Observable Graph View

Updated 1 month ago by Elvis Hovor

In the Graph view of the Observables Panel, you can deep-dive into a selected Observable, including its date range, extracted Observables, and a link to the full report. You can click on any Observable in List view to display it in Graph view.

You can see two menu bars when you are in Graph view, both of them displayed above the actual graph.

The first menu bar includes:

  • Date Range: You can select 1 day, 7 days, 1 month, 6 months, or maximum (the entire date range for the item). The data for the selected range is displayed as a bar graph, as shown in the image above.
  • Labels (gear icon): Turns labels on or off (default) for the graph points.
  • Download (down arrow icon): Exports the data from the Observable.

The second menu bar offers these options:

  • Filter by Observable, sources (enclaves), or tags
  • Search
  • Next Observable from the List view
  • Undo last action
  • Redo the last action you undid
  • Reset to the original view of the Observable

Graph Panel

The main panel in this view shows a graph of the Observable with links to the enclaves that contain that item, along with correlated Observables and tags. The example below shows that the Observable (corona-map-data.com, a URL) has been found in three enclaves and is associated with tags, including MITRE ATT&CK tags.

  • A Report node represents information collected from a number of different sources, including user-reported incidents and paid/open source threat data feeds. A report node is shown using the icon specific to the enclave where that report is stored. In the image above, the report is stored in the TruSTAR Community enclave and is represented by the TruSTAR star logo.
  • An Observable node represents an indicator extracted from a specific Report. Observable nodes are represented with smaller icons specific to the data source.
  • A Tag node represents a tag applied to a Report or Observable and is visually depicted on the graph. Reports branching off the tag share the same tag, have one or more correlating Observables, and are present in the same timeline.

A Report node contains one or more Observable nodes. When two different Report nodes contain the same Observable, they are implicitly correlated to each other and you can see that connection in the lines between the Observables and the reports that contain them.

You can right-click on any item to see a four-part circular menu. Depending on the item, you can choose whatever items are not grayed out.

Details Panel

The details panel in Constellation view displays the Observable type, when it was last seen, the number of sightings (with a historical sightings graph), and which enclaves contain it. In addition, you can see the tags applied to the Observable, including MITRE ATT&CK tags.

The three dots in the upper right corner contain commands to:

  • Search for this Observable.
  • Whitelist this Observable.
  • Delete this Observable. You can only delete it if it is not referenced in any reports.

You can click the target icon next to Tags to view tags by enclave. You can add tags to this Observable by selecting a tag from the dropdown list for an enclave. Any tags you add will be visible to all members of the selected enclave and editable by all members of that enclave. Tags you add are immediately added to the Observable in that enclave; there is no Save action required.

Click the target icon next to or MITRE ATT&CK to view those tags by enclave. After making changes, click the Save button to commit the changes to the selected enclave.
