How To Read TruSTAR's Graph Visualization

by Shimon Modi

At TruSTAR we are constantly trying to make incident exchange and collaboration easier for security operators and analysts. The top priority for security operators using the TruSTAR platform is to enrich incidents they are investigating and find relevant, actionable correlations with other reports.

To that effect our data science team has made intuitive graph visualizations and reporting a cornerstone of our platform. In this blog we discuss how to use TruSTAR’s graph capabilities for improving your analysis.

Reports and Indicators of Compromise (IoC)

Data submitted to TruSTAR is converted into a graph data model users can easily manipulate and explore (see image below). We call TruSTAR graphs “Constellations.” All of our data can be categorized into two node types : Report and IoC.

  • Report node represents information collected from a number of different sources, including user-reported incidents, and paid/open source threat data feeds. Report nodes are represented with the blue TruSTAR icon.
  • An IoC node represents all indicators extracted from a specific ReportIoC nodes are represented with smaller icons specific to the data source.

So, effectively, you can say that a Report node contains one or more IoC nodes. When two different Report nodes contain the same indicators they are implicitly correlated to each other.

In the above graph all the blue nodes are Reports submitted to TruSTAR. You can see that multiple Reports are connected through an IoC.

Intuitively this tells you that this cluster is enriching the Report in the center with the white star. We also pull information open source and closed source intelligence based on your Marketplace subscriptions. These are also shown on the graph if there is a correlation with any of these sources.

On the TruSTAR platform you can click on the various Reports and read the underlying data context to better understand these connections. 

Additional Analysis Capabilities

We also allow you to drill down on a specific Report node by double clicking on it. There is a timeline filter which allows you to specify the time period of interest for your analysis. You can delete specific nodes from the visualization and undo your actions.

How Did We Do?