Display Modes
Optic’s Research Tool provides various display modes so you can visualize your data in different ways. Many Research Tool features and options are consistent across all display modes; see the Navigation Basics section of the Optic Quick Tour for an overview of common features and menu options.
Tip
Use the Workspaces Tool to configure the number of results to show (as a load increment and a total value) for each display mode.
Select a Display Mode
Click the Display Mode Selector under the Storm query bar and select the display mode to use from the dropdown list.
Tip
When you change display modes, Synapse will preserve any query that is present in the query bar, but will not automatically re-run the query. Press Enter to re-run your query and display the results using the new display mode.
Automatically Re-Run Queries
You can configure Synapse to automatically re-run the current query when switching between display modes:
Click the Storm query bar menu (the three dots or “meatball menu”) on the right of the Storm query bar.
Select the checkbox next to the Autorun Query option.
Select / Deselect Nodes
Most display modes share a common set of menu options for selecting nodes. (Statistics display mode is the exception, because it displays summary data vs. individual nodes.)
These options are available under the Selection > option on the display mode hamburger menu (the three lines to the far right of the Display Mode Selector):
Selection > Select All selects all the nodes displayed in the Results Panel:
Selection > Invert Selection swaps your current selection (all selected nodes are deselected, and vice versa):
Selection > Clear Selection deselects any currently selected nodes:
Tip
The display mode hamburger menu may contain additional display mode-specific menu options, depending on your current display mode.
Tabular Display Mode
Tabular display mode (Tabular mode) allows you to visualize your data in a ‘rows and columns’ layout. It is most useful for:
easily viewing the data and tags in your results;
sorting results;
ad-hoc navigation or querying of the data;
exporting specific columns (as space- or newline-separated values) or tables (as CSV) of data.
If your results include different types of objects (forms), each form will have its own section or table in the Results Panel.
Tip
You can easily view a summary of your results or jump to a particular form using the Scroll to Form button.
Customize Your Tabular Mode Display
Every form in Synapse has its own set of properties - an IPv4 address is very different than a file. In addition, some forms have a large number of properties - too many to fit easily in one row of Tabular mode’s Results Panel. Finally, different properties (and tags!) may be more useful for different types of analysis.
You can fully customize the columns and / or tags displayed for each form in Tabular mode’s Results Panel. Any changes to the layout are saved as part of your current Workspace.
Tip
You can always view all of the properties and tags for a node by selecting the node in the Results Panel and viewing the full information in the Details Panel.
Details on configuring your Tabular mode layout can be found in the Research Tool - Tabular Display Mode section on how to Customize Your Environment.
Select Nodes in Tabular Mode
You can Select / Deselect Nodes using the menu options common to most display modes.
The following additional options apply to Tabular mode.
Select a Single Node
To select a single node, click the node in the Results Panel:
Tip
When selected, the node (row) background will change to a darker gray.
Select Multiple Nodes
Use shift-click to select a set of contiguous nodes or ctrl-click to select a set of arbitrary nodes:
Select All Nodes in Table
Click the hamburger menu next to the table header and choose Select all.
Explore Data in Tabular Mode
You can explore data in Tabular mode to identify other nodes that are “connected” (by shared properties or light edges) to the node(s) you explore from.
To explore from a node (or nodes), use any of the available methods to select / multi-select the nodes to explore from.
Click the Explore button next to any selected node:
Force Graph Display Mode
Force Graph display mode (Force Graph mode) allows you to visualize your results as a graph of objects (nodes) and relationships (“edges”).
When you run a query in Force Graph mode, Synapse displays:
all the nodes returned by your query;
a subset of nodes “one degree out” from your results (to help identify additional connections).
You can modify the appearance of your graph in various ways, including:
Pinning nodes in place;
Locking node labels so they remain visible;
Removing nodes from the graph display;
Adding data to the graph by exploring from nodes.
Tip
Because Synapse is a hypergraph (as opposed to a directed graph), Force Graph mode “flattens” the hypergraph into a “directed graph-like” display. Dots in the graph represent nodes, just as in a traditional directed graph. However, lines in Synapse’s Force Graph represent either a light edge (similar to a traditional directed edge) that links two nodes or a shared property between two nodes. For example, an FQDN is linked to its DNS A record by a line that represents the shared FQDN value.
Pause or Play Force Graph
As your results are populated, Synapse uses a physics engine (algorithm) to find the optimal layout for your graph (“force graph” is short for “force-directed graph”). This means the nodes will move around on their own until they find equilibrium:
Pause Force Graph
Click the pause button to stop the force graph movement:
Play / Resume Force Graph
Click the play button to resume the force graph movement and allow the graph to redistribute:
Navigating the Force Graph
Use your pointing device (mouse or touchpad) to navigate the force graph.
