
Introduction

This tutorial introduces Maltego "collections" and explores a use case thereof. This tutorial appears the first time a collection node is formed, but can also be
opened from the "Show Collections Tutorial" button on the "Collections" tab of the ribbon.

A note on semantics: "collections" and "collection nodes" are used interchangeably in this tutorial.

Contents
Overview
Levels of Simplification
Navigating the Collection
Pin/Unpin Entities
Exploring with the "Detail View" list

Overview

Introduced in Maltego 4, collections aim to clean up the graph by grouping 'similar' entities, making it easier to view portions of the graph and find the key
relationships you are looking for. The underlying collection rules all adhere to the following criteria:

1. Only entities of the same type may be collected together in a single collection,
2. Entities that are pinned (pinned to the graph) may not be collected,
3. A minimum entity limit exists which must be satisfied for a collection node to form, i.e. a collection node may not contain fewer entities than the
minimum limit.

The image below shows the controls on the "Collections" tab of the ribbon as configured for a fresh install of Maltego.

Collections are enabled by default and may be toggled off/on by pressing the "Disable/Enable Collections" button. On the "Simplify Graph" section a slider
and spinner work in tandem to control the level of graph simplification. The numbers on the slider and that of the spinner correspond, designating the minimum
number of entities that any collection node may contain. Dragging the slider to the left decreases this global minimum entity limit for collections, thereby
increasing the amount of graph simplification. The "Show Collections Tutorial" button shows this tutorial, whereas the "Select Collections" button selects all
the collection nodes on the current graph.

Levels of Simplification

A typical use case for collection nodes is analysing Twitter followers. The image below shows the "Detail View" for 3 different Twitter accounts whose
followers were found, sorted alphabetically according to the entity name. Since transforms were run on these entities as input, none of them have
incoming links. "Paterva" has the highest number of Twitter followers (outgoing links) among the 3 entities, with 3432, which according to the transform rules
resulted in a weight of 100.

With collections disabled (and for pre-Maltego4 versions), the graph output looks similar to the image below when in organic layout (zoomed to 2%). The
graph consists of 4164 entities (4489 links in total), making it difficult to visualise the interesting relationships and common followers without having to
continuously zoom in and out of the graph.

With collections enabled and the slider in its default position of 25 entities, the graph output looks as follows in circular layout (zoomed to 15%).

Notice the circular entities (uncollected) and square collection nodes. Dragging the slider to the far left, for the greatest amount of graph simplification,
renders the graph as follows (zoomed to 100%). The graph is now simpler and much easier to work with.

Navigating the Collection


With the collection node containing 269 entities selected (designated by "269" in the collection node heading on the graph), the selected entities can be
viewed in list form in the "Detail View", and sorted according to various columns (multi-column sorting is also supported using the Shift key in conjunction with
mouse clicks on the column headings). Hovering over or clicking on the entities in this list shows the relevant entity properties in the "Property View".

Clicking on the icon in the "Inspect" column in the image above (shown by the orange plus (+) sign) shows in-depth details of that single entity (image below).
Double-clicking on the Twitter user icon in the image below will open the "Details" dialog. Clicking on the "Back To List" button (or right-clicking inside the
"Detail View" component) in the image below returns to the "Detail View" list of the entities in the collection node as in the image above.

By double-clicking on the entity name in the "Detail View" list (or clicking on the icon in the "Collected" column which shows the number of entities in the
collection node), the graph will automatically pan and zoom to the selected entity, briefly flashing the entity inside the collection node in white as in the image
below.

Pin/Unpin Entities

Collections are simply visual elements -- if an entity is of specific interest and it must not be grouped within the collection node, one can press on the pin icon
of that entity, either on the graph's collection component (as in the image below) or in the "Detail View" list. Having multiple entities selected and then clicking
on the pin icon will pin all selected entities to the graph (uncollect from collection). Alternatively all entities in a collection can be pinned to the graph by clicking
the larger pin icon in the collection component heading (seen as a very faint overlay in the top-right corner of the image below).

Clicking on the pin icon with only the "Black Hat" entity selected isolates the entity from the collection node, essentially pinning the entity to the graph
(see image below). Other rules for exclusion from a collection node are if the entity has attachments or notes. When dragging entities onto the graph, they
are pinned by default.

If the orange pin icon of a pinned entity, such as the "Black Hat" entity below, is clicked to unpin the entity from the graph, the entity becomes available to be
collected, and will only be collected should it satisfy the criteria outlined in the overview (top of page), and share relationships with (i.e. is 'similar' to) other
entities of the same type. Typically this will boil down to whether it is linked to (shares) common parent and child entities, although the rules can understandably
become quite complex for heavily meshed graphs.
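
The collection criteria from the overview, together with the pin, notes and attachments exclusions described in this section, can be modelled as follows. This is an added example, not Maltego's own code: it assumes 'similar' means an identical set of parent and child entities, and the entity names, type labels and the `build_collections` and `sample_graph` functions are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Entity:
    name: str
    etype: str                 # constructed type label, not a Maltego type name
    pinned: bool = False
    has_notes: bool = False
    has_attachments: bool = False

def build_collections(entities, links, min_size):
    """Group entities per the tutorial's rules; links are (parent, child) names.

    Assumption: 'similar' means identical parent and child sets.
    Returns (collections, uncollected), both sorted for stable output.
    """
    parents, children = defaultdict(set), defaultdict(set)
    for src, dst in links:
        children[src].add(dst)
        parents[dst].add(src)
    groups = defaultdict(list)
    for e in entities:
        # Pinned entities and entities with notes/attachments are never collected.
        if e.pinned or e.has_notes or e.has_attachments:
            continue
        # Same type + same neighbours -> same candidate collection.
        key = (e.etype, frozenset(parents[e.name]), frozenset(children[e.name]))
        groups[key].append(e.name)
    # A collection forms only if it reaches the minimum entity limit (the slider).
    collections = sorted(sorted(m) for m in groups.values() if len(m) >= min_size)
    collected = {n for c in collections for n in c}
    uncollected = sorted(e.name for e in entities if e.name not in collected)
    return collections, uncollected

def sample_graph(pin_black_hat=True):
    """Constructed data: accounts A and B with followers as outgoing links."""
    only_a = [f"f{i}" for i in range(1, 6)]
    both = [f"g{i}" for i in range(1, 4)]
    entities = [Entity("A", "account"), Entity("B", "account")]
    entities += [Entity(n, "follower") for n in only_a + both]
    entities.append(Entity("Black Hat", "follower", pinned=pin_black_hat))
    links = [("A", n) for n in only_a + both + ["Black Hat"]]
    links += [("B", n) for n in both]
    return entities, links

if __name__ == "__main__":
    for limit in (3, 4):
        print(limit, build_collections(*sample_graph(), limit))
```

Raising the limit from 3 to 4 dissolves the three-entity group of common followers back into single entities, which mirrors dragging the slider to the right.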

Exploring with the "Detail View" list

With collection nodes there is the same functionality that has always been in Maltego. For instance, one can find entities on the graph containing certain
word(s), whether they form part of a collection node or not, by using the "Quick Find" functionality on the "Investigate" tab of the ribbon.

Alternatively, when using the "Detail View" list with the "269" collection node selected, the "Black Hat" entity can be pinned to the graph from this listed view,
which would uncollect it but still keep it among the selected entities displayed in the list. The list entities can then further be filtered according to entities
containing the word "black" in them as in the image below. As can be seen by the text inside the icon in the "Collected" column, the collection node now only
contains 268 entities, and the pinned "Black Hat" entity is displayed as a normal (circle) entity.

While on the graph all 269 entities of the original collection node are still selected, the "Detail View" list only shows the 2 filtered entities. By clearing the filter
textfield, all 269 entities will again be displayed within the list. Alternatively, by selecting the 2 list entities in the image above, and clicking on the "Sync
Selection to Graph" button to the left of the filter textfield, the graph selection changes to only these 2 entities and will be displayed as in the image below.

Solid orange borders signify full selection (all entities within the visual element selected), while a dashed orange border (as for the "268" collection node
above), signifies partial selection. The collection node heading in this case indicates that only 1 of the 268 entities within the collection node is selected. Since
pinned entities (and other entities not in collection nodes) only represent a single entity, these entities can therefore never be in a state of partial selection.
Transforms can also be run within the "Detail View" list using the context menu (on either single or multiple entities). Simply select the entities in the "Detail
View" list, right-click to invoke the context menu (see image below), and run transforms as usual.
