Kaspersky CyberTrace

Nodes and relationships

27 February 2024

ID 222183

Each graph consists of nodes (indicators, detections, and others), and relationships connecting the nodes. Both nodes and relationships can be added to a graph manually or as a result of transformation.


A node is a single point on a graph that may be linked to other points. There are different types of nodes, such as indicators, detections, or groups. Nodes of different types are displayed on the graph with different symbols. See the description of the different node types in the table below.

Node types




URL node icon in CyberTrace.


Standard CyberTrace indicators.


Hash node icon in CyberTrace.


IP node icon in CyberTrace.


External URL node icon in CyberTrace.

External URL

External indicator (observable) received from a source other than the Kaspersky CyberTrace database.

A graph can contain an external indicator and a standard CyberTrace indicator that have the same value.

External hash node icon in CyberTrace

External Hash

External IP node icon in CyberTrace.

External IP

Action/Detections node icon in CyberTrace.


An intermediate node between other nodes. This intermediate node appears as the result of a transformation.

Detection node icon in CyberTrace.


Detection event.

Report node icon in CyberTrace.


Report that contains information about the related indicator.

Group node icon in CyberTrace.


Several nodes grouped together.


Nodes are connected to each other with relationships. Relationships can be directed or undirected.

A directed relationship can lead only to nodes of the types Action and Detections. This kind of relationship appears when Kaspersky CyberTrace performs transformation and a new relationship leads from the initial node to the node added after the transformation.

For example, if a user launches a transformation in order to find detections related to an indicator, a directed relationship may appear leading from the indicator to a node of type Detections. In turn, the undirected relationships will connect the new Detections node with nodes of type Detection.

In most cases, the undirected relationship connects two nodes that have something in common.

For example, a dangerous file can have different hashes (MD5, SHA1, and SHA256), and each of them is a separate indicator of threat. All these nodes can be connected with undirected relationships.

You can create undirected relationships manually, whereas directed relationships can only be the result of transformation.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.