Working with Actions on the Investigation Canvas

  • Release version: Zurich
  • Updated July 31, 2025
  • 8 minutes to read
  • This section describes the various actions that you can perform on the investigation canvas.

    Investigation canvas includes:
    1. Form actions
    2. Graph actions
    3. Node actions
    4. Edge actions
    5. Toolbar actions
    Figure 1. Investigation Canvas
    TISC Investigation canvas view.
    Table 1. Investigation canvas Form actions
    Action Operation
    Link Case Allows you to link case on the investigation canvas.
    Unlink Case Allows you to unlink the case on the investigation canvas.
    Save Option to save the case record.
    Duplicate Option to duplicate the nodes and edges on the investigation canvas.
    Delete Option to delete the canvas.
    Whenever a record is deleted from the backend or library, the same record is automatically removed from all active canvases. Also, a message is posted on the activity stream with node type, node value, and a notification that the record was deleted from the library and removed from the canvas.
    Note:
    The activity stream provides real time notifications of the deletions, keeping all the analysts aware of changes on the canvas.
    Table 2. Investigation canvas Graph actions
    Action Operation
    Find on map Allows you to search through different nodes and edges.
    Canvas Filter

    The Filter functionality helps you refine your view on the investigation canvas.

    For example, if you filter out a record type such as Campaign, it is temporarily removed from the canvas display.

    By applying filters, you can control which types of entities or records are shown on the map, enabling a cleaner and more focused investigation experience.
    Note:
    Use filters to highlight only the most relevant nodes such as observables or threat actors or internal intelligence records while temporarily hiding less critical information on the canvas.
    Save Canvas Allows you to save the investigation canvas.
    Add Data to Library This option allows you to add data to the library.

    All the changes made on the canvas including the new nodes, new links between nodes, and any edited or modified edge labels will be saved to the library.

    All nodes currently present on the canvas will be added as artifacts to the linked case.

    A confirmation message will be displayed once the data is successfully saved to the library.
    Add From Library This action will add the threat intelligence library data and also establish the relationship between the new node imported from the threat intelligence library and the existing nodes on the investigation canvas.
    Add From Case Artifacts Allows you to add data from corresponding case artifacts that is linked to the canvas.
    Unlink Canvas When an investigation canvas is linked to a case and opened from the case view then this option allows you to remove the association between the investigation canvas and the case.

    The canvas remains available in the application, but it is no longer linked to the current case.

    Rename When an investigation canvas is linked to a case and opened from the case view then this option allows you to rename the investigation canvas from the case.
    Mark as Closed When an investigation canvas is linked to a case and opened from the case view then this option allows to set the investigation canvas record to Closed from the case.

    This action is typically used when the investigation for that canvas is complete and no further updates are expected.

    Add New Node Allows you to add new entities, including observables or objects, from the investigation canvas.
    Add From Internal Intelligence Allows you to add internal intelligence from systems, applications, and security tools to the Investigation Canvas.
    Table 3. Investigation Canvas Node actions
    Action Operation
    Mark as Home Node This option allows you to mark a specific node as the home node on the Investigation Canvas.

    When pivoting during analysis, the application automatically highlights and centers the home node, bringing it into focus at the center of the canvas.

    The focused node is visually emphasized through:
    • A distinct border
    • Highlighting
    • A subtle circular motion animation
    This makes it easier to identify and explore the canvas data related to the primary focus of your investigation.
    Add Relationship This option allows you to add custom relationships between nodes on the Investigation Canvas. You can define relationship types such as:
    • One-to-many
    • Many-to-one
    • Many-to-many
    This helps represent complex associations between entities.
    Show Details This option allows you to view detailed information about the selected node on the Investigation Canvas, including its attributes and any associated observables or relationships.
    Open Record This option allows you to open the selected record in a new browser tab for easier reference and multitasking.
    Remove from Canvas This option allows you to remove one or multiple selected nodes from the investigation canvas, effectively deleting them from the current view.
    Fetch Related Records This option allows you to fetch related records for a specific node and add them directly to the investigation canvas using the Fetching Related Records for dialogue box.
    Important:
    The Fetch Related Records feature is available for all object types except new nodes (the nodes that are not added to the library). Within this section, the Internal Intelligence option is restricted to Observables and Vulnerabilities only.

    In the Fetch Related Records view, a sub header presents the node type and node value to provide a clear context for the related records displayed.