Zoom In or Out
With your cursor in the Results Panel, use your device’s scroll function (e.g., the scroll wheel on a mouse) to zoom in and out:
Move the Force Graph
With your cursor in the Results Panel, click and hold while you use your device to move the force graph:
Reset the Force Graph’s Position
To return the force graph to its original position, click the force graph hamburger menu (the three lines next to the play/pause button) and select Reset viewport:
Tip
The Reset viewport option resets the position of your existing force graph. If you have modified your graph any changes are preserved when you reset the viewport.
To reset the entire graph (i.e., display your full, original results), re-run your query in the Storm query bar.
View Node Information
In the Results Panel, use your device to hover over any node to temporarily highlight the node and its edges/connections and to display a tooltip with basic information about the node:
Select Nodes in the Force Graph
Selecting nodes in Force Graph mode is similar to selecting nodes in other display modes. As always, selecting a node in the Results Panel displays the node’s details in the Details Panel, and you can Select / Deselect Nodes using the display mode menu options common to most display modes.
In Force Graph, selecting nodes is closely related to two additional display options:
Pinning (or unpinning) a node - fixing the node in place even when the physics engine is active.
Displaying the node’s label (tooltip), including locking the label in place.
When you select individual nodes (i.e., select a single node, or use ctrl-click to select multiple individual nodes), the nodes are also pinned.
When you select multiple nodes (by drawing a box around them, or by using any menu-based selection options), the nodes are not pinned.
When you select any nodes (regardless of the method used), the nodes’ labels are displayed but not locked.
See the sections on Pin or Unpin Nodes and Lock or Unlock Labels for additional details.
Select a Single Node
Click on a node to select it.
Selecting a node (or selecting multiple nodes using ctrl-click) will also pin the nodes and display (but not lock) the nodes’ labels. When you select a node, the node and its edges / connections are highlighted with heavy lines (vs. thin lines on hover-over).
Select Multiple Nodes
To select multiple contiguous nodes, shift-click and hold and use your pointing device to draw a box around the nodes:
Locate and Select Specific Nodes
You can search / select nodes based on their form or primary property value.
From the display mode hamburger menu, choose Selection > Select nodes from string:
In the Select nodes from string dialog box, enter the string to search for and click Select:
Synapse will select any matching nodes:
Tip
When searching for and selecting nodes, you can search using:
The full form name (e.g.,
media:news) to find all nodes of a particular form;A full or partial string matching any portion of a node’s primary property.
When matching the primary property, you can match any part of the value (there is no minimum string length and you are not limited to matching by prefix or token).
You can match any primary property that is a singular value (including guid values from guid-based nodes).
Currently, this feature will not match primary property values from composite (comp) forms (such as inet:dns:a
nodes).
Pin or Unpin Nodes
Pin a Node
To pin an individual node, select the node:
Tip
Selecting a node will pin the node, but deselecting the node does not automatically unpin it.
Unpin a Node
To unpin a node (or a set of selected nodes), right-click the node and choose unpin node from the context menu:
Tip
Unpinning a node does not automatically deselect the node.
You can unpin all nodes by selecting the option from the display mode hamburger menu:
Lock or Unlock Labels
Locking a label ensures that the label will remain visible when you deselect the node / select another node.
Lock a Label
To lock a node’s label (or the labels for a set of selected nodes), right-click the node and choose lock label (or lock labels) from the context menu:
Unlock a Label
To unlock a node’s label (or the labels for a set of selected nodes), right-click the node and choose unlock label (or unlock labels) from the context menu:
The label(s) will be removed the next time you select a node (or deselect any currently selected nodes).
Modify Your Graph
You can modify the appearance of your graph by removing individual nodes or sets of nodes.
Tip
Removing a node from Force Graph does not delete the node from Synapse; it simply removes the node from your display.
The Force Graph display mode hamburger menu includes both Undo and Redo options that allow you to modify recent actions without having to reset your entire graph (i.e., by re-running your original query):
Remove an Individual Node
To remove a node (or nodes), right-click the node and choose remove node from the context menu:
Remove a Group of Nodes
Select the set of nodes to remove using any of the available multi-select options.
Right-click any selected node and choose remove node from the context menu:
Tip
If you want to preserve only a small subset of nodes, you can select the nodes you want to keep and use the Invert Selection option to switch your selection and allow removal of large numbers of nodes.
Explore Data Using the Force Graph
You can explore data in Force Graph mode, similar to the way you Explore Data in Tabular Mode. When you explore in Force Graph, Synapse adds any nodes that are “connected” (by shared properties or light edges) to the node(s) you explore from.
Tip
Exploring from a “highly connected” may cause Force Graph to add a large amount of data to your Results Panel. You can limit the number of results that Force Graph will load before pausing or stopping.
The Force Graph display mode hamburger menu includes both Undo and Redo options that allow you to modify recent actions without having to reset your entire graph (i.e., by re-running your original query).
Explore from a Node
To explore from a node, right-click the node and choose explore node from the context menu:
Tip
You can also double-click any node to explore from that node.
Explore from Multiple Nodes
To explore from multiple nodes, use any of the methods to multi-select nodes.
Right-click any selected node and choose explore node from the context menu:
