The SOC.OS cluster visualisation allows an analyst to quickly understand the high-level overview of an alert cluster. Once an analyst understands the overall picture, the visualisation enables fast access to key details. It is designed to mimic how an experienced cybersecurity analyst thinks about an incident, joining the dots between:
This tutorial illustrates how to interpret a cluster visualisation.
The following image is an example of a cluster visualisation:
It can be broken down into 4 components: the internal entities, the external entities, the alert timeline and the navigation bar.
Combined, these components offer an analyst the ability to understand all aspects of the cluster in a time-based view.
Internal entities are the entities which an analyst is defending and has control over. Entities include (but aren't limited to) IP addresses, hostnames, file hashes and email addresses.
Note that internal entities can include both private and public IP addresses - for example, an analyst might want to defend a public-facing load balancer which has a public IP address. As that public IP address is under the control of the analyst, it is classed as an internal entity.
If an entity has been tagged through custom enrichment, colour-coded tags will be displayed next to these entities. This allows an analyst to quickly identify critical assets.
Entities are ordered by, and display, the number of alerts they appear in. The height of the entity bar reflects this alert count. Only alerts currently in view in the timeline are counted.
The internal entities will therefore change as the user scrolls through time, showing the most relevant relationships for the alerts in view:
Clicking on an entity will display that entity's attributes. This will contain threat intelligence and enrichment information for that entity, if it is available.
Hovering over or clicking internal entities will also highlight the related alerts and external entities.
External entities are the entities which an analyst is not defending and has no control over. Entities include (but aren't limited to) IP addresses, hostnames, file hashes and email addresses. For example, these entities might include phishing email addresses, command & control servers or file exfiltration locations.
If an entity has been tagged through custom enrichment, colour-coded tags will be displayed next to these entities. This allows an analyst to quickly identify critical assets.
Entities are ordered by, and display, the number of alerts they appear in. The height of the entity bar reflects this alert count. Only alerts currently in view in the alert timeline are counted.
Clicking on an entity will display that entity's attributes. This will contain threat intelligence and enrichment information for that entity, if it is available.
Hovering over or clicking external entities will also highlight the related alerts and internal entities.
The Alert timeline is a time-based summary of the alerts which connect entities.
When an alert is processed by SOC.OS, it is classified within the MITRE ATT&CK® techniques and tactics matrix. These correspond to the swimlanes of the alert timeline, with the techniques and tactics displayed as acronyms at both ends of the bar.
The alert timeline is then split into time increments - hours, days, weeks or months - depending on the selected option.
Within each time range is a bar showing the number of alerts which fall into that range, as well as which MITRE ATT&CK® swimlane they fall within. These alert bars are connected to their associated internal and external entities. Clicking the alert count bar shows all the alerts which fall into that threat type and time period.
Clicking alert bars will also highlight the related internal and external entities.
The threat bar is closely linked with the histogram shown underneath the visualisation.
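As an added illustration (not SOC.OS code; the alert field names and the sample alerts are constructed assumptions), the following Python models how the entity bars and alert-count bars described above are derived from the alerts in view: entities are ranked by the number of in-view alerts they appear in, alerts are bucketed into tactic/technique swimlanes per time increment, and hovering an entity resolves the alerts and entities it is connected to.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not SOC.OS data). Each alert joins internal and
# external entities and carries the MITRE ATT&CK tactic/technique it was
# classified into. The field names are assumptions for this illustration.
ALERTS = [
    {"ts": "2023-05-01T09:15:00", "tactic": "TA0001", "technique": "T1566",
     "internal": ["mail-gw-01"], "external": ["sender@example.invalid"]},
    {"ts": "2023-05-01T09:40:00", "tactic": "TA0002", "technique": "T1204",
     "internal": ["ws-042"], "external": ["203.0.113.10"]},
    {"ts": "2023-05-01T10:05:00", "tactic": "TA0011", "technique": "T1071",
     "internal": ["ws-042"], "external": ["203.0.113.10"]},
    {"ts": "2023-05-01T10:30:00", "tactic": "TA0011", "technique": "T1071",
     "internal": ["ws-042"], "external": ["203.0.113.10"]},
    {"ts": "2023-05-02T14:00:00", "tactic": "TA0010", "technique": "T1048",
     "internal": ["ws-042", "fileserver-01"], "external": ["198.51.100.7"]},
]

def in_view(alerts, start, end):
    """Alerts whose timestamp falls inside the [start, end) window in view."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [a for a in alerts if lo <= datetime.fromisoformat(a["ts"]) < hi]

def rank_entities(alerts, side):
    """Entities on one side ('internal' or 'external') ordered by how many of
    the in-view alerts they appear in: the order and height of the entity bars."""
    counts = Counter(e for a in alerts for e in a[side])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def swimlanes(alerts, increment=timedelta(hours=1)):
    """Bucket alerts by (tactic, technique) swimlane and time increment.
    Each value is the height of one alert-count bar in the timeline."""
    epoch = datetime(1970, 1, 1)
    bars = defaultdict(int)
    for a in alerts:
        t = datetime.fromisoformat(a["ts"])
        bucket = epoch + ((t - epoch) // increment) * increment
        bars[(a["tactic"], a["technique"], bucket.isoformat())] += 1
    return dict(bars)

def related(alerts, entity):
    """Hover/click highlight: the alerts an entity appears in and the other
    entities those alerts connect it to."""
    hits = [a for a in alerts if entity in a["internal"] + a["external"]]
    others = {e for a in hits for e in a["internal"] + a["external"] if e != entity}
    return hits, sorted(others)
```

Narrowing the window to the first day drops fileserver-01 from the internal entity list entirely, which is the scrolling behaviour the tutorial describes.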
The navigation bar allows the visualisation to be adjusted to show only the information required by the analyst.
The visualisation can be filtered by custom enrichment tags shown on the left, allowing an analyst to determine which alerts relate to critical assets.
The centre Data View button will switch the visualisation to a tabular representation of the cluster. This can be helpful for drilling down into the alert data. For particularly complex clusters, the Data View is shown by default.
Legend, zoom and recentre tools are available on the right.