Version: Spectra Analyze 9.8.1

Graph

Overview

The Graph page is accessible from the top navigation menu.

It provides an interactive visualization of relationships between malware samples, files, domains, IPs, and other entities. Users can create, view, and manage graphs to explore these connections.

The landing page displays a list of saved graphs, each represented by a thumbnail preview, name, creator, and last modified date. On this page, users can do the following:

  • Search by graph name using the search bar at the top.
  • Create graphs by clicking + New graph.
  • Share graphs by copying links to individual graphs under ☰ > Copy link.
  • Delete individual graphs by clicking ☰ > Delete.
  • Bulk delete graphs by checking the boxes next to the graphs and clicking Delete.

Select any existing graph or create a new one to get started.

Graph navigation

Use the mouse to navigate: click and drag the canvas to move around, scroll to zoom in or out, and click and drag the nodes to move them around.

Click a node to open a sidebar on the right side of the canvas, providing information on that specific node. Right-click a node to access the context menu with options specific to that node. Control nodes, for example, offer options to Load more child nodes or Export a list of them.

Nodes

Root nodes

For graphs created by adding a single hash or by navigating from the sample summary page, the icon in the center of the graph represents the sample. Sample nodes are also known as root nodes, as they serve as the starting points in the graph.

To add more root nodes to the graph, enter a hash into the Graph search bar and click +, or promote an existing file node to a new root node. The Graph search only accepts valid SHA-1 hashes.

Other file nodes appear on the graph because they have some relationship to a root node. These can be promoted to root nodes via the sidebar or right-click menu by selecting Expand or Fetch & Analyze (for cloud samples). Promoting a file node to a new root node adds its control nodes and integrates its relationships into the existing graph.

Control nodes

Root nodes branch into control nodes, each representing a distinct type of relationship.

Control nodes act as entry points for exploring data. Each node is visualized as a color-coded pie chart showing the number of subnodes per classification: goodware, suspicious, malicious, or unknown. Initially, each control node displays up to 20 unique subnodes.

For cloud samples, fewer control nodes are available until the sample is fetched and analyzed, either from the node sidebar or from the search page, after which additional relationship data is displayed.

The available control nodes are:

  • Dropped files
  • Extracted Files
  • Parents and Sources
  • (RHA) Similarity
  • Static Network References
  • Dynamic Network References
  • Network References: Contacted URLs, Domains and IPs

The sidebar provides details and actions based on the selected node:

  • Control nodes show statistics on subnodes.
  • Extracted file nodes display file reputation and threat names.
  • Network reference nodes provide third-party reputations and classification reasons. When available, network reference nodes for extracted and contacted IP addresses display their country of origin.

To load more subnodes, select a control node and click Show more.

Highlighted and underlined items in the sidebar can be clicked to navigate to a different sample summary page, or to perform an advanced search query.

Filtering

Graphs can be filtered by classification, file type, or file name. The filtering options are accessible via the Show Filters button in the top left of the canvas.

Saving and updating

When working on a new graph, click Save to open the save dialog and give the graph a name. When you open a saved graph, it loads all references from the previous session, plus any new ones discovered since then.