Top Tips for the Community Edition Analyst GUI

Tip 1: Start with the Query Metrics Widget

The general visualization approach is to highlight aggregated statistics.  For example:

  • the frequency/significance of entities & associations,
  • document & entity counts by hour/day/week or clustered by geo, etc.

Before diving into the graphical views, however, the Query Metrics widget is useful for getting an overview of the data and the ontology used to index entities and associations.

Bypass the initial 'Source' view and start with the 'Entities' or 'Associations' breakdowns.

The 'Entities' view lists all the different types of entities extracted from either the document metadata or the text using NLP (e.g. VulnerabilityCategory, OperatingSystem, PrivateDNS), along with their document counts.

The 'Associations' view lists the top-level "verb categories" that link entities (e.g. vulnerability_detected, affects, indicates).

When you find an entity/association of interest, click the add-to-query button to add it to the query, or the search button to run an external Google search on it.

Tip 2: Other useful widgets

Doc Viewer: View the individual documents/events and their metadata, ranked by score or date, along with a breakdown of entities, geotags, and associations.

    • Useful for analyzing specific documents once filtering or querying has reduced the dataset to manageable size.

Entity Significance: View the entities across all documents, ranked by score or frequency.

    • Useful for identifying the entities that are most common or significant within a dataset.

Map: Geographic display of geo-tagged documents and events, as well as locations mentioned in content.

    • Useful for visualizing the global distribution of a dataset.

Timeline: Shows documents and document counts over time.

    • Useful for viewing large volumes of aggregated log events.

Event Graph: Automated link analysis chart of associations.

    • Useful for identifying intersection points/nodes between entities.

Event Timeline: Displays timestamped associations between entities over time, including the start/end times of long running events

    • Useful for seeing the temporal aspect of associations (the event graph does not include time as a dimension).

Custom Map/Bar Graph Viewer: The equivalent of the "Entity Significance"/"Map" widgets but on the results of custom analytics generated from the Plugin Manager.

Tip 3: Using The Source Manager and Auto-complete

Community Edition's Community/Source data model allows you to query across multiple data silos at once, or to narrow a search to one single data source.

For more information, see Introduction to Visualization.  

Tip 4: "Show only" Widget vs. Workspace filtering

For in depth information concerning the difference between widget filtering and workspace filtering, see Common Functionality.

Tip 5: Common Use Cases for Dragging Between Widgets

The following widgets support drag & drop of entities and/or associations into the Case Visualizer OR into the query bar:

Also, the following widgets provide non-drag mechanisms for adding queries:

  • The Significance/Sentiment/Custom Bar Graph widgets let you press the "+" button in the header to add the currently selected entities/text to the query. Note that this differs from dragging: the "+" button "AND"s all selected terms together, whereas dragging "OR"s multiple terms.
  • The Map and Custom Map widgets let you drag a radius box on the map and then add that to the query.
  • The document and event timeline widgets let you select a time range and then use the "+" button in the header to add to the query.

Tip 6: Exporting data as text or images

For more information, see "Export Options" in section Workspace.

Tip 7: Saving your work using the Case Visualizer and Case Manager

The Case Visualizer provides a blank canvas for dragging and dropping entities and documents from the other visualization tools to develop a link analysis diagram.

For more information, see section Case Visualizer (Enterprise).