Storyboard
### Purpose and Audience

This section contains a walk-through of the Storyboard analyst view. The intended audience is Security Analysts responsible for reviewing the results for potential threats.

### Walk-through
1. Select the option Flow > Storyboard from the Open Network Insight menu.
2. Your view should look something like this, depending on the IPs you have analyzed in the Threat Analysis for that day. You can select a different date from the calendar.
3. Review the results:
#### Executive Threat Briefing

Data source file: threats.csv

Executive Threat Briefing lists all the incident titles you entered in the Threat Investigation notebook. Click any title to display its additional information.

Clicking a threat in the list also updates the other frames.
#### Incident Progression

Data source file: dendro-<ip>.json

Frame located in the top right of the Storyboard web page.

Incident Progression displays a tree graph (dendrogram) detailing the types of connections that make up the activity related to the threat. When network context is available, the graph adds an extra level that breaks down each type of connection into detailed context.
#### Impact Analysis

Data source file: stats-<ip>.json

Impact Analysis displays a horizontal bar graph of the number of inbound, outbound and two-way connections found to be related to the threat. Clicking any bar in the graph breaks that count down by its context.
#### Map View | Globe

Data source file: globe_<ip>.json

The Map View Globe is only created if you have a geolocation database. It represents the detected communication on a global scale, using the geolocation data of each IP to draw lines on the map showing the flow of the data.
#### Timeline

Data source file: sbdet-<ip>.json

The Timeline is built from the connections found during the Threat Investigation process. It displays 'clusters' of inbound connections to the IP, grouped by time, giving an overall picture of the times of day with the most activity. You can zoom the graph's timeline in or out with your mouse scroll wheel.
### Input files

- threats.csv
- threat-dendro-${id}.json
- stats-${id}.json
- globe-${id}.json
- sbdet-${id}.tsv