How To Read TruSTAR's Graph Visualization

Updated 5 months ago by Shimon Modi

At TruSTAR we are constantly trying to make incident exchange and collaboration easier for security operators and analysts. The top priority for security operators using the TruSTAR platform is to enrich incidents they are investigating and find relevant, actionable correlations with other reports.

To that effect our data science team has made intuitive graph visualizations and reporting a cornerstone of our platform. In this blog we discuss how to use TruSTAR’s graph capabilities for improving your analysis.

Reports, Indicators of Compromise (IoC), and Tags

Data submitted to TruSTAR is converted into a graph data model users can easily manipulate and explore (see image below). We call TruSTAR graphs “Constellations.” All of our data can be categorized into two node types: Report and IoC.

  • A Report node represents information collected from a number of different sources, including user-reported incidents and paid/open source threat data feeds. Report nodes are represented with the blue TruSTAR icon.
  • An IoC node represents all indicators extracted from a specific Report. IoC nodes are represented with smaller icons specific to the data source.
  • A Tag node represents tags applied to a Report or IoC and is visually depicted on the graph. Reports branching off the tag share the same tag, have one or more correlating IoCs, and are present in the same timeline.

So, effectively, you can say that a Report node contains one or more IoC nodes. When two different Report nodes contain the same indicators they are implicitly correlated to each other.

In the above graph all the blue nodes are Reports submitted to TruSTAR. You can see that multiple Reports are connected through an IoC.

Intuitively this tells you that this cluster is enriching the Report in the center with the white star. We also pull in open source and closed source intelligence based on your Marketplace subscriptions. These sources are also shown on the graph if there is a correlation with any of them.

On the TruSTAR platform you can click on the various Reports and read the underlying data context to better understand these connections. 

Please note that CVE, Threat Actor, and Malware correlations hide second-order correlations by default, in an effort to reduce the noise on the constellation graph.
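As an added illustration (not TruSTAR's own code), here is a small Python model of the Report/IoC graph described above: two Reports are correlated when they share an indicator, and second-order correlations reached through a CVE, Threat Actor or Malware indicator are suppressed by default. The report ids, indicator values and the exact suppression rule are constructed assumptions.

```python
from collections import defaultdict

# IoC types the article says hide second-order correlations by default
NOISY_TYPES = {"CVE", "THREAT_ACTOR", "MALWARE"}

# Constructed sample data: report id -> set of (ioc_type, value) nodes
REPORTS = {
    "R-center": {("IP", "203.0.113.10"), ("CVE", "CVE-0000-0000"), ("HASH", "abc123")},
    "R-a": {("IP", "203.0.113.10"), ("DOMAIN", "example.test")},
    "R-b": {("DOMAIN", "example.test")},
    "R-c": {("CVE", "CVE-0000-0000"), ("URL", "http://example.test/x")},
    "R-d": {("URL", "http://example.test/x")},
}


def index_by_ioc(reports):
    """Build the IoC -> Reports side of the bipartite graph."""
    idx = defaultdict(set)
    for rid, iocs in reports.items():
        for ioc in iocs:
            idx[ioc].add(rid)
    return idx


def correlations(reports, center, hide_noisy_second_order=True):
    """Return {report_id: (order, shared_ioc)} for Reports correlated with `center`.

    Order 1: the Report shares an IoC directly with `center`.
    Order 2: the Report shares an IoC with an order-1 Report.
    Assumed rule: a second-order link is hidden if either hop goes through a
    noisy IoC type (CVE, Threat Actor, Malware).
    """
    idx = index_by_ioc(reports)
    found = {}
    for ioc in reports[center]:  # first-order: any Report sharing an IoC
        for rid in idx[ioc] - {center}:
            found.setdefault(rid, (1, ioc))
    for rid1, (_, via) in list(found.items()):  # expand one more hop
        if hide_noisy_second_order and via[0] in NOISY_TYPES:
            continue  # do not expand beyond a noisy first hop
        for ioc in reports[rid1]:
            if hide_noisy_second_order and ioc[0] in NOISY_TYPES:
                continue  # do not expand through a noisy second hop
            for rid2 in idx[ioc] - {center, rid1}:
                found.setdefault(rid2, (2, ioc))
    return found
```

With the sample above, R-a and R-c are first-order neighbours of R-center, R-b appears as a second-order correlation via the shared domain, and R-d is hidden because it is only reachable through the CVE shared with R-c.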

Additional Analysis Capabilities

We also allow you to drill down on a specific Report node by double-clicking on it. A timeline filter lets you specify the time period of interest for your analysis. You can delete specific nodes from the visualization and undo your actions.
