Filtering nodes in the graph
VirusTotal Graph lets you filter the nodes in your Graph by selected attributes. This reduces the overall noise and lets you focus on the nodes that interest you most. More filters will come in the future; tell us what you would like to see first!
You can filter all the nodes in the Graph or a given selection of nodes. You can select nodes as usual (Shift+drag mouse) or select a relationship node to filter its children.
The Filters drawer is displayed automatically on the right side of the workspace. You can open or close the Filters at any time by pressing the Filters icon to the right of the Search Bar or the Filter icon in a node's drawer actions.
The following filters are available:
- File type
- Entity type
- Relationship type
- Detections
- First seen
- Last seen
For First seen / Last seen, you will find a timeline divided into buckets showing how many nodes fall into each of them. Use the buckets to adjust your time window and filter the nodes in the Graph accordingly.
The additional filters are based on an aggregation of the elements that exist in your Graph, such as the type of node. Next to each filter value you can find the total number of entities in your Graph that have that value (for example, 29 URL nodes) as well as the number of nodes that have that value AND are detected as malicious by at least one AV engine (in the image below, that applies to 19 of the URLs in the Graph).
Each filter provides three options:
- OR: When one or multiple OR conditions are selected, a node must match at least one of them to be visible.
- AND: When one or multiple AND conditions are selected, a node must match all of them to be visible.
- NOT: When one or multiple NOT conditions are selected, a node must not match any of them to be visible.
At the top of each filter you will find a RESET button that clears the current filter status.
After a filter is applied, the Graph is updated automatically. Similarly, when you click “Removed filtered nodes”, the nodes that are not visible in the Graph are removed and the filters are reset. You can start over and replay the filtering flow from there.
You can also chain different filters based on selections. Let's say you filter a Resolutions relationship to get only the IP addresses with +5 detections. You can then select another batch of nodes and apply other filters to it, and both filters are applied independently. A Filter selection chip per filtered selection appears at the top of the workspace, indicating that several filters coexist. Click a chip to show the Filters in the context of that selection.
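The following Python is an added example, not VirusTotal code and not a use of its API: it models the OR/AND/NOT options, the per-selection chaining and the per-type counts described above on a constructed set of nodes. The `Node` and `Filter` classes, their field names and the sample data are hypothetical, and it assumes that the three options combine as a conjunction, that a node outside a selection is unaffected by that selection's filter, and that "+5" means at least 5.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Node:                       # hypothetical local model of a graph node
    id: str
    entity_type: str              # "file", "url", "domain" or "ip_address"
    detections: int               # AV engines flagging the node

@dataclass
class Filter:
    any_of: list = field(default_factory=list)    # OR conditions
    all_of: list = field(default_factory=list)    # AND conditions
    none_of: list = field(default_factory=list)   # NOT conditions

    def matches(self, node):
        # An empty OR list imposes no constraint, like an unset filter.
        if self.any_of and not any(c(node) for c in self.any_of):
            return False
        if not all(c(node) for c in self.all_of):
            return False
        return not any(c(node) for c in self.none_of)

def visible(nodes, scoped_filters):
    """scoped_filters: (selection_ids or None for the whole graph, Filter) pairs.
    Assumption: a node outside a selection is untouched by that filter."""
    return [n.id for n in nodes
            if all(f.matches(n) for sel, f in scoped_filters
                   if sel is None or n.id in sel)]

def facet_counts(nodes):
    """Per entity type: (total nodes, nodes detected by at least one engine)."""
    counts = {}
    for n in nodes:
        total, detected = counts.get(n.entity_type, (0, 0))
        counts[n.entity_type] = (total + 1, detected + int(n.detections > 0))
    return counts

# Constructed sample graph.
NODES = [Node("ip-a", "ip_address", 9), Node("ip-b", "ip_address", 0),
         Node("ip-c", "ip_address", 12), Node("url-a", "url", 3),
         Node("url-b", "url", 0), Node("file-a", "file", 40),
         Node("dom-a", "domain", 0)]
SCOPED = [
    # Children of a Resolutions relationship; "+5" read as at least 5 (assumption).
    ({"ip-a", "ip-b", "ip-c"}, Filter(all_of=[lambda n: n.detections >= 5])),
    # A second, independent selection: URLs only, excluding undetected nodes.
    ({"url-a", "url-b", "file-a"},
     Filter(any_of=[lambda n: n.entity_type == "url"],
            none_of=[lambda n: n.detections == 0])),
]

if __name__ == "__main__":
    print(visible(NODES, SCOPED))
    print(facet_counts(NODES))
```

The domain node stays visible because it belongs to neither selection, while `file-a` is hidden by the OR condition of the second selection even though it has the most detections.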
Looking for other ways to filter?
Your suggestions are very valuable to us. Please send us the filter types you are missing, or any other feedback, via our contact form.