Working with Actions on the Investigation Canvas

  • Release version: Zurich
  • Updated July 31, 2025
  • 8 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Working with Actions on the Investigation Canvas

    The Investigation Canvas in ServiceNow Zurich release provides a dynamic workspace for security analysts to visualize, investigate, and manage case-related data through multiple interactive actions. These actions are categorized into Form actions, Graph actions, Node actions, Edge actions, and Toolbar actions, each enabling specific operations to enhance investigation efficiency and clarity.

    Show full answer Show less

    Form Actions

    • Link/Unlink Case: Connect or disconnect the canvas from a case.
    • Save: Persist changes to the case record.
    • Duplicate: Copy nodes and edges for parallel analysis.
    • Delete: Remove the entire canvas; backend deletions sync automatically and notify analysts via the activity stream for real-time awareness.

    Graph Actions

    • Find on Map: Search nodes and edges to quickly locate elements.
    • Canvas Filter: Temporarily hide or show specific entity types, improving focus on relevant data like observables or threat actors.
    • Save Canvas: Save all canvas changes including new nodes, edges, and labels to the library and link artifacts to the case.
    • Add Data: Import data from the threat intelligence library, case artifacts, or internal intelligence sources directly onto the canvas, establishing relationships automatically.
    • Unlink Canvas: Disassociate the canvas from a case while retaining it in the application.
    • Rename and Mark as Closed: Rename the canvas or set it to closed status from the case view when investigations conclude.
    • Add New Node: Create new entities such as observables or objects directly on the canvas.

    Node Actions

    • Mark as Home Node: Designate a focal node that is automatically centered and highlighted during analysis for easy reference.
    • Add Relationship: Define complex associations (one-to-many, many-to-one, many-to-many) between nodes.
    • Show Details: View detailed node attributes and related data.
    • Open Record: Open the node’s record in a new browser tab for multitasking.
    • Remove from Canvas: Delete selected nodes from the current view.
    • Fetch Related Records: Import related records to the canvas efficiently, with bulk add and expand options to improve usability. This feature excludes new nodes and restricts internal intelligence to observables and vulnerabilities.
    • Edit Timeline Events: Add or update timeline events on applicable nodes to enrich investigative context (not available for new or internal intelligence nodes or newly linked canvases).

    Edge Actions

    • Edit: Modify labels on edges to clarify relationships.
    • Remove: Delete connections between nodes as needed.

    Toolbar Actions

    • Zoom In/Out & Fit to Screen: Control canvas view for better focus and navigation.
    • Export Map: Export the canvas as PDF or image formats for sharing or documentation.
    • Refresh: Reload canvas data from the library, with warning to save changes beforehand to avoid data loss.
    • Clear Canvas: Temporarily remove all nodes with confirmation to simplify starting fresh.
    • Legend: View visual representation of node types, entity categories, and internal intelligence present on the canvas for quick orientation.

    Grouping and Ungrouping Nodes

    Grouping organizes related nodes to reduce canvas clutter and streamline investigations:

    • Nodes with a single parent can be collapsed into groups, hiding subordinate nodes and connections.
    • Ungrouping reveals previously hidden nodes and connections.
    • New nodes or fetched related records automatically expand relevant groups for immediate visibility.
    • Grouped nodes support key actions such as showing details and removal, while filtering respects grouping rules by hiding entire groups when applied.
    • Grouping improves navigation and analysis efficiency during complex investigations by managing visual complexity.

    By leveraging these comprehensive actions, ServiceNow customers can effectively manage and analyze complex case data on the Investigation Canvas, ensuring clarity, collaboration, and real-time awareness throughout the investigative process.

    This section describes the various actions that you can perform on the investigation canvas.

