The SOC.OS Histogram allows you to see the progression or development of an alert cluster over time.
The SOC.OS cluster visualisation includes a threat bar, which segments alerts into a time-banded view (Hour, Day, Week or Month), showing how many alerts of each MITRE ATT&CK threat type fall in each time period.
The histogram shows this at a more granular level.
From the time that the alerts in this cluster were first generated, to the time of the most recently correlated alerts, the histogram shows us both the frequency and volume of alerts coming in.
You can use your cursor to select a period of time on the histogram, and drag this window across to alter the period shown in the visualisation. The visualisation reflects the time period selected on the histogram, filtering your view of the cluster to show only alerts generated in the selected time frame.
By default, the histogram view will show the volume of alerts received per time period:
You can alternatively view the histogram by alert score, by selecting the second tab:
Viewing by alert score allows you to easily filter out the persistent low-value, high-frequency alerts (e.g. blocked alerts), and focus on when important alerts have been received and correlated to the cluster.
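As an added illustration of what the threat bar and the two histogram views compute (example code written for this page, not SOC.OS's own code), the following Python bins a constructed alert cluster into Hour/Day/Week/Month bands, produces both the volume view and the alert-score view, and filters the cluster to a dragged time window. The `Alert` fields, the per-alert score range, and the ATT&CK technique ids in the sample cluster are assumptions; SOC.OS's actual data model is not shown on the page.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


# Hypothetical alert record (assumption): SOC.OS's real schema is not on the page.
@dataclass(frozen=True)
class Alert:
    ts: datetime      # time the alert was generated
    technique: str    # MITRE ATT&CK technique id (constructed values below)
    score: int        # per-alert score assigned at ingest (assumed 0-100)


def band_start(ts: datetime, band: str) -> datetime:
    """Truncate a timestamp to the start of its Hour/Day/Week/Month band."""
    if band == "hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if band == "day":
        return day
    if band == "week":
        return day - timedelta(days=day.weekday())  # Monday-based weeks
    if band == "month":
        return day.replace(day=1)
    raise ValueError(f"unknown band {band!r}")


def histogram(alerts: List[Alert], band: str = "hour", by: str = "volume") -> Dict[str, int]:
    """Bucket alerts into time bands.

    by="volume": bar height is the number of alerts in the band (default view).
    by="score":  bar height is the summed alert score, so a few high-value alerts
                 stand out above many low-value blocked ones (second tab).
    """
    if by not in ("volume", "score"):
        raise ValueError(f"unknown view {by!r}")
    buckets: Counter = Counter()
    for a in alerts:
        key = band_start(a.ts, band).isoformat()
        buckets[key] += 1 if by == "volume" else a.score
    return dict(sorted(buckets.items()))


def select_window(alerts: List[Alert], start: str, end: str) -> List[Alert]:
    """Alerts inside the [start, end) window dragged across the histogram (ISO-8601 bounds)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [a for a in alerts if lo <= a.ts < hi]


def threat_bar(alerts: List[Alert], band: str = "day") -> Dict[str, Counter]:
    """Per band, count alerts by ATT&CK technique (the cluster's threat bar)."""
    out: Dict[str, Counter] = {}
    for a in alerts:
        out.setdefault(band_start(a.ts, band).isoformat(), Counter())[a.technique] += 1
    return out


# Constructed sample cluster: a morning of repeated blocked brute-force attempts
# (low score) with two higher-value alerts correlated into the same cluster.
_T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_CLUSTER = [
    Alert(_T0 + timedelta(minutes=5), "T1110", 5),    # blocked, low value
    Alert(_T0 + timedelta(minutes=20), "T1110", 5),
    Alert(_T0 + timedelta(minutes=40), "T1110", 5),
    Alert(_T0 + timedelta(minutes=70), "T1110", 5),
    Alert(_T0 + timedelta(minutes=90), "T1059", 80),  # high value, lower frequency
    Alert(_T0 + timedelta(minutes=135), "T1021", 70),
    Alert(_T0 + timedelta(minutes=170), "T1110", 5),
]


if __name__ == "__main__":
    print("volume by hour:", histogram(SAMPLE_CLUSTER, "hour", "volume"))
    print("score by hour: ", histogram(SAMPLE_CLUSTER, "hour", "score"))
    window = select_window(SAMPLE_CLUSTER, "2024-01-01T10:00", "2024-01-01T11:00")
    print("alerts in dragged 10:00-11:00 window:", [a.technique for a in window])
    print("threat bar by day:", threat_bar(SAMPLE_CLUSTER, "day"))
```

Run stand-alone, the volume view reports 3, 2 and 2 alerts for the 09:00, 10:00 and 11:00 bands, while the score view reports 15, 85 and 75: the busiest hour is the least interesting one, which is the filtering effect the alert-score tab is meant to give you.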