IOC Graph View

Updated 4 months ago by Elvis Hovor

In the Graph view of the IOC Panel, you can deep-dive into a selected IOC, includling date range, extracted indicators, and a link to the full report. You can click on any IOC in List view to display that IOC in Graph view.

You can see two menu bars when you are in Graph view, both of them displayed above the actual graph.

The first menu bar includes:

  • Data Range: You can select 1 day, 7 days, 1 month, 6 months, or maximum (entire date range for the IOC). The data range data is displayed as a bar graph, as shown in the image above.
  • Labels (gear icon): Turns labels on or off (default) for the graph points.
  • Save Case (disk icon): Displays a popup where you can name and save the current IOC as displayed.
  • Download (down arrow icon): Exports the data from the IOC.

The second menu bar offers these options:

  • Filter by IOCs, sources (enclaves), or tags
  • Search
  • Next IOC from the List view
  • Undo last action
  • Redo the last action you undid
  • Reset to the original view of the IOC

Graph Panel

The main panel in this view shows a graph of the IOC with links to enclaves that contain that IOC, along with correlated IOCs and tags. The example below shows that the IOC (, a URL) has been found three enclaves and associated with tags and MITRE ATT&CK tags.

  • Report node represents information collected from a number of different sources, including user-reported incidents, and paid/open source threat data feeds. A report node is shown using the icon specific to the enclave where that report is stored. In the image above, the report is stored in the TruSTAR Community enclave and is represented by the TruSTAR star logo.
  • An IoC node represents all indicators extracted from a specific ReportIoC nodes are represented with smaller icons specific to the data source.
  • A Tag node represents tags applied to a report or IoC and is visually depicted on the graph. Reports branching off the tag share the same tag, have a correlating IoC(s), and are present in the same timeline. 

A Report node contains one or more IoC nodes. When two different Report nodes contain the same indicators, they are implicitly correlated to each other and you can see that connection in the lines between the IOCs and the reports that contain them.

You can right-click on any item to see a four-part circular menu. Depending on the item, you can choose whatever items are not grayed out.

Details Panel

The details panel in Constellation view displays the IOC type, when it was last seen, how many sightings (with a historical sightings graph), and what enclaves contain this IOC. In addition, you can see the tags for the IOC, including MITRE ATT&CK tags.

The three dots in the upper right corner contain commands to:

  • Search for this IOC as an IOC or in reports.
  • Whitelist this IOC.
  • Delete this IOC. You can only delete an IOC if it is not reference in any reports.

You can click the target icon next to Tags to view tags by enclave. You can add tags to this IOC by selecting a tag from the dropdown list for an enclave. Any tags you add will be visible to all members of the selected enclave and editable by all members of that enclave. Tags you add are immediately added to the IOC in that enclave; there is no Save action required.

Click the target icon next to or MITRE ATT&CK to view those tags by enclave. After making changes, click the Save button to commit the changes to the selected enclave.

How Did We Do?