    Select Add All option to automatically includes all the observables or object or internal intelligence related record types into the given selection box.

    Considering an use case here, if a Vulnerability node has no related records, then the input values are disabled and a message is displayed indicating that there are no observables to fetch.
    Note:
    The above use case applies only to observables. All other entity types will display their corresponding related records.

    For example, if there are 5 to 10 different types of related records, you will have to manually select each object type. The Add All feature streamlines this process by populating all the relevant records at once, improving the user experience. After adding records, you can remove them or select the Expand option to view the related nodes.

    However to enhance the usability, you can now select Expand All to instantly expand all the related records linked to a node, instead of manually adding or expanding the records.

    Edit Timeline Event(s) This option allows you to add/update timeline to canvas.
    Note:
    This option is not available for new node or internal intelligence nodes. This action is also not available when a new canvas is linked to a case.

    For detailed explanation on Timeline events, see Using Timeline in Investigation Canvas Adding Timeline Events to the Canvas.

    Table 4. Investigation Canvas Edge actions
    Action Operation
    Edit This option allows you to edit and modify the label of an edge on the Investigation Canvas, enabling clearer representation of relationships between nodes.
    Remove This option allows you to remove an edge from the Investigation Canvas, effectively deleting the visual connection between two nodes.
    Table 5. Investigation Canvas Toolbar icons
    Action Operation
    Zoom in Option to zoom in the investigation canvas to easily focus on specific areas of the canvas.
    Zoom out Option to zoom out the investigation canvas to easily focus on specific areas of the canvas.
    Fit to screen Option to fit the investigation canvas to the screen size.
    Export map Option to export the investigation canvas as a PDF or image (JPG or PNG) for better viewing.
    Refresh The Refresh option allows you refresh and reload the data from the library onto the Investigation Canvas.
    Note:
    A confirmation pop up notifies you that any unsaved changes on the canvas will be lost if you refresh without saving. It is recommended to save your canvas before refreshing to avoid data loss.
    Clear Canvas Allows you to clear the canvas.

    This selection will temporarily remove the nodes from the investigation canvas.

    A confirmation message is displayed, prompting you to confirm whether you want to clear the canvas. Acknowledge the message to proceed.

    Note:
    After making changes on the investigation canvas, you must Save the canvas. If the changes are not saved and if you refresh the canvas then it will revert to its previous state, and any unsaved nodes or modifications will be lost.
    Legend This option provides you a visual representation of the nodes and entities currently displayed on the Investigation Canvas. The legend includes two key views:
    • Node and Link Representation: Displays how different node types appear on the canvas and how they are connected via edges. This helps you quickly understand the structure and relationship between various elements in the investigation.
    • Entities Representation: Shows the types of entities currently present on the canvas (Observables, Indicators, and objects).
    • Internal Intelligence: Shows the internal intelligence records associated with the Canvas.

    The following illustrates the legends for node, entities, and internal intelligence representations:TISC Investigation Canvas legends representation

    Figure 2. Entities representation
    Entities representation

    Grouping or Ungrouping records from Investigation Canvas

    The grouping feature allows you to organize nodes for easier analysis. A grouping button appears next to nodes that support grouping. By default, this button displays a minus (−) icon on the Canvas, indicating that the connected nodes can be collapsed into a group.

    Any outdegree node would be considered for a group.
    Note:
    The group icon is introduced to reduce clutter on the canvas and simplify navigation during critical investigations. For nodes without additional edges (connections), the grouping button is not displayed since there are no related nodes available to group.

    The following table explains the guidelines while grouping or ungrouping the nodes:

    Action Result
    Grouping a Node
    • All child nodes with only one parent (even across multiple levels) will be hidden within the group.
    • Nodes with multiple parents remain visible, but connections from the group to them will be hidden.
    Ungrouping a Node
    • Reveals all previously hidden nodes with one parent and their connections.
    • If nodes with multiple parents were already visible, their hidden connections will also be restored.
    Importing Node/ Fetch Related records Automatically expands a collapsed group if the new node connects to a hidden node within it.
    Allowed Actions Grouped nodes support the Show Details action, which displays information about the parent node. You can also remove individual nodes from the canvas.
    Filter Filtering non-grouped nodes follows standard filtering behavior, while still respecting grouping rules.

    Filtering a grouped node hides the entire group and its child node.

    Other Actions Actions such as removing a node or modifying edges follow all grouping rules and behaviors.