    Investigation canvas includes:
    1. Form actions
    2. Graph actions
    3. Node actions
    4. Edge actions
    5. Toolbar actions
    Figure 1. Investigation Canvas
    TISC Investigation canvas view.
    Table 1. Investigation canvas Form actions
    Action Operation
    Link Case Allows you to link case on the investigation canvas.
    Unlink Case Allows you to unlink the case on the investigation canvas.
    Save Option to save the case record.
    Duplicate Option to duplicate the nodes and edges on the investigation canvas.
    Delete Option to delete the canvas.
    Whenever a record is deleted from the backend or library, the same record is automatically removed from all active canvases. Also, a message is posted on the activity stream with node type, node value, and a notification that the record was deleted from the library and removed from the canvas.
    Note:
    The activity stream provides real time notifications of the deletions, keeping all the analysts aware of changes on the canvas.
    Table 2. Investigation canvas Graph actions
    Action Operation
    Find on map Allows you to search through different nodes and edges.
    Canvas Filter

    The Filter functionality helps you refine your view on the investigation canvas.

    For example, if you filter out a record type such as Campaign, it is temporarily removed from the canvas display.

    By applying filters, you can control which types of entities or records are shown on the map, enabling a cleaner and more focused investigation experience.
    Note:
    Use filters to highlight only the most relevant nodes such as observables or threat actors or internal intelligence records while temporarily hiding less critical information on the canvas.
    Save Canvas Allows you to save the investigation canvas.
    Add Data to Library This option allows you to add data to the library.

    All the changes made on the canvas including the new nodes, new links between nodes, and any edited or modified edge labels will be saved to the library.

    All nodes currently present on the canvas will be added as artifacts to the linked case.

    A confirmation message will be displayed once the data is successfully saved to the library.
    Add From Library This action will add the threat intelligence library data and also establish the relationship between the new node imported from the threat intelligence library and the existing nodes on the investigation canvas.
    Add From Case Artifacts Allows you to add data from corresponding case artifacts that is linked to the canvas.
    Unlink Canvas When an investigation canvas is linked to a case and opened from the case view then this option allows you to remove the association between the investigation canvas and the case.

    The canvas remains available in the application, but it is no longer linked to the current case.
    Rename When an investigation canvas is linked to a case and opened from the case view then this option allows you to rename the investigation canvas from the case.
    Mark as Closed When an investigation canvas is linked to a case and opened from the case view then this option allows to set the investigation canvas record to Closed from the case.

    This action is typically used when the investigation for that canvas is complete and no further updates are expected.
    Add New Node Allows you to add new entities, including observables or objects, from the investigation canvas.
    Add From Internal Intelligence Allows you to add internal intelligence from systems, applications, and security tools to the Investigation Canvas.
    Table 3. Investigation Canvas Node actions
    Action Operation
    Mark as Home Node This option allows you to mark a specific node as the home node on the Investigation Canvas.

    When pivoting during analysis, the application automatically highlights and centers the home node, bringing it into focus at the center of the canvas.

    The focused node is visually emphasized through:
    • A distinct border
    • Highlighting
    • A subtle circular motion animation
    This makes it easier to identify and explore the canvas data related to the primary focus of your investigation.
    Add Relationship This option allows you to add custom relationships between nodes on the Investigation Canvas. You can define relationship types such as:
    • One-to-many
    • Many-to-one
    • Many-to-many
    This helps represent complex associations between entities.
    Show Details This option allows you to view detailed information about the selected node on the Investigation Canvas, including its attributes and any associated observables or relationships.
    Open Record This option allows you to open the selected record in a new browser tab for easier reference and multitasking.
    Remove from Canvas This option allows you to remove one or multiple selected nodes from the investigation canvas, effectively deleting them from the current view.
    Fetch Related Records This option allows you to fetch related records for a specific node and add them directly to the investigation canvas using the Fetching Related Records for dialogue box.
    Important:
    The Fetch Related Records feature is available for all object types except new nodes (the nodes that are not added to the library). Within this section, the Internal Intelligence option is restricted to Observables and Vulnerabilities only.

    In the Fetch Related Records view, a sub header presents the node type and node value to provide a clear context for the related records displayed.

    Select Add All option to automatically includes all the observables or object or internal intelligence related record types into the given selection box.

    Considering an use case here, if a Vulnerability node has no related records, then the input values are disabled and a message is displayed indicating that there are no observables to fetch.
    Note:
    The above use case applies only to observables. All other entity types will display their corresponding related records.

