Blog How to Read TruSTAR Graphs

How to Read TruSTAR Graphs

At TruSTAR we are constantly trying to make incident exchange and collaboration easier for security operators and analysts. The top priority for security operators using the TruSTAR platform is to enrich incidents they are investigating and find relevant, actionable correlations with other reports.

To that effect our data science team has made intuitive graph visualizations and reporting a cornerstone of our platform. In this blog we discuss how to use TruSTAR’s graph capabilities for improving your analysis.

Reports and Indicators of Compromise (IoC)

Data submitted to TruSTAR is converted into a graph data model users can easily manipulate and explore (see image below). We call TruSTAR graphs “Constellations.” All of our data can be categorized into two node types : Report and IoC.

  • A Report node represents information collected from a number of different sources, including user-reported incidents, and paid/open source threat data feeds. Report nodes are represented with the blue TruSTAR icon.
  • An IoC node represents all indicators extracted from a specific Report. IoC nodes are represented with smaller icons specific to the data source.

So, effectively, you can say that a Report node contains one or more IoC nodes. When two different Report nodes contain the same indicators they are implicitly correlated to each other.

TruSTAR Constellation showing Reports, IoC’s and correlations between them.

How To Read TruSTAR Graphs

In the above graph all the blue nodes are Reports submitted to TruSTAR. You can see that multiple Reports are connected through an IoC.

Intuitively this tells you that this cluster is enriching the Report in the center with the white star. We also pull information from other intelligence sources, like VirusTotal, Facebook ThreatExchange and number of OSINT feeds (see full list below). These are also shown on the graph if there is a correlation with any of these sources.

On the TruSTAR platform you can click on the various Reports and read the underlying data context to better understand these connections. We currently use 11 types of IoC’s to derive correlations among reports. In essence, if a report you submit has any of these 11 types of IoC’s our platform will be able to use them for correlation. Below is a full list of icons that are represented on our visualization.

Constellation Icons

Additional Analysis Capabilities

We also allow you to drill down on a specific Report node by double clicking on it. There is a timeline filter which allows you to specify the time period of interest for your analysis. You can delete specific nodes from the visualization and undo your actions.

We are just starting to scratch the surface when it comes to visualization analysis of security data. Over the next few months we will be rolling out more capabilities to drive intuitive visual analysis. Log into TruSTAR and try out what we have to offer today.

Unveiling Our New Blockchain Research Tool at Black Hat Arsenal and DEF CON Recon Village 2018 Las Vegas, Aug. 06, 2018 (GLOBE NEWSWIRE) — The data science team behind TruSTAR will be presenting the only blockchain research tool selected for ... Read More
We've Made It Easier For You To Find High-Priority Indicators Today we’re announcing a major update to our IOC management feature to help security teams identify high-priority indicators while investigating ... Read More
Improve Efficiency of Intelligence Analysis Using IOC Management Feature Cyber observables and IOCs are the building blocks of intelligence analysis. They're critical to making accurate decisions throughout the ... Read More
Introducing TruSTAR’s New Source Scoring Model Having confidence in your intelligence sources is essential to running successful security operations. But measuring the effectiveness of how your ... Read More