If you had to choose one visualization to aid you in your investigations what would it be?
Some thoughts on ideas:
- Nodal diagram
- Parallel Coordinates
- Heat Map
- Word Cloud
What is the main purpose for the visualization you chose?
- Helps understand relationships between events and meta
- Shows changes/abnormalities over time
- SOC Candy
Definitely the nodal diagram - long overdue... In many investigations it is beneficial to see the one-to-many or many-to-many relationships to help explain a scenario to those who are not so savvy in merely looking at meta-key/data only.
Also useful is the Heat Map like there is in the Malware module - however please add the option for any meta key to be analyzed & not limited to a predefined list of meta like there is today. This helps to more quickly differentiate where attention needs to be focused on / drilled into. It helps to identify outliers more quickly as well.
As for parallel coordinates - a good first start already exists - but I would like to see it expanded upon / made more robust. Perhaps adding a feature such as highlighting a session for a value (or line) that is clicked and then giving the option to drill into just that one session.
Timelining - another very useful feature as we can see events/sessions over time to help explain what happened in an investigation. While the basic session timelining exists from a meta view today, perhaps we could add other display options such as bar graphs, pie charts, etc. (without having to do so in the Reporting Engine as it adds extra steps --- maybe link the two?).
Visualizations are a huge value-add for Analysts and are inherently complementary to the Analytics / Investigative process --- especially for investigative reporting that almost always is requested in a true incident. Please continue making improvements in this area...excited to see what the future holds...
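As an added illustration of what the two visualizations above would be drawn from (this is example code, not part of the thread or of the product being discussed), the block below takes a handful of constructed session records and computes the one-to-many / many-to-many relationships a nodal diagram would plot, plus the per-value counts a heat map over an arbitrary meta key would colour, flagging the rare values as the outliers to drill into. The meta key names (ip.src, ip.dst, alias.host, service) are used only as labels, and all values are constructed.

```python
"""Added example, not code from the original thread or from the product it
discusses. It computes, from constructed session meta, the relationships a
nodal diagram would draw and the counts a heat map over any meta key would
colour, with the rare values flagged as outliers to drill into."""
from collections import Counter, defaultdict

# Constructed sample sessions: meta key -> value; key names are labels only.
SESSIONS = [
    {"ip.src": "10.0.0.5",  "ip.dst": "203.0.113.10", "alias.host": "cdn.example.net",    "service": "HTTP"},
    {"ip.src": "10.0.0.5",  "ip.dst": "203.0.113.10", "alias.host": "cdn.example.net",    "service": "HTTP"},
    {"ip.src": "10.0.0.5",  "ip.dst": "198.51.100.7", "alias.host": "update.example.org", "service": "HTTP"},
    {"ip.src": "10.0.0.9",  "ip.dst": "203.0.113.10", "alias.host": "cdn.example.net",    "service": "HTTP"},
    {"ip.src": "10.0.0.9",  "ip.dst": "192.0.2.44",   "alias.host": "login.example.com",  "service": "SSL"},
    {"ip.src": "10.0.0.12", "ip.dst": "192.0.2.44",   "alias.host": "login.example.com",  "service": "SSL"},
    {"ip.src": "10.0.0.12", "ip.dst": "203.0.113.77", "alias.host": "x7q.example.biz",    "service": "HTTP"},
]


def build_edges(sessions, left_key, right_key):
    """Weighted edge list between two meta keys: {left_value: Counter(right_value -> sessions)}.
    This is the data a nodal diagram draws; the edge weight is the session count."""
    edges = defaultdict(Counter)
    for s in sessions:
        if left_key in s and right_key in s:
            edges[s[left_key]][s[right_key]] += 1
    return edges


def fan_out(edges):
    """Left-side values with more than one neighbour: the one-to-many relationships."""
    return {left: sorted(rights) for left, rights in edges.items() if len(rights) > 1}


def shared_targets(edges):
    """Right-side values reached from more than one left-side value (many-to-one),
    e.g. one destination contacted by several internal hosts."""
    reverse = defaultdict(set)
    for left, rights in edges.items():
        for right in rights:
            reverse[right].add(left)
    return {right: sorted(lefts) for right, lefts in reverse.items() if len(lefts) > 1}


def heat_map(sessions, key):
    """Session count per value of an arbitrary meta key (any key, not a predefined
    list). A heat map colours each cell by this count."""
    return Counter(s[key] for s in sessions if key in s)


def rare_values(counts, max_share=0.2):
    """Values whose share of all sessions is below max_share: the cold cells of the
    heat map, which are usually the outliers worth a closer look."""
    total = sum(counts.values())
    return sorted(v for v, c in counts.items() if total and c / total < max_share)


if __name__ == "__main__":
    edges = build_edges(SESSIONS, "ip.src", "ip.dst")
    for left, rights in edges.items():
        for right, n in rights.items():
            print(f"{left} -> {right}  ({n} sessions)")
    print("one-to-many:", fan_out(edges))
    print("many-to-one:", shared_targets(edges))
    hosts = heat_map(SESSIONS, "alias.host")
    print("heat map:", dict(hosts), "outliers:", rare_values(hosts))
```

`build_edges` works for any pair of meta keys, so the same function feeds an ip.src to alias.host diagram or a service to ip.dst one; the 20% share threshold in `rare_values` is an arbitrary starting point that an analyst would tune to the size of the time window.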
I agree with everything that Mr Gassman said!
During investigations, I'm constantly working to find the answers to several questions:
Given an indicator "hit" from one IP address, what brought the user to that IP? (referrer, redirection, etc.)
And what did the system connect to after that "hit"?
Instead of the generic traffic volume graph that we have today, maybe annotate that graph with other meta.
Like I don't usually care that a user connected with Google or Akamai, but I'd care a lot if the user was redirected to Romania or Uzbekistan after the original IOC. So annotate those connections that may be related IOCs in the stream.
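The two questions in the post above (what brought the user to the hit, and what the host connected to afterwards) map to a small amount of logic over session meta. The following is an added example, not code from the thread or from the product: it walks the referer chain backwards from one indicator hit, then tags every connection the same source made within a window after it, so a traffic graph could mark the possibly related ones and leave CDN / search traffic unhighlighted. The sessions, the noise list and the `ioc-host.example` / `stage2.example` names are all constructed; the meta key names are labels only.

```python
"""Added example, not code from the original thread or from the product it
discusses. Given one indicator hit for a source IP, it returns the referrer
chain that led there and the tagged connections that followed, from
constructed session meta."""
from datetime import datetime, timedelta

# Constructed sessions for two internal hosts; meta key names are labels only.
SESSIONS = [
    {"time": "2024-01-01T10:00:00", "ip.src": "10.0.0.5", "alias.host": "search.example.com", "referer": None,                 "country.dst": "US"},
    {"time": "2024-01-01T10:00:05", "ip.src": "10.0.0.5", "alias.host": "cdn.example.net",    "referer": "search.example.com", "country.dst": "US"},
    {"time": "2024-01-01T10:00:09", "ip.src": "10.0.0.5", "alias.host": "news.example.org",   "referer": "search.example.com", "country.dst": "US"},
    {"time": "2024-01-01T10:00:10", "ip.src": "10.0.0.5", "alias.host": "ioc-host.example",   "referer": "news.example.org",   "country.dst": "ZZ"},
    {"time": "2024-01-01T10:00:11", "ip.src": "10.0.0.5", "alias.host": "cdn.example.net",    "referer": "ioc-host.example",   "country.dst": "US"},
    {"time": "2024-01-01T10:00:12", "ip.src": "10.0.0.5", "alias.host": "stage2.example",     "referer": "ioc-host.example",   "country.dst": "ZZ"},
    {"time": "2024-01-01T10:00:40", "ip.src": "10.0.0.5", "alias.host": "update.example.org", "referer": None,                 "country.dst": "US"},
    {"time": "2024-01-01T10:30:00", "ip.src": "10.0.0.5", "alias.host": "mail.example.com",   "referer": None,                 "country.dst": "US"},
    {"time": "2024-01-01T10:00:12", "ip.src": "10.0.0.9", "alias.host": "ioc-host.example",   "referer": None,                 "country.dst": "ZZ"},
]

# Constructed list of destinations the analyst does not want highlighted (the
# post's "Google or Akamai" case): still drawn on the graph, but tagged as noise.
NOISE_HOSTS = {"cdn.example.net", "search.example.com"}


def _t(iso):
    return datetime.fromisoformat(iso)


def annotate_hit(sessions, src_ip, ioc_host, window=timedelta(minutes=5)):
    """Referrer chain before the hit and tagged connections after it, for one source IP.
    Returns None when that source never reached ioc_host."""
    mine = sorted((s for s in sessions if s["ip.src"] == src_ip), key=lambda s: s["time"])
    hit_idx = next((i for i, s in enumerate(mine) if s["alias.host"] == ioc_host), None)
    if hit_idx is None:
        return None
    hit = mine[hit_idx]

    # Walk the referer chain backwards: each earlier session whose host matches the
    # current referer is the page that led to the next one.
    chain, ref = [], hit["referer"]
    for s in reversed(mine[:hit_idx]):
        if ref and s["alias.host"] == ref:
            chain.insert(0, s["alias.host"])
            ref = s["referer"]

    # Everything the host did within the window after the hit, tagged for the graph.
    after = []
    for s in mine[hit_idx + 1:]:
        if _t(s["time"]) - _t(hit["time"]) > window:
            break
        if s["alias.host"] in NOISE_HOSTS:
            tag = "noise"
        elif s["referer"] == ioc_host:
            tag = "redirect-from-ioc"   # the IOC page itself sent the browser here
        else:
            tag = "follow-on"           # same host, shortly after, no referer link
        after.append((s["alias.host"], s["country.dst"], tag))
    return {"brought_by": chain, "hit": ioc_host, "after": after}


def related_after(annotation):
    """Only the post-hit connections a graph should mark as possibly related."""
    return [a for a in annotation["after"] if a[2] != "noise"]


if __name__ == "__main__":
    result = annotate_hit(SESSIONS, "10.0.0.5", "ioc-host.example")
    print("brought by:", " -> ".join(result["brought_by"]), "->", result["hit"])
    for host, country, tag in result["after"]:
        print(f"  after: {host:22} {country}  [{tag}]")
```

The country.dst value is carried along as an annotation rather than used as a verdict: the post's point is that a destination change after an IOC is worth showing on the graph, and the tags here give the renderer something to colour without deciding for the analyst.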
I would like to see support for trending multiple values. For example, to right click on a signature meta for IPS alerts and have a different colored line for each signature value so I can understand the breakdown of multiple values over time.
That's just one example: click on IP protocol and see a different line/area for UDP/TCP/ICMP, threat source, service, ip.dst, etc. all could be useful to combine multiple values over a trending line.
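Trending several values of one meta key over time, as the post above describes for IPS signatures and IP protocols, comes down to bucketing records by time and keeping one counter series per distinct value. The block below is an added example, not code from the thread or from the product: it builds those aligned series from constructed alert records, computes the per-interval breakdown, and renders a small text chart. The records, the `sig-A`/`sig-B`/`sig-C` names and the 10-minute bucket are constructed; the meta key names are labels only.

```python
"""Added example, not code from the original thread or from the product it
discusses. It trends every value of one meta key over time (one series per
value) from constructed alert records and renders a small text chart."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed alert records; any key with a small value set (signature, ip.proto,
# service, threat.source, ...) can be trended the same way.
ALERTS = [
    {"time": "2024-01-01T10:01:00", "signature": "sig-A", "ip.proto": "TCP"},
    {"time": "2024-01-01T10:03:00", "signature": "sig-B", "ip.proto": "UDP"},
    {"time": "2024-01-01T10:07:00", "signature": "sig-A", "ip.proto": "TCP"},
    {"time": "2024-01-01T10:12:00", "signature": "sig-A", "ip.proto": "TCP"},
    {"time": "2024-01-01T10:18:00", "signature": "sig-B", "ip.proto": "UDP"},
    {"time": "2024-01-01T10:19:00", "signature": "sig-B", "ip.proto": "ICMP"},
    {"time": "2024-01-01T10:25:00", "signature": "sig-B", "ip.proto": "UDP"},
    {"time": "2024-01-01T10:27:00", "signature": "sig-C", "ip.proto": "TCP"},
]


def _bucket(ts, size):
    """Floor a naive ISO timestamp (treated as UTC) to the start of its bucket."""
    t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    step = int(size.total_seconds())
    return datetime.fromtimestamp(int(t.timestamp()) // step * step, tz=timezone.utc)


def trend(records, key, size=timedelta(minutes=10)):
    """Return (bucket_labels, {value: [count per bucket]}): one series per distinct
    value of `key`, with empty buckets filled with 0 so all series share one time axis."""
    if not records:
        return [], {}
    starts = [_bucket(r["time"], size) for r in records]
    first, last = min(starts), max(starts)
    n = int((last - first) / size) + 1
    series = defaultdict(lambda: [0] * n)
    for r, b in zip(records, starts):
        series[r[key]][int((b - first) / size)] += 1
    labels = [(first + i * size).strftime("%H:%M") for i in range(n)]
    return labels, dict(sorted(series.items()))


def breakdown(series, index):
    """Share of each value within one bucket: the per-interval breakdown of the values."""
    total = sum(s[index] for s in series.values())
    return {v: (s[index] / total if total else 0.0) for v, s in series.items()}


def render(labels, series):
    """Tiny text chart: one row per value, one column per bucket, bars of '#'."""
    rows = ["value".ljust(10) + "".join(l.ljust(8) for l in labels)]
    for value, counts in series.items():
        rows.append(value.ljust(10) + "".join(("#" * c).ljust(8) for c in counts))
    return "\n".join(rows)


if __name__ == "__main__":
    labels, sigs = trend(ALERTS, "signature")
    print(render(labels, sigs))
    print("breakdown in bucket", labels[1], breakdown(sigs, 1))
    print(render(*trend(ALERTS, "ip.proto")))
```

Because every series has the same length, a plotting library can draw them directly as stacked or overlaid lines; `breakdown` gives the proportions for a single interval, which is what a stacked-area view would show at one point on the axis.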