The graph sidebar is always found on the left-hand side of your graph window. It allows you to configure various view and layout options for your Maltego graphs. The image below provides labels for each of the items in the layout sidebar:
Graph Controls (1-3)
1. Full Screen Mode: Presents your Maltego Graph (Desktop) investigation screen in full screen mode. Alt + Enter pressed together on your keyboard will also enter full screen mode. Exit full screen mode by pressing Alt + Enter again on your keyboard.
2. Lock Layout: Locks all Entities that are currently on the graph from moving when Transforms return. The new Entities that are returned by Transforms will still be laid out.
3. Full vs Incremental Layout: This option should be used during collaborative sessions when you want to preserve your graph layout.
Layouts (4-8)
4. Block Layout
In this layout, nodes are shown using the following rules:
- Lowest level in hierarchy is shown in a block
- Sorted by Entity type and then Entity weight
An Entities' relevance is represented by the Entities' "weight". For example, Entities that are returned from any of the search engine Transforms will be weighted according to how relevant they are (their page rank).
The image below shows an example of block layout:
5. Hierarchical Layout
In hierarchical layout, Entities are grouped by layers that are stacked on top of each other. Think of this as a tree based layout – like a file manager.
6. Circular Layout
Nodes that are most central to the graph (e.g. most links) appear in the middle of circles with the other nodes scattered around it.
7. Organic Layout
In organic layout, nodes are packed tight together in such a way that the distance between each Entity and all the other Entities are minimized. The closer the Entities are to each other - the more connected they are.
8. Interactive Organic
This layout is a lot like the organic layout. Entities are positioned according to how connected they are to the rest of the graph.
The two differences between organic and interactive organic are:
- When new Entities are returned to the graph, only Entities that are closely connected to the returned Entities are moved instead of the Entire graph laying out every time new results are returned. For this reason, putting a graph into interactive organic layout will improve performance when dealing with larger graphs as less layout computation is required.
- Entities are not as tightly packed to each other as they are in organic layout.
The graph below shows the same graph as above, but in interactive organic layout. It can clearly be seen that the Entities are less tightly packed.
Freezing and Refreshing (9-10)
9. Freezing Graph
The freeze button is used when you have many nodes that are coming into the graph (e.g. running a lot of Transforms on many nodes) and don’t wish for the layout to be constantly updating. By delaying the layout, the application can process Transforms faster as it does not need to update the display after every Transform.
To unfreeze the graph simply press the same button and the graph will resume as normal.
10. Refresh Graph
Enabled when your graph is frozen and new Entities have been returned. Allows you to manually refresh the graph layout.
Views (11-18)
The next section in the layout sidebar is under View. Views are used to extract non-obvious information from large graphs – where the analyst cannot see clear relationships by manual inspection of data. Views can be used to determine the size and color of Entities based on different properties of the graph. It is possible to write your own views however is beyond the scope of this document. The seven views that come with Maltego out-the-box size Entities according to different properties and are explained below.
11. Normal View
When you are zoomed in close to Entities, the Entity icon will be rendered on the graph. When you zoom out to the Legend View, each Entity is represented by the same sized ball with a color that corresponds to the Entity type. This view is the default view when you start a new graph.
12. List View
The List View can be used as an alternative to the above Entity views as a way to view graph information in a tabular layout.
The behavior of the List View is the same as an Entity View. Items selected in the List View will appear in the Detail View.
The Entity selection behavior and functionality is identical between the Entity view and the list view. Changing from "Entity Selection" to "Link Selection" will display all the graph links in a List View instead of the Entities themselves.
In addition, the List View presents a Time Column. The Time Column is automatically shown when at least one (1) of the Entities has at least one (1) ‘temporal’ (time-related) property.
- Temporal property = date, datetime, daterange, date array.
- Display and copy is in the format yyyy-MM-dd HH:mm:ss.S Z.
- The Time column is not relevant to Graph Links.
- Only the start date is used for a property of type date-range.
- Oldest date is used when an Entity has multiple temporal properties, while the epoch date is ignored.
- The Time Column is hidden entirely if no Entity has a temporal property.
13. Diverse Descent
With diverse descent, Entities are sized according to the number of incoming links the Entity has. However, incoming links with different grandparent Entities are weighted higher. This is better explained with a graph.
In the image above, the IP address Entities are sized differently even though they both have two incoming links. The reason for this is that the IP address on the left has two incoming links that originate from two different sources while the IP address on the right has two incoming links but they both originate from the same source. There are many cases where this view is useful. In this case, it emphasizes IP addresses that are related to different domains.
14. Ball Size by All Links (Total Number of Links)
Entities are sized according to the total number of links (incoming and outgoing) it has. The more links an Entity has the bigger it is sized on the graph. The graph below shows the example graph using this view:
15. Ball Size by Incoming Links
Entities are sized according to the total number of incoming links they have. The more incoming links an Entity has - the bigger it is sized on the graph. The graph below shows the example graph using this view:
16. Ball size by Outgoing Links
Entities are sized according to the total number of outgoing links they have. The more outgoing links an Entity has - the bigger it is sized on the graph. The graph below shows the example graph using this view:
17. Ball Size by Entity Rank
This view will size Entities based on its own number of links and the sum of its neighbor's links. The graph below shows the example graph using this view:
18. Ball Size by Entity Weight
This view will size Entities based on the Entity’s weight. Some Transforms (such as the search engine ones) return a weight field that represents the relevance of the Entity. The graph below shows the results of a search engine Transform. As you can see from the graph, in block layout, the Entities are ordered according to their weight.