Skip to main content
Version: 2.12.X

Using Link Analysis

The Link Analysis widget constructs charts visualizing networks of events. These charts show relationships between entities and help identify key nodes of interest or create insights about relationships. When combined with temporal analysis, charts also help illustrate how the network and relationships have changed over time.

A link chart requires entity and linkage event types, and is constructed automatically by patterns in Authoring that determine when and how entities are linked via linkage events.

It is possible for an entity to connect only through linkage events.

Assumptions

This guide assumes:

  • That data containing entity and linkage events has been ingested into Workstation with valid linkages.
  • That the Link Analysis widget is open in a working view.

Exploring link charts helps develop a deeper understanding of a network of events. Analysts may use simple controls or carry out advanced actions to glean more detail from the Link Analysis widget.

To view link charts between events:

  1. From an open view containing a Link Analysis widget, drag an entity or linkage event into the Link Analysis.
    • The style of each node and edge is determined by event decorations assigned to each event type.
    • If an event has a risk score, a small glyph is shown on each node that is color-coded to its risk level. Risk 0-24 is green, 25-49 is yellow, 50-74 is orange, and 75-100 is red.
  2. Four zones exist within the link analysis, each representing different query depths. Zone 1 queries the immediate links of the event dropped, zone 2 queries an additional layer deeper, and so on.

Note

For massive link graphs, it is recommended to start with a query depth of 1

  1. A link chart is constructed.
  2. Drag additional events onto the Link Analysis widget, or query additional links from any plotted node to build out the link chart further.
    • A glyph on each node shows the number of connections it has beneath the current level to indicate network size.
    • Double-click nodes to query one additional level in depth. Each node expands to show all connected nodes one level deeper into the network.

Basic Controls

Navigating around the Link Analysis widget usually involves panning to new areas, selecting or studying multiple nodes, and zooming into nodes or groups for deeper analysis.

At the upper left of the Link Analysis widget, find the following controls:

  • A circle containing up, down, left, and right arrows:
    • Click the corresponding arrow to pan the link analysis screen up, down, left, or right.
    • Alternatively, click and drag the background to pan the chart.
  • Click the middle circle of the arrow to return to the default link chart state. The middle circle also returns zoomed in or out charts to their default state.
  • A square icon with a hand (✋) or pointer icon (⬉) toggles the mouse cursor to be a pointer or a drag.
    • When in drag mode, (✋), click and drag the chart to move icons or the view.
    • When in pointer mode, (⬉), click and drag a box to select multiple nodes.
  • Click and drag the vertical slider to zoom in or out of the chart. Alternatively, use the scroll wheel to zoom in and out.

Interacting With Nodes

Each Workstation node has several associated features. The following list provides an overview of how to access them:

  • Click and drag events to reposition nodes on the chart. The chart expands and moves links as changes are made.
  • Right-click the background of the widget to open a context menu with several options:
    • Expand All expands all nodes (if there are certain nodes manually collapsed).
    • Cleanup Layout resets the views layout.
  • Right-click an entity event to open a context menu with the following controls:
    • Group Selected groups all selected nodes and collapses them into a single summary node. Double click the summary node to see its contents.
    • Group with Neighbors collapses the selected node into nearby nodes.
    • Remove Event removes the event from the view.
      • Press SHIFT + left click to select additional nodes, or use the mouse control to select multiple nodes.
      • Right click and select Remove Selected to remove all selected nodes.
      • Right click and select Remove all "event" Event Types, where "event" is the name of the event type, to remove all nodes that share the same event type.
    • Restart with Event is a shortcut for "Clear All Events" and dropping this event.
    • Show Near Links queries the node for its immediate neighbor.
    • Show Deep Links queries the node for neighbors 6-levels deep.
    • Send to sends the entity or linkage to an open Object Details Viewer. Select one from a list of open Object Details Viewer widgets if multiple instances of this widget exist.
  • Right-click a node to open a context menu with the Send to option. This sends the entity or linkage to an open Object Details Viewer. Select one from a list of open Object Details Viewer widgets if multiple instances of this widget exist.
  • If nodes are collapsed, double-click a group to show its contents. If nodes are expanded, double-click to hide them.

Viewing Neighbor Nodes

Connections between neighboring nodes can be viewed even when they are spread across a link chart.

To view neighbor nodes:

  1. From an open view containing a Link Analysis widget with a link chart constructed, left click a single node to view its immediate neighbor nodes.
    1. Press SHIFT + left click an additional node.
    2. Cogynt highlights all linkages between the selected nodes and dims all unrelated linkages. A dotted line between two selected nodes denotes the shortest connection between them. This line only appears when no more than two nodes are selected.
  2. Left click the background of the link analysis widget to clear all selected neighbor nodes.

Settings determine what the link chart shows, how entities can be grouped, and options affecting how the chart is visualized.

These options include:

  • Layout options include:
    • Standard charts contain nodes with consistent lengths, minimal edge overlap, and even distribution.
    • Organic charts feature larger components surrounded by a circle of smaller components to minimize whitespace and overlap.
    • Lens charts push highly connected nodes to the center of the chart, with less connected nodes outside.
    • Structural charts are similar to standard charts, but structural charts group nodes by similarity.
    • Tweak charts prevent node additions from subtly changing chart layout. This is useful for datasets consisting of 2,000 nodes or more.

Note

Grouping requires entity and linkage events with groupable data. Any nodes that do not have a field value for the field used in grouping will display outside the grouping.

  • Group By allows the selection of fields for grouping nodes.
    • Grouped nodes render as a summary node containing a count of all grouped events.
    • Double click to expand or collapse a group.
    • Multiple field selection is possible, but the order of fields toggled affects the order/level of grouping.

Info

The link chart may become non-performant at a high volume of data (20,000+ nodes). It is recommended to minimally utilize the Group By event definition to maintain performance at high volumes of data.

  • Show Entities allows analysts to hide or show entity nodes of a particular event type.
  • Show Linkage Events allows hiding or showing linkage event nodes of a particular event type.
  • Node Spacing manually adjusts the spacing of nodes. Lower values decrease the space between nodes, while higher values increase the space.
  • Chart Sizing allows the user to pick the sizing of nodes to use an automatic social network analysis algorithm or manual mode:
    • Betweeness measures the number of times a given node lies on the shortest path between other nodes, resizing nodes to indicate bridges between nodes in a network.
    • Closeness calculates the shortest paths between all nodes, and then assigns each node a score based on the sum of shortest paths from that node. The node's size reflects this score.
    • Degree centrality adjusts node size based on number of links the given node holds, providing a glimpse of one-hop connections to other nodes in the network.
    • Eigencentrality measures a node's influence based on the number of links it has to other nodes within the network, as well as that node's extended connections. Useful for visualizing the influence of a given node.
    • Page Rank functions similar to Eigencentrality, but takes link direction and weight into account. Useful for uncovering nodes with influence beyond any nodes directly connected to it.
    • Manual Sizing is the default selection where nodes are sized based on user defined settings such as entity or link node size.
  • Entity Node Size manually adjusts the size of entity nodes. Lower values decrease the size of the node, while higher values increase the node's size.
  • Link Node Size manually adjusts the size of link nodes. Lower values decrease link node size, while higher values increase link node size.
  • Combine Links attempts to aggregate linkage events between entities based on the number of occurrences of each linkage event between entities.

    Note

    This feature may not be helpful if the link graph contains linkage events that have more than two entities connected at once.

Did you find the information that you needed?