Observable Graph View
In the Graph view of the IOC Panel, you can deep-dive into a selected Indicator, including its date range, extracted Indicators, and a link to the full report. You can click on any item in List view to display it in Graph view.
You can see two menu bars when you are in Graph view, both of them displayed above the actual graph.
The first menu bar includes:
- Data Range: You can select 1 day, 7 days, 1 month, 6 months, or maximum (the entire date range for the item). The data for the selected range is displayed as a bar graph, as shown in the image above.
- Labels (gear icon): Turns labels on or off (default) for the graph points.
- Download (down arrow icon): Exports the data from the Indicator.
The second menu bar offers these options:
- Filter by Indicator, sources (enclaves), or tags
- Next item from the List view
- Undo last action
- Redo the last action you undid
- Reset to the original view of the item
The main panel in this view shows a graph of the Indicator with links to the Enclaves that contain that item, along with correlated Indicators and tags. The example below shows that the Indicator (corona-map-data.com, a URL) has been found in three Enclaves and is associated with tags and MITRE ATT&CK tags.
- A Report node represents information collected from a number of different sources, including user-reported incidents and paid/open-source threat data feeds. A Report node is shown using the icon specific to the enclave where that report is stored. In the image above, the report is stored in the TruSTAR Community enclave and is represented by the TruSTAR star logo.
A Report node contains one or more Observable nodes. When two different Report nodes contain the same Observable, they are implicitly correlated with each other, and you can see that connection in the lines between the Observables and the reports that contain them.
- An Observable node represents all indicators extracted from a specific Report. Observable nodes are represented with smaller icons specific to the data source.
- A Tag node represents tags applied to a Report or Observable and is visually depicted on the graph. Reports branching off the tag share the same tag, have one or more correlating Observables, and are present in the same timeline.
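The node model described above (Reports contain Observables, Tags attach to Reports, and two Reports that share an Observable are implicitly correlated) can be reasoned about outside the UI. The following is an added, self-contained Python example, not TruSTAR code; the report IDs, enclave names, IP addresses and tag values are constructed, and only corona-map-data.com is taken from the page. It builds the same adjacency the graph draws, lists which Enclaves contain an Observable, finds the Reports implicitly correlated with a given Report through shared Observables, and applies the rule that an Observable can only be deleted when no Report references it.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Report node: stored in one enclave, contains Observable nodes, may carry Tag nodes.
@dataclass
class Report:
    report_id: str
    enclave: str
    observables: Set[str]
    tags: Set[str] = field(default_factory=set)

# Constructed sample data (hypothetical report IDs, enclaves and values).
SAMPLE_REPORTS: List[Report] = [
    Report("rpt-1", "TruSTAR Community", {"corona-map-data.com", "198.51.100.7"}, {"phishing"}),
    Report("rpt-2", "Internal", {"corona-map-data.com"}, {"phishing", "T1566"}),
    Report("rpt-3", "Partner ISAC", {"corona-map-data.com", "203.0.113.9"}),
    Report("rpt-4", "Internal", {"203.0.113.9"}),
]

def build_graph(reports: List[Report]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Index the graph edges: observable -> report IDs, tag -> report IDs."""
    by_observable: Dict[str, Set[str]] = defaultdict(set)
    by_tag: Dict[str, Set[str]] = defaultdict(set)
    for r in reports:
        for o in r.observables:
            by_observable[o].add(r.report_id)
        for t in r.tags:
            by_tag[t].add(r.report_id)
    return dict(by_observable), dict(by_tag)

def enclaves_for_observable(reports: List[Report], observable: str) -> List[str]:
    """Enclaves whose reports contain the observable (what the details panel lists)."""
    return sorted({r.enclave for r in reports if observable in r.observables})

def correlated_reports(reports: List[Report], report_id: str) -> Dict[str, Set[str]]:
    """Reports implicitly correlated with report_id, mapped to the observables they share.
    Two reports correlate when at least one observable appears in both."""
    by_observable, _ = build_graph(reports)
    me = next(r for r in reports if r.report_id == report_id)
    shared: Dict[str, Set[str]] = defaultdict(set)
    for o in me.observables:
        for other in by_observable.get(o, set()):
            if other != report_id:
                shared[other].add(o)
    return dict(shared)

def reports_sharing_tag(reports: List[Report], tag: str) -> Set[str]:
    """Reports branching off a Tag node: every report carrying that tag."""
    _, by_tag = build_graph(reports)
    return by_tag.get(tag, set())

def can_delete_observable(reports: List[Report], observable: str) -> bool:
    """An observable may only be deleted when no report references it."""
    return not any(observable in r.observables for r in reports)

if __name__ == "__main__":
    print(enclaves_for_observable(SAMPLE_REPORTS, "corona-map-data.com"))
    print(correlated_reports(SAMPLE_REPORTS, "rpt-3"))
    print(reports_sharing_tag(SAMPLE_REPORTS, "phishing"))
    print(can_delete_observable(SAMPLE_REPORTS, "corona-map-data.com"))
```

Running the script with the constructed data shows corona-map-data.com present in three enclaves, mirroring the example on the page, and shows rpt-3 correlated with rpt-1 and rpt-2 through the URL and with rpt-4 through the shared IP address.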
You can right-click on any item to see a four-part circular menu. Depending on the item, only some choices are available; grayed-out choices cannot be selected.
The details panel in Graph view displays the Indicator type, when it was last seen, how many sightings there have been (with a historical sightings graph), and which enclaves contain it. In addition, you can see the tags applied to the item, including MITRE ATT&CK tags.
The three dots in the upper right corner contain commands to:
- Search for this item.
- Whitelist this item.
- Delete this item. You can only delete it if it is not referenced in any reports.
You can click the target icon next to Tags to view tags by Enclave. You can add tags to this item by selecting a tag from the dropdown list for an Enclave. Any tags you add will be visible to all members of the selected Enclave and any of those members can edit those tags. Tags you add are immediately added to the item in that enclave; there is no Save action required.
Click the target icon next to or MITRE ATT&CK to view those tags by enclave. After making changes, click the Save button to commit the changes to the selected enclave.