    For example, if there are 5 to 10 different types of related records, you will have to manually select each object type. The Add All feature streamlines this process by populating all the relevant records at once, improving the user experience. After adding records, you can remove them or select the Expand option to view the related nodes.

    However to enhance the usability, you can now select Expand All to instantly expand all the related records linked to a node, instead of manually adding or expanding the records.
    Edit Timeline Event(s) This option allows you to add/update timeline to canvas.
    Note:
    This option is not available for new node or internal intelligence nodes. This action is also not available when a new canvas is linked to a case.

    For detailed explanation on Timeline events, see Using Timeline in Investigation Canvas Adding Timeline Events to the Canvas.
    Table 4. Investigation Canvas Edge actions
    Action Operation
    Edit This option allows you to edit and modify the label of an edge on the Investigation Canvas, enabling clearer representation of relationships between nodes.
    Remove This option allows you to remove an edge from the Investigation Canvas, effectively deleting the visual connection between two nodes.
    Table 5. Investigation Canvas Toolbar icons
    Action Operation
    Zoom in Option to zoom in the investigation canvas to easily focus on specific areas of the canvas.
    Zoom out Option to zoom out the investigation canvas to easily focus on specific areas of the canvas.
    Fit to screen Option to fit the investigation canvas to the screen size.
    Export map Option to export the investigation canvas as a PDF or image (JPG or PNG) for better viewing.
    Refresh The Refresh option allows you refresh and reload the data from the library onto the Investigation Canvas.
    Note:
    A confirmation pop up notifies you that any unsaved changes on the canvas will be lost if you refresh without saving. It is recommended to save your canvas before refreshing to avoid data loss.
    Clear Canvas Allows you to clear the canvas.

    This selection will temporarily remove the nodes from the investigation canvas.

    A confirmation message is displayed, prompting you to confirm whether you want to clear the canvas. Acknowledge the message to proceed.

    Note:
    After making changes on the investigation canvas, you must Save the canvas. If the changes are not saved and if you refresh the canvas then it will revert to its previous state, and any unsaved nodes or modifications will be lost.
    Legend This option provides you a visual representation of the nodes and entities currently displayed on the Investigation Canvas. The legend includes two key views:
    • Node and Link Representation: Displays how different node types appear on the canvas and how they are connected via edges. This helps you quickly understand the structure and relationship between various elements in the investigation.
    • Entities Representation: Shows the types of entities currently present on the canvas (Observables, Indicators, and objects).
    • Internal Intelligence: Shows the internal intelligence records associated with the Canvas.

    The following illustrates the legends for node, entities, and internal intelligence representations:TISC Investigation Canvas legends representation

    Figure 2. Entities representation
    Entities representation

    Grouping or Ungrouping records from Investigation Canvas

    The grouping feature allows you to organize nodes for easier analysis. A grouping button appears next to nodes that support grouping. By default, this button displays a minus (−) icon on the Canvas, indicating that the connected nodes can be collapsed into a group.

    Any outdegree node would be considered for a group.
    Note:
    The group icon is introduced to reduce clutter on the canvas and simplify navigation during critical investigations. For nodes without additional edges (connections), the grouping button is not displayed since there are no related nodes available to group.

    The following table explains the guidelines while grouping or ungrouping the nodes:

    Action Result
    Grouping a Node
    • All child nodes with only one parent (even across multiple levels) will be hidden within the group.
    • Nodes with multiple parents remain visible, but connections from the group to them will be hidden.
    Ungrouping a Node
    • Reveals all previously hidden nodes with one parent and their connections.
    • If nodes with multiple parents were already visible, their hidden connections will also be restored.
    Importing Node/ Fetch Related records Automatically expands a collapsed group if the new node connects to a hidden node within it.
    Allowed Actions Grouped nodes support the Show Details action, which displays information about the parent node. You can also remove individual nodes from the canvas.
    Filter Filtering non-grouped nodes follows standard filtering behavior, while still respecting grouping rules.

    Filtering a grouped node hides the entire group and its child node.
    Other Actions Actions such as removing a node or modifying edges follow all grouping rules and behaviors.