Reports Graph View

Updated 3 months ago by Elvis Hovor

Clicking on a report in List view displays the details of that report in the Graph view. This window provides visual links to related reports, enclaves, IOCs, and other information as a link-analysis visualization.

You can drill down on analyses, filter out irrelevant nodes, add notes or tags, and adjust the timeline of correlations based on your requirements, all within a single panel. You can view the full JSON report content as well as a graph visualization of the correlations.

Two menu bars are shown in Graph view, both displayed above the graph itself.

The first menu bar includes:

  • Date Range: You can select 1 day, 7 days, 1 month, 6 months, or maximum (the entire date range for the report). The date range data is displayed as a bar graph, as shown in the image above.
  • Labels (gear icon): Turns labels on or off (default) for the constellation points.
  • Save Case (disk icon): Displays a popup where you can name and save the current report as displayed.
  • Download (down arrow icon): Exports the IOC data from the report.

The second menu bar offers these options:

  • Filter by IOCs, sources (enclaves), or tags
  • Search
  • Next report from the List view
  • Undo last action
  • Redo the last action you undid
  • Reset to the original view of the report

Graph Panel

The main panel in this view shows a graph of the report with links to the IOCs and tags from the report. The example below shows the original report surrounded by links to tags, URLs, and other IOCs found in the report.

  • A Report node represents information collected from a number of different sources, including user-reported incidents and paid or open-source threat data feeds. A report node is shown using the icon specific to the enclave where that report is stored. In the image above, the report is stored in the TruSTAR Community enclave and is represented by the TruSTAR star logo.
  • An IoC node represents an indicator extracted from a specific report. IoC nodes are represented with smaller icons specific to the data source.
  • A Tag node represents a tag applied to a report or IoC and is visually depicted on the graph. Reports branching off the tag share the same tag, have one or more correlating IoCs, and are present in the same timeline.

A Report node contains one or more IoC nodes. When two different Report nodes contain the same indicators, they are implicitly correlated with each other, and you can see that connection in the lines between the IOCs and the reports that contain them.

CVEs, Threat Actors, and Malware correlations default to hiding second-order correlations to reduce the noise in Graph view.
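The implicit correlation described above is a bipartite relationship between reports and the indicators extracted from them. The following added example (not TruSTAR's own code; the report names and indicator values are constructed placeholders) inverts a report-to-IOC mapping into an IOC index, derives first-order correlations (reports that share an indicator) and second-order correlations (reports linked only through an intermediary report), and shows how hiding second-order correlations, as Graph view does by default for CVE, Threat Actor, and Malware nodes, shrinks the set of related reports an analyst sees:

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: report ids and the indicators extracted from each.
# None of these values are real reports or real threat data.
REPORTS = {
    "report-A": {"1.2.3.4", "evil.example"},
    "report-B": {"1.2.3.4", "payload.example"},
    "report-C": {"payload.example", "dropper.example"},
    "report-D": {"dropper.example"},
}


def build_indicator_index(reports):
    """Invert report -> IOCs into IOC -> set of reports containing it."""
    index = defaultdict(set)
    for report_id, iocs in reports.items():
        for ioc in iocs:
            index[ioc].add(report_id)
    return index


def first_order_correlations(reports):
    """Pairs of reports that share at least one indicator.

    Returns a dict mapping frozenset({a, b}) -> set of shared IOCs. Every
    indicator held by two or more reports links each pair of holders."""
    links = defaultdict(set)
    for ioc, holders in build_indicator_index(reports).items():
        for a, b in combinations(sorted(holders), 2):
            links[frozenset((a, b))].add(ioc)
    return dict(links)


def second_order_correlations(reports):
    """Pairs of reports with no shared indicator that are both directly
    correlated with a common intermediary report."""
    first = first_order_correlations(reports)
    neighbours = defaultdict(set)
    for pair in first:
        a, b = tuple(pair)
        neighbours[a].add(b)
        neighbours[b].add(a)
    second = set()
    for linked in neighbours.values():
        for a, b in combinations(sorted(linked), 2):
            pair = frozenset((a, b))
            if pair not in first:
                second.add(pair)
    return second


def correlations_for(report_id, reports, hide_second_order=True):
    """Reports correlated with report_id, annotated with order and evidence.

    With hide_second_order=True (the Graph view default for noisy node types)
    only reports that share an indicator directly are returned."""
    first = first_order_correlations(reports)
    result = {}
    for pair, shared in first.items():
        if report_id in pair:
            (other,) = pair - {report_id}
            result[other] = {"order": 1, "shared": shared}
    if not hide_second_order:
        direct = set(result)
        for pair in second_order_correlations(reports):
            if report_id in pair:
                (other,) = pair - {report_id}
                # The intermediaries are direct neighbours that also touch 'other'.
                via = {m for m in direct if frozenset((m, other)) in first}
                result[other] = {"order": 2, "via": via}
    return result


if __name__ == "__main__":
    for hide in (True, False):
        print(f"hide_second_order={hide}:",
              correlations_for("report-A", REPORTS, hide_second_order=hide))
```

With the constructed data the reports form a chain A-B-C-D, so report-A has one direct correlation (report-B, via the shared IP) and one second-order correlation (report-C, reachable only through report-B); the second is the kind of link the default view suppresses to reduce noise.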

You can right-click on any item to see a four-part circular menu. Depending on the item, you can choose any option that is not grayed out.

Details Panel

The details panel on the left side of Graph view displays information in three different sections: Breadcrumb Trail, Report Metadata, and Extracted Indicators.

Above the report header, the Breadcrumb Trail is a convenient way to track the previous detail pages you've visited while navigating a graph.

Clicking on a graph node appends it to the left-hand side of the breadcrumb trail, allowing you to quickly go back to that node by clicking its breadcrumb.

Report Metadata

The next section displays the metadata for the report, including the report title, the date submitted, the date last updated, and the enclave in which it is stored.

To view the entire report, click View Full Report.

The three dots in the upper right corner contain commands to:

The Expand icon (four arrows) displays the full report data. It also hides the Extracted Indicators section.

Report Summary

The Report Summary shows the most relevant extracted details in tabular format. These vary from source to source and could include details such as risk or confidence score, associated actors, associated malware families, kill chain stages, reported relations, and so on. The goal is to display the details that analysts would find most relevant to their analysis.

Tags

You can click the target icon next to Tags to view tags by enclave. You can add tags to this report by selecting a tag from the dropdown list for an enclave. Any tags you add are visible to all members of the selected enclave and editable by all members of that enclave. Tags you add are applied immediately to the report in that enclave; no Save action is required. Tags are limited to 32 characters.

Click the target icon next to or MITRE ATT&CK to view those tags by enclave. After making changes, click the Save button to commit the changes to the selected enclave.

Viewing Extracted Indicators

The bottom section of the Details panel shows the list of IOCs extracted from the report and a count of how many were extracted.

You can use the icons to manipulate the display:

  • The A-Z icon reverses the sort direction of the list.
  • The Search icon and text field locates instances of a specific term.
  • The Eye icon whitelists selected IOCs. To use it, click the icon and then click the eye icon next to the IOC you want to add to the whitelist.
  • The Expand icon (four arrows) shows the entire list of extracted indicators and hides the Report Details section.

Extracted Indicator - Card Front Side

All extracted indicators are shown as individual information cards.

The logo of the intelligence source is displayed along with any risk score, confidence score, or malicious score provided by the source. The type and value of the indicator are also shown. On the right, you see two controls:

  • the top control lets you flip the card to see its backside
  • the bottom control shows the indicator in the constellation view.

Extracted Indicator - Card Back Side

The back side of each indicator card displays the last-seen date, the number of sightings, and the number of user-generated notes for that indicator.

On the right, you see two controls:

  • the top control lets you flip the card to see its front side
  • the bottom control shows the indicator in the constellation view.