Reports Constellation View

Updated 3 days ago by Elvis Hovor

Clicking on a report in List view displays the details of that report in the Constellation view. This window provides visual links to related reports, enclaves, IOCs, and other information.

You can drill down on analyses, filter out irrelevant nodes, add notes or tags, and adjust the timeline of correlations based on your requirements, all within a single panel. You can view the full JSON report content as well as a graph visualization of correlations.

You can see two menu bars when you are in Constellation view, both of them displayed above the actual constellation.

The first menu bar includes:

  • Data Range: You can select 1 day, 7 days, 1 month, 6 months, or maximum (entire date range for the report). The data for the selected range is displayed as a bar graph, as shown in the image above.
  • Labels (gear icon): Turns labels on or off (default) for the constellation points.
  • Save Case (disk icon): Displays a popup where you can name and save the current report as displayed.
  • Download (down arrow icon): Exports the IOC data from the report.

The second menu bar offers these options:

  • Filter by IOCs, sources (enclaves), or tags
  • Search
  • Next report from the List view
  • Undo last action
  • Redo the last action you undid
  • Reset to the original view of the report

Constellation Panel

The main panel in this view shows a constellation of the report with links to IOCs and tags from the report. The example below shows the original report surrounded by links to tags, URLs, and other IOCs found in the report.

You can right-click on any item to see a four-part circular menu. Depending on the item, you can choose any option that is not grayed out.

Details Panel

The details panel in Constellation view displays information in three different sections: Breadcrumb Trail, Report Metadata, and Extracted Indicators.

Above the report header, the Breadcrumb Trail is a convenient way to track the previous detail pages you've visited whilst navigating the constellation graph.

Clicking on a graph node appends it to the left-hand side of the breadcrumb trail, allowing you to quickly go back to that node by clicking on its respective breadcrumb.

Report Metadata

The next section displays the metadata for the report, including the Report Title, the date submitted, the date last updated, and the enclave it is stored in.

To view the entire report, click View Full Report.

The three dots in the upper right corner contain commands to:

The Expand icon (four arrows) displays the full report data. It also hides the Extracted Indicators section.

Report Summary

The Report Summary shows the most relevant extracted details in a tabular format. These will vary from source to source and could include details like risk or confidence score, actors associated, malware families associated, kill chain stages, relations reported, etc. The goal is to display details that analysts would find most relevant to their analysis.

Tags

You can click the target icon next to Tags to view tags by enclave. You can add tags to this report by selecting a tag from the dropdown list for an enclave. Any tags you add will be visible to all members of the selected enclave and editable by all members of that enclave. Tags you add are immediately added to the report in that enclave; there is no Save action required. Tags are limited to 32 characters.

Click the target icon next to or MITRE ATT&CK to view those tags by enclave. After making changes, click the Save button to commit the changes to the selected enclave.

Viewing Extracted Indicators

The bottom section of the Details panel shows the list of IOCs extracted from the report and a count of how many were extracted.

You can use the icons to manipulate the display:

  • The A-Z icon reverses the sort direction of the list.
  • The Search icon and text field locates instances of a specific term.
  • The Eye icon whitelists selected IOCs. To use it, click the icon and then click the eye icon next to the IOC you want to add to the whitelist.
  • The Expand icon (four arrows) shows the entire list of extracted indicators and hides the Report Details section.

Extracted Indicator - Card Front Side

All extracted indicators are shown as individual information cards.

The logo of the intelligence source is displayed along with any risk score, confidence score, or malicious score provided by the source. The type and value of the indicator are also shown. On the right, you see two controls:

  • the top control lets you flip the card to see its back side
  • the bottom control shows the indicator in the constellation view.

Extracted Indicator - Card Back Side

The back side of each indicator card displays details of last seen, number of sightings, and number of user-generated notes for that indicator.

On the right, you see two controls:

  • the top control lets you flip the card to see its front side
  • the bottom control shows the indicator in the constellation view.

