Templates Introduction

Investigation templates bring a lightweight form of automation to investigations. They work just like regular investigations, except they add a few key features that, combined with existing investigation features, unlock useful workflows.

For even friendlier templates that analysts are more comfortable tweaking, consider replacing individual base pivots with custom pivots.

Sample workflows

  • In-tool: Create a base template such as for looking at an account, and instantiate whenever you are investigating a new account
  • From an alert email or dashboard: Include a link to a 360 view for that alert or involved entities, and center it on the time range of the incident
  • Splunk UI: Teach Splunk to include 360 views whenever it mentions an account, IP, or alert

Create a template

Any investigation can be reused as a template. From an investigation (or `save-a-copy` of one), in the investigation details, check `Template`. When you save and return to the content home, it should have moved into the top `Templates` section.

Manual: Instantiate a template

From the content home, navigate to your template and press the `new` button. This creates a new investigation based on the most recent version of the template, similar to how `clone` works on an investigation. Editing a template later does not touch investigations that were already instantiated from it.

Best practices

Manual data for first step

Make the first step an `Enter data` pivot so that most of the parameters can be supplied on it, for example through the instantiation URL. That step generates the initial graph, and the subsequent steps expand on it.

Multiple entry points

You can likely combine multiple templates into one. For example, in IT scenarios, 360 views for IPs, MAC addresses, and host names probably look the same. Make the first step create a graph from one or more of these, have the next steps derive one value type from the others (or a canonical ID), and let the remaining steps be shared.

Set time range and provide instructions

Analysts unfamiliar with your template would strongly benefit from instructions telling them what to modify (if anything) and how to use the investigation. Many options likely have sane defaults on a per-template basis, such as the time range, so we recommend including them in your URLs.

Naming

Generated investigations accumulate quickly, so content management can become an issue. Use a custom short description name, such as `name=%5BPhone%20360%5D%20555-5555` (=> `[Phone 360] 555-5555`). The generated investigations can then be easily searched and sorted.

Cross-linking

You can include templates as links within templates! For example, whenever a phone number node is generated, you can give it a `link` attribute whose value is `/pivot/template?investigation=...`, so that clicking the node opens a fresh phone 360 view.

Further reading

Continue on to: