Reports Graph View
Clicking on an Intelligence Report in List view displays the details of that Report in the Graph view. This window provides visual links to related Reports, Enclaves, Indicators, and other information.
You can drill down on analyses, filter out irrelevant nodes, add notes or tags and adjust the timeline of correlations based on your requirements—all within a single panel. You can view the full JSON report content as well as graph visualization of correlations.
You can see two menu bars when you are in Graph view, displayed above the actual graph.
The first menu bar includes:
- Date Range: You can select 1 day, 7 days, 1 month, 6 months, or maximum (the entire date range for the Report). The volume of data in the selected range is displayed as a bar graph.
- Labels (gear icon): Turns labels for the graph nodes on or off (off is the default).
- Download (down arrow icon): Exports the Indicator data from the Report.
The second menu bar offers these options:
- Filter by Indicators, sources (Enclaves), or tags
- Next Report from the List view
- Undo last action
- Redo the last action you undid
- Reset to the original view of the Report
The main panel in this view shows a graph of the Report with links to Indicators and tags from the Report. The example below shows the original Report surrounded by links to tags, URLs, and other Indicators found in the Report.
- A Report node represents information collected from a number of different sources, including user-reported incidents, and intelligence sources. A Report node is shown using the icon specific to the Enclave where that report is stored. In the image above, the report is stored in the TruSTAR Community Enclave and is represented by TruSTAR's blue star logo.
- An IoC node represents all Indicators extracted from a specific Report. These nodes are represented with smaller icons specific to the data source.
- A Tag node represents tags applied to a Report or Indicator and is visually depicted on the graph. Reports branching off the tag share the same tag, have at least one correlating Indicator, and are present in the same timeline.
A Report node contains one or more IoC nodes. When two different Report nodes contain the same Indicator, they are implicitly correlated to each other, and you can see that connection in the lines between the shared Indicator and the Reports that contain it.
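The correlation rule just described is simple enough to model directly. The following is an added example, not TruSTAR's code or API: it builds the Report / Indicator / Tag relationships from a constructed sample set (the Report IDs, Enclave names, dates, tags and Indicator values are all illustrative assumptions), derives the implicit Report-to-Report links through shared Indicators, applies the Date Range filter, and shows which Reports would branch off a Tag node. It also takes a whitelist of Indicators to ignore, which is why whitelisting a noisy, benign value (as the Eye control in the Extracted Indicators panel does) matters: a widely shared Indicator would otherwise link unrelated Reports.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not real intelligence): each Report records the
# Enclave it lives in, its submission date, its tags, and the Indicators
# extracted from it as (type, value) pairs.
REPORTS = {
    "RPT-1": {"enclave": "Community", "submitted": date(2023, 5, 1),
              "tags": {"phishing"},
              "indicators": {("URL", "hxxp://evil.example/login"),
                             ("SHA256", "a" * 64),
                             ("IP", "203.0.113.5")}},
    "RPT-2": {"enclave": "Private", "submitted": date(2023, 5, 3),
              "tags": {"phishing", "credential-theft"},
              "indicators": {("IP", "203.0.113.5"),
                             ("DOMAIN", "evil.example")}},
    "RPT-3": {"enclave": "Community", "submitted": date(2023, 1, 10),
              "tags": {"phishing"},
              "indicators": {("SHA256", "b" * 64)}},
    "RPT-4": {"enclave": "Private", "submitted": date(2023, 5, 4),
              "tags": {"ransomware"},
              "indicators": {("SHA256", "a" * 64)}},
}

# Assumed "today" for the Date Range filter in this example.
AS_OF = date(2023, 5, 5)


def build_indicator_index(reports, whitelist=frozenset()):
    """Invert Report -> Indicators into Indicator -> Reports.
    Whitelisted Indicators are skipped so a benign, widely shared value
    cannot link unrelated Reports."""
    index = defaultdict(set)
    for report_id, report in reports.items():
        for ioc in report["indicators"]:
            if ioc not in whitelist:
                index[ioc].add(report_id)
    return index


def correlated_reports(reports, report_id, whitelist=frozenset()):
    """Implicit correlation: another Report is linked to report_id when both
    contain at least one common, non-whitelisted Indicator.
    Returns {other_report_id: set of shared Indicators}, i.e. the lines the
    Graph view draws through the shared IoC nodes."""
    index = build_indicator_index(reports, whitelist)
    shared = defaultdict(set)
    for ioc in reports[report_id]["indicators"]:
        for other in index.get(ioc, ()):
            if other != report_id:
                shared[other].add(ioc)
    return dict(shared)


def within_range(report, days, as_of):
    """Date Range filter: days is 1, 7, 30, 180, or None for 'maximum'."""
    if days is None:
        return True
    return as_of - timedelta(days=days) <= report["submitted"] <= as_of


def reports_branching_off_tag(reports, report_id, tag, days=None,
                              as_of=AS_OF, whitelist=frozenset()):
    """Reports that branch off a Tag node: they share the tag with report_id,
    have at least one correlating Indicator with it, and fall inside the
    selected date range."""
    if tag not in reports[report_id]["tags"]:
        return set()
    linked = correlated_reports(reports, report_id, whitelist)
    return {other for other in linked
            if tag in reports[other]["tags"]
            and within_range(reports[other], days, as_of)}


if __name__ == "__main__":
    for other, iocs in sorted(correlated_reports(REPORTS, "RPT-1").items()):
        print(f"RPT-1 <-> {other} via {sorted(iocs)}")
    print("phishing, last 7 days:",
          reports_branching_off_tag(REPORTS, "RPT-1", "phishing", days=7))
```

Whitelisting the shared IP drops the RPT-1 to RPT-2 link entirely, leaving only the hash-based link to RPT-4; RPT-3 shares the phishing tag but no Indicator, so it never branches off the Tag node regardless of the date range.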
You can right-click on any item to see a four-part circular menu. Depending on the item, only the options that are not grayed out are available.
The details panel on the left side of Graph view displays information in three different sections: Breadcrumb Trail, Report Metadata, and Extracted Indicators.
Above the report header, the Breadcrumb Trail is a convenient way to track the previous detail pages you've visited while navigating a graph.
Clicking on a graph node appends it to the left-hand side of the breadcrumb trail, allowing you to quickly go back to that node by clicking on its respective breadcrumb.
The next section displays the metadata for the Report, including Report Title, date submitted and date last updated, and which Enclave it is stored in.
To view the entire Report, click View Full Report.
The three dots in the upper right corner contain commands to:
- Update the Report (if you have permission to write to that Enclave)
- Copy the Report to another Enclave
- Move the Report to another Enclave
- Export the Report
The Expand icon (four arrows) displays the full Report data. It also hides the Extracted Indicators section.
The Report Summary shows the most relevant extracted details in tabular format. These vary from source to source and can include details such as risk or confidence score, associated actors, associated malware families, kill chain stages, and reported relations. The goal is to display the details that analysts would find most relevant to their analysis.
You can click the target icon next to Tags to view tags by Enclave. You can add tags to this Report by selecting a tag from the dropdown list for an Enclave. Any tags you add are visible to all viewers of the selected Enclave and editable by all viewers of that Enclave. Tags you add are immediately applied to the Report; there is no Save action required. Tags are limited to 32 characters.
Click the target icon next to MITRE ATT&CK to view those tags by Enclave. Unlike regular tags, MITRE ATT&CK changes are not applied immediately: after making changes, click the Save button to commit them to the selected Enclave.
Viewing Extracted Indicators
The bottom section of the Details panel shows the list of Indicators extracted from the Report and a count of how many were extracted.
You can use the icons to manipulate the display:
- The A-Z icon reverses the sort direction of the list.
- The Search icon and text field locates instances of a specific term.
- The Eye icon whitelists selected Indicators. To use it, click the icon and then click the eye icon next to the Indicator you want to add to the whitelist.
- The Expand icon (four arrows) shows the entire list of extracted Indicators and hides the Report Details section.
Extracted Indicator - Card Front Side
All extracted Indicators are shown as individual information cards.
The logo of the intelligence source is displayed along with any risk score, confidence score, or malicious score provided by the source. The type and value of the Indicator are also shown. On the right, you see two controls:
- the top control lets you flip the card to see its backside
- the bottom control shows the Indicator in graph view.
Extracted Indicator - Card Back Side
The back side of each Indicator card displays details of last seen, number of sightings, and number of user-generated notes for that Indicator.
On the right, you see two controls:
- the top control lets you flip the card to see its front side
- the bottom control shows the Indicator in graph view.