connections.
    • Adding related nodes to a collapsed group automatically expands it if the new nodes connect to hidden nodes.
    • Grouped nodes support limited actions, primarily "Show Details" on the parent node.
    • Filtering a grouped node hides the entire group and its children.
    • Other actions such as removing nodes or editing edges honor grouping rules for consistent behavior.

    Practical Benefits for ServiceNow Customers

    This comprehensive set of investigation canvas actions empowers you to visually explore, analyze, and manage complex case data relationships efficiently. You can customize views, maintain focus on critical data, expand investigation context through related records and libraries, and keep the canvas organized via grouping. The ability to save, export, and refresh canvases supports collaborative and iterative investigation workflows, enhancing your threat intelligence and case management capabilities.

    This section describes the various actions that you can perform on the investigation canvas.

    Investigation canvas includes:
    1. Form actions
    2. Graph actions
    3. Node actions
    4. Edge actions
    5. Toolbar actions
    Figure 1. Investigation Canvas
    TISC Investigation canvas view.
    Table 1. Investigation canvas Form actions
    Action Operation
    Link Case Allows you to link case on the investigation canvas.
    Unlink Case Allows you to unlink the case on the investigation canvas.
    Save Option to save the case record.
    Duplicate Option to duplicate the nodes on the investigation canvas.
    Delete Option to delete the canvas.
    Table 2. Investigation canvas Graph actions
    Action Operation
    Find on map Allows you to search through different nodes and edges.
    Canvas Filter

    The Filter functionality helps you refine your view on the investigation canvas.

    For example, if you filter out a record type such as Campaign, it is temporarily removed from the canvas display.

    By applying filters, you can control which types of entities or records are shown on the map, enabling a cleaner and more focused investigation experience.
    Note:
    Use filters to highlight only the most relevant nodes such as observables or threat actors while temporarily hiding less critical information on the canvas.
    Save Canvas Allows you to save the investigation canvas.
    Add Data to Library This option allows you to establish a new relationship between two different nodes on the investigation canvas.

    All the changes made on the canvas including the new nodes, new links between nodes, and any edited or modified edge labels will be saved to the library.

    All nodes currently present on the canvas will be added as artifacts to the linked case.

    A confirmation message will be displayed once the data is successfully saved to the library.
    Add From Library This action will add the threat intelligence library data and also establish the relationship between the new node imported from the threat intelligence library and the existing nodes on the investigation canvas.
    Add From Case Artifacts Allows you to add data from corresponding case artifacts that is linked to the canvas.
    Table 3. Investigation Canvas Node actions
    Action Operation
    Mark as Home Node This option allows you to mark a specific node as the home node on the Investigation Canvas.

    When pivoting during analysis, the application automatically highlights and centers the home node, bringing it into focus at the center of the canvas.

    The focused node is visually emphasized through:
    • A distinct border
    • Highlighting
    • A subtle circular motion animation
    This makes it easier to identify and explore the canvas data related to the primary focus of your investigation.
    Add Relationship This option allows you to add custom relationships between nodes on the Investigation Canvas. You can define relationship types such as:
    • One-to-many
    • Many-to-one
    • Many-to-many
    This helps represent complex associations between entities.
    Show Details This option allows you to view detailed information about the selected node on the Investigation Canvas, including its attributes and any associated observables or relationships.
    Open Record This option allows you to open the selected record in a new browser tab for easier reference and multitasking.
    Remove from Canvas This option allows you to remove the selected node from the investigation canvas, effectively deleting it from the current view.
    Fetch Related Records This option allows you to fetch related records for a specific node and add them directly to the investigation canvas using the Select Entity Types dialogue box.

    Select Add All option to automatically includes all the object related record types into the given selection box.

    For example, if there are 5 to 10 different types of related records, you will have to manually select each object type. The Add All feature streamlines this process by populating all the relevant records at once, improving the user experience. After adding records, you can remove them or select the Expand option to view the related nodes.

    However to enhance the usability, you can now select Expand All to instantly expand all the related records linked to a node, instead of manually adding or expanding the records.

    Table 4. Investigation Canvas Edge actions
    Action Operation
    Edit This option allows you to edit and modify the label of an edge on the Investigation Canvas, enabling clearer representation of relationships between nodes.
    Remove This option allows you to remove an edge from the Investigation Canvas, effectively deleting the visual connection between two nodes.
    Table 5. Investigation Canvas Toolbar icons
    Action Operation
    Zoom in Option to zoom in the investigation canvas to easily focus on specific areas of the canvas.
    Zoom out Option to zoom out the investigation canvas to easily focus on specific areas of the canvas.
    Fit to screen Option to fit the investigation canvas to the screen size.
    Export map Option to export the investigation canvas as a PDF for better viewing.
    Refresh The Refresh option allows you refresh and reload the data from the library onto the Investigation Canvas.
    Note:
    Any unsaved changes on the canvas will be lost if you refresh without saving. It is recommended to save your canvas before refreshing to avoid data loss.
    Clear Canvas Allows you to clear the canvas.

    This selection will temporarily remove the nodes from the investigation canvas.

    A confirmation message is displayed, prompting you to confirm whether you want to clear the canvas. Acknowledge the message to proceed.

    Note:
    After making changes on the investigation canvas, you must Save the canvas. If the changes are not saved and if you refresh the canvas then it will revert to its previous state, and any unsaved nodes or modifications will be lost.
    Legend This option provides you a visual representation of the nodes and entities currently displayed on the Investigation Canvas. The legend includes two key views:
    • Node and Link Representation: Displays how different node types appear on the canvas and how they are connected via edges. This helps you quickly understand the structure and relationship between various elements in the investigation.
    • Entities Representation: Shows the types of entities currently present on the canvas (Observables, Indicators, and objects).

    The following illustrates the legends for node, link, and entity representations:
    Figure 2. Node and Link representation
    node and link representation
    Figure 3. Entities representation
    Entities representation

    Grouping or Ungrouping records from Investigation Canvas

    The group feature allows you to group nodes for easier analysis. A grouping button has been added next to nodes that can be grouped. By default, this button displays a minus (−) icon on the canvas, indicating that the connected node can be collapsed or grouped.

    Any outdegree node would be considered for a group.
    Note:
    The group icon is introduced to reduce clutter on the canvas and simplify navigation during critical investigations. For nodes without additional edges (connections), the grouping button is not displayed since there are no related nodes available to group.

    The following table explains the guidelines while grouping or ungrouping the nodes:

    Action Result
    Grouping a Node
    • All child nodes with only one parent (even across multiple levels) will be hidden within the group.
    • Nodes with multiple parents remain visible, but connections from the group to them will be hidden.
    Ungrouping a Node
    • Reveals all previously hidden nodes with one parent and their connections.
    • If nodes with multiple parents were already visible, their hidden connections will also be restored.
    Importing Node/ Fetch Related records Automatically expands a collapsed group if the new node connects to a hidden node within it.
    Allowed Actions Grouped nodes only support the Show Details action, which will show details of parent node. Other actions are disabled.
    Filter Filtering non-grouped nodes follows standard filtering behavior, while still respecting grouping rules.

    Filtering a grouped node hides the entire group and its child node.
    Other Actions Actions such as removing a node or modifying edges follow all grouping rules and behaviors.