Data investigation tools can allow cyber-analysts to make decisions based on information that is available from one or more data sources related to investigations. Analysts performing investigations based on one or more available data sources may manually correlate information, discern relationships, and gather insights about entities, events, and relationships between said entities and/or events. These investigations may be used to help an analyst identify and characterize cyber-threats, but manual methods are time consuming.
With the Noblis patented system, data investigations are performed by querying a plurality of data sources. A system receives an investigation input and queries a plurality of data sources in accordance with the received input. The system receives, in response to the querying, response data from the plurality of data sources, and generates and stores a data structure representing relationships between the first investigation input and the first response data. The data structure may be in the form of a knowledge graph. The system may generate and display a visualization of the data structure. The system may generate and store a record of investigation steps used to generate the data structure, such that the investigation steps may be applied in future instances, for example using different inputs, to generate new data structures.