General Overview of Investigation
Investigation forms part of Gemini Enterprise. It is one of many options available to exploit our Zero-Copy Data Virtualization layer, giving unified access to all your data sources. Our Autonomous Data Infrastructure (ADI) product has Investigation built-in, and this guide will help you investigate!
This product has been specifically designed from the ground up to offer a rich visual experience in which to explore and investigate your data. Using a dynamic multi-layer visualization tool based on Graph technology, it enables the user to drill down and interact with your Elements. In this way, for instance, we could click on a visual user Element and discover to which servers and persons they are connected.
This process is intuitive to use, as it mimics the way our brains ‘think’. When we discover something interesting, we instinctively need to know how this occurred or to what it is connected. Using Investigation, we can simply click on an Element to discover context and reveal this information.
From the Global App Bar in ADI, select the Investigation option to reveal a login screen.
Enter your ADI credentials and click the ‘Sign in’ button.
Introduction to using Investigation
This is where your visual investigation journey begins. To start the process you may have a use case in mind, such as a User or Host that you wish to investigate. In this example, simply add a suitable Time Range, and a relevant search Element. To narrow down the search, it may be necessary to add or exclude more Elements.
An Element can be any discernible ‘thing’ that exists on your Graph. Refer to the section ‘General terms used with Investigation’ for details on aspects of Investigation.
The example here shows Elements making up the Graph view on the visible Canvas.
To open Investigation, select the Investigation option from the Global App Bar at the top of your screen. Investigation is split into several panels around a central Canvas.
|Search||Set time range and criteria for the investigation search. Save your searches.|
|Data||Shows available Elements and Relationships. Use in combination with Search to set criteria.|
|History||Complete history of your investigation, and ability to retrieve an earlier state of the investigation.|
|Navigator||Use your mouse and keyboard here to navigate the Canvas|
|Inspector||Obtain detail regarding your Elements and Relationships. Invoke the Element Profiler.|
|Element List||Lists all Elements on the Canvas. Filter and search Elements from here.|
Search and Data Panels
Use these in combination to set up a time range and the criteria over which to search. Avoid using the ‘All Time’ option where possible, as this could take a long time to process.
The ‘Show’ search box will be the usual way of driving investigations across your data. It restricts the results to the chosen Elements, which are linked by a logical ‘OR’; for instance, just users or servers. To add Elements, locate and highlight them in the Data Panel, then use the ‘+’ icon adjacent to the element name to add them to the search criteria.
The ‘Exclude’ search box applies a logical ‘NOT’ to the selected Elements. This is not as efficient as the ‘Show’ option, as it will bring back all elements except those stated.
If you wish to save your Investigation, there is a small disc icon next to the ‘Saved Searches’ selection box.
To reset your search criteria at any time, click the Reset button.
The History panel is a useful addition to Investigation, especially if you find something interesting early on in your investigation and you want to go back. This panel holds a complete history of your project. Scroll down to locate a previous search, ordered by time, and click the ‘+’ icon to restore it to the Canvas.
Also, use this panel simply to ‘undo’ or ‘redo’ any actions you have recently completed.
The Navigator panel is one of several ways of navigating around the Investigation screen. Use your mouse here to ‘click-and-drag’ to select various regions of the Canvas you want to view. Use the icons below to assist with the chosen area. For instance, the first of these icons will fit the entire Graph onto the visible Canvas window.
The second icon in this panel can be used in conjunction with the ‘Select’ tool (top left icon on Toolbar). Use the Select tool to draw a rectangle around chosen Elements on your Canvas, then use the second icon of the Navigator panel to expand the view to just those Elements.
When you select an Element from the Graph, the Inspector panel will show a list of details for that Element. The list of details will vary depending on the element.
To reveal a full profile within the Element Profiler, click the element name under the Inspector panel. This will open the ‘View Element Profiler’ screen showing the Element’s relationships and its directly related Elements.
To return to your Investigation Canvas, locate and click the ‘Open in Investigation’ option at the top of the page or click on the ‘X’ in the top right-hand corner.
Element List Panel
Lists all of the Elements currently on the Canvas. Use the ‘Filter Elements’ box here to search for any specific element. Once filtered, these element(s) will be highlighted on the Canvas.
Introduction to the Investigation Canvas
There are a variety of ways to work with the Canvas; a combination of shortcut keys, mouse or trackpad, together with the surrounding Canvas Panels.
Before we start to examine navigation techniques available, here are some general terms to which we will be referring.
General terms used with Investigation
|Setting||Notes on using this setting|
|Element||The representation of a discernible unique ‘thing’ on the graph|
|Relationship||A connection between two elements that describes how they are related in some way. This is presented by an interconnecting line on the graph which includes the relationship direction.|
|Class||The kind of an element or relationship|
|Property||A distinct value: a string, or number, etc|
|Label||Caption of an element or relationship|
|Tag||A way to classify graphs - a graph can be tagged indicating its nature so viewers can quickly find it.|
|Search||Search is the process of starting an investigation by specifying criteria - both what to look for and what to exclude. Filters can use a combination of multiple filters as part of its specification. Saved Searches reuse a predefined filter combination at a later time.|
|Graph||The visual representation of Elements and Relationships on the Canvas. Not the same as the "Graph DB"|
Elements and Relationships are grouped by class.
- Element classes could include: ‘user’, ‘computer’, ‘group’, ‘dnsnode’, etc.
- Relationship classes could include: ‘authenticated_to’, ‘manager’, ‘parent’, etc.
The choice of Elements and Relationships during an investigation depends on your use case. Follow this quick start tutorial to investigate the user ‘Jdoe’. More detail will follow Tutorial 1.
Quick start Tutorial 1 - Using Investigation to examine a user element
- Enter a suitable Time Range to search.
- Locate and highlight the ‘user’ Element within the list of Elements from the Data panel. When highlighted, a small ‘+’ value is visible adjacent to the element name, click this to add it to the ‘Show’ search box.
The numeric value in parentheses is the known number of elements.
- Locate and click the ‘Apply’ button. It will now search and display those ‘user’ elements in the main Graph display.
Various ways of working with Graph elements on the Canvas are available:
- Use the mouse-click and space keys together, to manipulate the size and position of elements on the canvas
- On the right of your screen you will see a Navigator panel, with icons allowing similar control.
- Shortcut keys and right-click key option menus are available for working with Graph elements on the canvas - refer to the section, ‘Keyboard Shortcut keys - Investigation’
- Use of the Toolbar at the top of the screen
- In order to isolate the user ‘Jdoe’ you have a couple of choices. Locate and click the element on the canvas itself to highlight it, or make use of the search box in the Toolbar (top of the screen). For instance, replace ‘Select Elements by Keyword’ with ‘jdoe’ and press return. The Element will now be highlighted. To make your investigation richer, right-click the element, and choose ‘isolate’ to clear everything else away from the canvas (or simply type ‘i’ on the Canvas).
To clear the Graph completely at any time, click the Canvas and type ‘e’.
To redraw the Graph at any time, click the Canvas and type ‘r’.
Notice on the right of the screen, the Inspector panel shows detail for a selected Element or Relationship. To reveal a full profile within the Element Profiler, click the name under the Inspector panel. This will open a separate screen. To return to your Investigation canvas, locate and click the ‘Open in Investigation’ option at the top of the page.
- Once isolated, double-click an element to drill-down and reveal further adjacent elements. Observe and investigate visible relationships as appropriate, and repeat the steps above to reveal, isolate and drill-down into your elements.
Working with the Investigation Canvas
As suggested in Tutorial 1, several options are available to navigate the canvas.
- Keyboard & mouse controls (including shortcut keys)
- Right-click Menu
- Navigator Panel
- Investigation Toolbar
As a simple example of this, a common requirement is to clear the Canvas completely. Use any of the bulleted options to achieve the task:
Clearing the Canvas
- Click anywhere on the Canvas and type ‘e’
- Locate and click the ‘Clear Canvas’ icon on the Investigation Toolbar
- Open the 'ellipsis' menu, and choose 'Clear Canvas'
You will quickly develop your own preferences when using the product, so we shall now explore some more navigation actions.
Manipulating the Graph
- Hold the space key down on your keyboard, while you click-and-drag your mouse (or trackpad) on the Graph display.
- Locate the Navigator Panel. Click and drag your mouse within this panel to highlight the area of Graph you wish to select.
- Locate the Toolbar and choose the ‘Pan’ (hand) icon. Then click-and-drag your mouse over the Graph
Zoom control of the Graph
- Using the keyboard, hold the ‘alt’ key and click the mouse to zoom out.
- Click anywhere on the Canvas and type ‘z’. Click the mouse again to zoom by increments.
- Locate the Navigator Panel, and click the ‘+’ magnifying glass icon. Here it is also possible to reduce the zoom by clicking the ‘-’ magnifying glass icon.
- Locate the Investigation Toolbar and choose the ‘+’ magnifying glass icon. Then click on the Graph to increase the zoom.
Selecting Elements on the Graph
- Locate and click one of the Elements with your mouse (you may first need to choose the mouse Select Pointer from the Investigation Toolbar). The selected Element will be color highlighted.
- Locate the Element List Panel, and search for an Element using the Filter Elements box. If the Element is found, select it within the Element List and it will be color highlighted immediately.
- Locate the Investigation Toolbar and search for an Element using the ‘Select elements by Keyword’ box.
Working with a group of Elements
- Using your mouse, click-and-drag a selection rectangle around several Elements (Note: choose the mouse Select Pointer from the Investigation Toolbar if required), or hold down the 'Shift' key and select individual elements. The selected Elements will be color highlighted.
- To maximize the view of these selected Elements, locate the ‘Zoom to Fit Selected’ icon in the Navigator Panel.
- Right-click on the canvas to reveal various options. In the example below 13 elements have been selected.
- Select or press 'I' - To isolate those selected elements
- Select or press 'W' - To Discard these and leave the remaining elements
- Select or press 'G' - To create a Group that can be minimised and expanded
- Select 'Save Selection' - To initiate this as a 'Saved Graph'
Using your mouse controls to select and group together elements is usually the fastest way to navigate, but it takes some practice. See below for a guide as to what can be achieved.
Investigate an Element using drill-down
There are three levels of ‘Neighbor’ detail which can be set. Locate the ‘Select Element Neighbors’ button from the Investigation Toolbar.
Choose the appropriate level of complexity as follows:
- Level 1 - displays the nearest neighbors only, and is the preferred option to start
- Levels 2 & 3 - display neighbors of neighbors
Once an Element of interest has been selected, and maybe isolated (type ‘i’), we can now drill-down at the chosen Level to reveal its Neighbors.
- Double-click on the Element with your mouse/trackpad, and watch as its Neighbors and Relationships are revealed.
- Select Neighbors with your mouse and use the information within the Inspector Panel to help verify their identity/role. Select the connecting lines to reveal detail of the Relationship between Elements.
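A conceptual model of the ‘Show’/‘Exclude’ search criteria and the three Neighbor levels described above, as an added example that is not part of the original guide and not the product's own code or API. The sample graph is constructed, all function names are hypothetical, and it assumes that an empty ‘Show’ box matches every class and that neighbors are followed in either relationship direction.

```python
from collections import deque

# Constructed sample graph: element name -> class (class names from the guide).
ELEMENTS = {
    "jdoe": "user", "asmith": "user", "svc-backup": "user",
    "ws-014": "computer", "srv-files": "computer", "srv-db": "computer",
    "finance": "group",
}
# Constructed directed relationships: (source, relationship class, target).
RELATIONSHIPS = [
    ("jdoe", "authenticated_to", "ws-014"),
    ("jdoe", "authenticated_to", "srv-files"),
    ("asmith", "authenticated_to", "srv-files"),
    ("asmith", "authenticated_to", "srv-db"),
    ("svc-backup", "authenticated_to", "srv-db"),
    ("asmith", "manager", "jdoe"),
    ("finance", "parent", "asmith"),
]

def search(show=(), exclude=()):
    """'Show' classes are OR-ed together; 'Exclude' applies NOT to its classes.
    Assumption: an empty 'Show' matches every class."""
    hits = {n for n, c in ELEMENTS.items() if not show or c in show}
    return {n for n in hits if ELEMENTS[n] not in exclude}

def neighbors(start, level=1):
    """Map each element within `level` hops of `start` to its hop distance.
    Assumption: relationships are followed in either direction."""
    if level not in (1, 2, 3):
        raise ValueError("the guide describes Levels 1, 2 and 3 only")
    adjacent = {}
    for src, _cls, dst in RELATIONSHIPS:
        adjacent.setdefault(src, set()).add(dst)
        adjacent.setdefault(dst, set()).add(src)
    seen, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] == level:      # do not expand past the chosen depth
            continue
        for nxt in adjacent.get(node, ()):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    del seen[start]
    return seen

def relationships_between(a, b):
    """Directed relationships drawn as the line between two elements."""
    return [(s, c, d) for s, c, d in RELATIONSHIPS if {s, d} == {a, b}]

if __name__ == "__main__":
    print(sorted(search(show={"user", "computer"})))
    print(sorted(search(exclude={"computer"})))
    for lvl in (1, 2, 3):
        print(lvl, sorted(neighbors("jdoe", lvl).items()))
    print(relationships_between("jdoe", "asmith"))
```

Each extra level pulls in elements that are only indirectly tied to ‘jdoe’, which is why Level 1 is the preferred starting point.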
Working with Relationships
Relationships between the Elements, shown graphically as lines, might form your initial use case for an Investigation. For instance, if you were looking for current ‘authenticated connections’:
- From the Data Panel, change the selector to ‘Relationships’. Locate a class involving authentications. If it has a number in brackets, this will be the total number it knows about. Use the small ‘+’ icon to add this to your Search box, and known relationships and their corresponding Elements will appear on the Canvas.
To extend the Relationships currently displayed for an Element:
- Click to select the required Element, then right-click to reveal a menu from which choose ‘Insert-Relationships…’ This will expand a list of possible relationship types such as a Group or Parent.
To discover more about the Relationship, in other words the date and time of the authentication and the status of that authentication:
- Click on the connecting line between Elements. Review information about this Relationship in the Inspector Panel.
Right-click menu - Investigation
|Select All in Class||Select an Element from the Canvas. From the Inspector panel, observe the Class or Classes to which it belongs. When you choose this option, Elements within the same class will be colored on the Canvas. If Elements belong to more than one Class, they will be highlighted in a different color.|
|Select All||Will select all elements on the graph.|
|Deselect All||Reverses the Select All option.|
|Invert Selection||Highlights all elements other than those selected|
|Select Neighbours||Will also select neighbouring elements to Level 1, 2, 3 if they exist|
|Save Selection||This will initiate the 'Saved Graph' function menu|
|Isolate||Useful to clear the Canvas around the Element of concern, allowing you to drill-down and investigate just the Neighbors and Relationships that are relevant.|
|Clear||This will remove a selected Element (and its connected Neighbors if present) from the Graph. Useful to de-clutter the Canvas. Use the Shift key and mouse to select multiple Elements for clearing|
|Group||Useful tool to create one or more groups of elements that can be minimised and expanded on a double-click action|
|Insert Neighbors||To extend the Neighbors currently displayed for an Element.|
|Insert Relationships||To extend the Relationships currently displayed for an Element.|
|Exclude||Brings up a second menu of Classes available to exclude therefore potentially removing a lot of clutter from the Canvas|
The toolbar at the top of the screen is an easy way to navigate and use Investigation. Moving from left to right, the icons are responsible for the following:
|Select||The first icon in the toolbar, is used to change the mouse pointer for selection of one or more Elements on the Canvas. Used with the left-click option, multiple Elements that fit within a rectangle drawn on the Canvas can be selected.||esc or v|
|Zoom||Choose the magnifying glass icon, then click on the Canvas to increase the zoom ‘+’. Click and drag to draw a zoom selection.||z|
|Pan||Choose the ‘Pan’ icon, then click and drag your mouse over the Graph to move it around the Canvas.||n or hold spacebar|
|Clear Canvas||Use the ‘Clear Canvas’ icon to completely clear the Canvas of everything.||e|
|Redraw Graph||Use this at any time to refresh and redraw the Graph on your Canvas.||r|
|Select Elements by Keyword||Use this box to search and locate an Element by name. Press the Enter key, and it will be color highlighted on the Canvas||cmd/ctrl + f|
|Depth Level||Used to choose the appropriate level of complexity as follows; - Level 1 - displays the nearest neighbors only, and is the preferred option to start - Levels 2 & 3 - displays neighbors of neighbors||1, 2 or 3|
|Toggle Element Labels||Hides or shows all Element names on the Canvas||alt + l|
|Toggle Stories/Comments||Highlights Elements that are present in additional graphs with a red dot.||TBD|
|Toggle Theme||Use this to alternate between light and dark Canvas backgrounds.||alt + cmd/ctrl + 1|
|Toggle Search/Data panel||Hide/show panels to the left of the canvas, including Search and Data. This creates a larger working Canvas||alt + i|
|Toggle Timeline (bottom) Panel||Use this to hide/show the Timeline Panel.||t|
|Toggle Inspector (right) Panel||Use this to hide/show panels to the right of the Canvas, including Navigator, Inspector and Element List. This creates a larger working Canvas||alt + cmd/ctrl + 2|
Saving a Graph
At the top of the screen on the Global App bar, a menu can be revealed from the small ellipsis (...) menu. Click to reveal options including saving and opening Graphs.
Refer to the table below for descriptions on options in the ellipsis menu.
|New||Clear the canvas and begin a new Investigation|
|Open||Open an existing Saved Graph|
|Edit Details||Edits details of the Saved Graph|
|Save||Saves any uncommitted changes|
|Save As...||Allows the saving of a duplicate, or a modified Graph|
|Revert||Will revert to the previously saved copy of the graph|
|Share||Creates a unique url link to the Graph which can be shared with colleagues.|
|Clear Canvas||Will blank the Canvas (shortcut key ‘e’)|
|Clear History||Clears the History Panel cache. Useful if starting a new project.|
|Delete||Deletes the current Saved Graph.|
Help and Assistance with Investigation
At the top right of the Investigation screen you will find a 'question mark' icon. Click here to reveal some useful resources to aid your journey with Investigation.
- User Guide - This takes you directly to our Website and opens the User Guide document for this product.
- Keyboard Shortcuts - Using keyboard shortcuts will enhance the speed of your project. Remember this handy reference when working with Investigation.
- Contact Support - This offers a quick way to report any bugs you may find. If you wish to make an enhancement request, ensure that you use that title in your email. We always appreciate your feedback!
Keyboard Shortcut keys - Investigation
Use the table below for quick navigation of Investigation using your keyboard.
|Function||Mac OS||Windows OS|
|Select All in Class||s||s|
|Select All||cmd + a||ctrl + a|
|Element Neighbors L1||1||1|
|Element Neighbors L2||2||2|
|Element Neighbors L3||3||3|
|Clear All||cmd + e||ctrl + e|
|Group||cmd + g||ctrl + g|
|Ungroup||shift + cmd + e||shift + ctrl + e|
|Open Group||cmd + o||ctrl + o|
|Close Group||cmd + p||ctrl + p|
|Pan||space or n||space or n|
|Quickfind Elements||cmd + f||ctrl + f|
|Maximize Canvas||cmd + enter||ctrl + enter|
|Back||cmd + z||ctrl + z|
|Undo||alt + cmd + z||alt + ctrl + z|
|Redo||shift + cmd + z||ctrl + y|
|Zoom In||cmd `+`||ctrl `+`|
|Zoom Out||cmd -||ctrl -|
|Zoom to All||alt + 1||ctrl + 1|
|Zoom to Selected||alt + 2||ctrl + 2|
|Toggle Element Labels||alt + l||alt + l|
|Toggle Theme (dark/light)||alt + i||alt + i|
|Toggle Graphs/Comments||alt + u||alt + u|
|Toggle Search/Data panel||alt + cmd + 1||alt + ctrl + 1|
|Toggle Inspector Panel||alt + cmd + 2||alt + ctrl + 2|