Navigate a Visualization
The TruSTAR visualization provides analysts with a quick overview of the relationships between various reports and data sources available to them in the TruSTAR platform. The correlations are formed when reports share the same IOCs. This document explains how to navigate the visualization and refine it.
The top part of the visualization consists of the timeline slider. The timeline allows the user to limit the date range of a given threat in view. To adjust the time range, click and hold one of the end caps and slide to the desired point. You can also select one of the predefined date ranges or create your own by selecting the Date Range selector.
The timeline also shows a histogram (yellow bars) of the correlations that occurred on each day. Using this histogram, you can quickly identify the days on which a high number of correlations occurred.
Below the timeline slider you can see the visualization of the correlations between reports and IOCs.
There are two types of nodes in the graph: IOC nodes and Report nodes.
Report nodes are larger and IOC nodes are smaller. Two report nodes can only be connected if they have 1 or more IOC nodes in common.
Right-clicking a node opens shortcut options for:
IOCs extracted from a report can be easily identified on the graph visualization. An IOC selected in the report's IOCs is shown more prominently and highlighted on the graph for easy identification.
Navigate to the IOCs extracted from a report and select your preferred IOC to highlight it on the graph.
Selecting this option in the top toolbar will export a CSV listing all the IOCs present in the graph visualization with the following values as columns:
- IOC Type
- i.e. IP address
- i.e. 188.8.131.52
This allows the user to selectively hide IOCs, Sources and Tags that are not relevant to their analysis.
Users can use these controls to undo, redo or refresh the visualization. If you refresh, you will go back to the original graph.