
How to Read TruSTAR Graphs

At TruSTAR we are constantly trying to make incident exchange and collaboration easier for security operators and analysts. The top priority for security operators using the TruSTAR platform is to enrich incidents they are investigating and find relevant, actionable correlations with other reports.

To that effect our data science team has made intuitive graph visualizations and reporting a cornerstone of our platform. In this blog we discuss how to use TruSTAR’s graph capabilities for improving your analysis.

Reports and Indicators of Compromise (IoC)

Data submitted to TruSTAR is converted into a graph data model that users can easily manipulate and explore (see image below). We call TruSTAR graphs “Constellations.” All of our data can be categorized into two node types: Report and IoC.

  • A Report node represents information collected from a number of different sources, including user-reported incidents and paid or open-source threat data feeds. Report nodes are represented with the blue TruSTAR icon.
  • An IoC node represents all indicators extracted from a specific Report. IoC nodes are represented with smaller icons specific to the data source.

So, effectively, you can say that a Report node contains one or more IoC nodes. When two different Report nodes contain the same indicators they are implicitly correlated to each other.

TruSTAR Constellation showing Reports, IoC’s and correlations between them.

How To Read TruSTAR Graphs

In the above graph all the blue nodes are Reports submitted to TruSTAR. You can see that multiple Reports are connected through an IoC.

Intuitively this tells you that this cluster is enriching the Report in the center with the white star. We also pull information from other intelligence sources, like VirusTotal, Facebook ThreatExchange and a number of OSINT feeds (see full list below). These are also shown on the graph if there is a correlation with any of these sources.
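The Report/IoC model described above, worked through as an added example (this is illustrative code, not TruSTAR's implementation): Reports and the indicators extracted from them form a bipartite graph, two Reports are implicitly correlated when they share an indicator, and the cluster around a chosen Report is simply its correlated neighbours, optionally restricted to a submission-date window like the timeline filter. Report ids, dates and indicator values are constructed placeholders.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data (not TruSTAR data): report id -> (ISO submission date, extracted IoCs).
# ISO date strings sort chronologically, so plain string comparison works for the time window.
REPORTS = {
    "R1": ("2019-09-02", {"198.51.100.7", "c2.example.test", "hash-A"}),
    "R2": ("2019-09-05", {"198.51.100.7", "hash-B"}),
    "R3": ("2019-09-09", {"c2.example.test", "hash-A", "203.0.113.9"}),
    "R4": ("2019-08-01", {"203.0.113.9"}),
    "R5": ("2019-09-10", {"hash-Z"}),  # shares nothing: an isolated Report node
}


def ioc_index(reports):
    """Invert the Report -> IoC edges so each indicator lists the Reports containing it."""
    index = defaultdict(set)
    for rid, (_, iocs) in reports.items():
        for ioc in iocs:
            index[ioc].add(rid)
    return index


def correlations(reports):
    """Implicit correlations: every pair of Reports that share at least one IoC.
    Returns {(a, b): {shared indicators}} with a < b so each pair appears once."""
    pairs = defaultdict(set)
    for ioc, rids in ioc_index(reports).items():
        for a, b in combinations(sorted(rids), 2):
            pairs[(a, b)].add(ioc)
    return dict(pairs)


def enrichment_cluster(reports, center, since=None, until=None):
    """Reports connected to `center` through a shared IoC, i.e. the cluster that enriches it.
    `since`/`until` (ISO dates) mimic the timeline filter on submission date."""
    _, center_iocs = reports[center]
    cluster = {}
    for rid, (submitted, iocs) in reports.items():
        if rid == center:
            continue
        if (since and submitted < since) or (until and submitted > until):
            continue
        shared = center_iocs & iocs
        if shared:
            cluster[rid] = shared
    return cluster


if __name__ == "__main__":
    for pair, shared in sorted(correlations(REPORTS).items()):
        print(pair, "correlated via", sorted(shared))
    print("cluster around R1:", enrichment_cluster(REPORTS, "R1"))
```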

On the TruSTAR platform you can click on the various Reports and read the underlying data context to better understand these connections. We currently use 11 types of IoCs to derive correlations among reports. In essence, if a report you submit has any of these 11 types of IoCs, our platform will be able to use them for correlation. Below is a full list of icons that are represented on our visualization.

Constellation Icons

Additional Analysis Capabilities

We also allow you to drill down on a specific Report node by double-clicking on it. There is a timeline filter which allows you to specify the time period of interest for your analysis. You can delete specific nodes from the visualization and undo your actions.

We are just starting to scratch the surface when it comes to visualization analysis of security data. Over the next few months we will be rolling out more capabilities to drive intuitive visual analysis. Log into TruSTAR and try out what we have to offer today.
