Javascript is required for MOREAL Online Documentation to function properly. Please enable Javascript by adjusting your browser settings.

Network Graph

An interactive network graph showing the most significant interactions (edges) and entities (nodes) in the monitored network. The most significant interactions are derived using a proprietary algorithm we call MOREAL GraphIQ which scores, ranks and finally selects the most interesting network activities and the involved network entities. In simple terms, the graph is built by examining the distribution of traffic in the last 2 hours and selecting the most frequent or “surprisingly”-frequent flows (IP-IP pairs), while also assigning more weight to the interactions having IPS threats and MOREAL alerts. For more information refer to the GraphIQ technical article.

Example of a Branch-level Network Graph

The network graph is currently refreshed every 15 minutes and is computed using the traffic activity, IPS threats and MOREAL alerts occurring in a 2-hours (sliding) window.

Graph aesthetics

The graph is decorated with meaningful aesthetics which help you distinguish the entities and their interactions by their type, magnitude and criticality. More specifically:

  • Node icon – currently, there are 4 classes of entities which are depicted with a different icon:
    • The managed assets are depicted with a “server rack” icon
    • Security and network appliances with a “network” icon
    • Other private IPs which are not assets are depicted with a “user” icon
    • Public IPs are depicted with an “earth/globe” icon
  • Node and edge colors – The nodes and edges are colored using a “heat” scale which expresses the criticality (severity) of the associated events. The criticality of activities without MOREAL alerts or IPS threats is “0” (zero) and therefore these nodes and edges are depicted with a neutral gray color. Entities and edges with MOREAL alerts and/or IPS threats have a severity ranging from 1 to 4 and they are colored accordingly ranging from “yellow” (criticality: 1) to “red” (criticality: 4).
  • Node size (diameter) – Expresses the absolute number of total events this entity participates in, weighted by the number of distinct edges. In simple terms, expect nodes with a large number of flows (especially with multiple distinct flows) to be the most prominent in this graph.
  • Edge width – Expresses the absolute number of total events between the two linked entities weighted by their importance and criticality. In simple terms, expect more frequent communications and more critical ones to slightly “pop out” from the rest of the edges.
  • Edge arrow – Indicates the direction of the IP flow (i.e. source/destination IP).


You can interact with the graph in the following ways:

  • Hovering over a node or edge will display further information about this entity (node) or activity (edge). More specifically:
    • the IP addresses of the involved entities (or their short names if they are managed assets),
    • the number of total events (including network connections, MOREAL alerts and IPS threats) among the significant entities,
    • the number of MOREAL alerts among the involved entities in this graph, and
    • the number of IPS threats related to the displayed entities
  • For assets and entities with a privately assigned IP address, the title (IP address or name) is clickable. You can use the associated link to navigate to the IP profile of this entity.
  • Double-clicking in a specific node will select this node and its immediate “neighbors” and hide the rest of the graph. This may help you focus in a specific part of the network for further analysis.
  • Zooming in and out in specific parts of the graph is also supported by using the mouse/touchpad scroll function. Moving around in the zoomed-in graph is performed by clicking & dragging in any empty space of the graph.