The Kaspersky Threat Intelligence Portal research graph is an analytical tool for visualizing relationships between various types of objects (files, web addresses, domains, or IP addresses) analyzed and detected during research.

The information in a graph is presented as nodes (for objects) and relationships that show the connections between the nodes. Each object on the research graph can be represented by only one node. Node types are described in the table below.

Research graph nodes




Node for representing an object on a research graph.


Additional node for displaying different variants of the parent object (file) node relationship to derived nodes.


Group nodes that unite several objects of the same type related to one parent object (for example, a group of files extracted from one archive).


When the research graph represents analysis results for the object submitted to Kaspersky Threat Intelligence Portal, this object is shown as the node of the research graph. This includes group nodes for the files transferred or dropped during file execution in the Kaspersky Sandbox, and groups of web addresses and domains accessed during execution.

You can create your own research graphs or edit existing graphs for the analyzed objects. Your personal limit for graphs is displayed on the Research Graph page. When you exceed your limit, you need to delete unnecessary research graphs or apply for a quota increase.

The research graph data is updated only based on the results of lookups initiated by the user editing the research graph.

