[FR] Improve and make Graph view interactive
Currently I think the graph view is not reaching the potential it could be. It is now focused on timeline events that are manually added by hand and that are certainly related to the incident. I think however that it should be used as a tool during the investigation and not after the investigation is over to look back at everything that happened.
Currently there is no way to interact with the assets and their related timeline events. The only view is a global view of all events (with the "show in graph" checkmark selected, of course). To give a better picture of what I mean, I have some example ideas:
- Don't display all relations/events in the graph. Let the user pick and/or query for a starting view (e.g. I want all events/assets with this specific tag or IOC). Then let the user select assets in the graph and, with a click of a button or a double click, let the graph show all other assets connected to them through the timeline. I think this will benefit the usability of the graph, especially if the timeline has a lot of events in it (possibly unrelated to the incident).
- Make quick edits from the Graph view. It would be nice to be able to select/right-click an asset and quickly, for example, add/edit tags or add/remove IOCs from it.
- Make multiple "views" or "tabs" of different graphs with different queries, which can be saved by the analysts. For example, a view which shows all relations/events with the tag "High confidence", i.e. all events that are highly likely to be related to the case, which analysts can view to try to find gaps they need to fill in. Or, for example, a view with only IOC-related events/assets. This can be used to get a picture of how many assets were affected by each specific IOC.
I can imagine it will be quite hard to integrate these features (especially the first idea) with a SQL based setup, however I think it will greatly benefit the usability and the potential worth of the Graph view.
Would love to hear what you all think!
Hi @DevJoost
We absolutely agree that the graph isn't reaching its full potential. It is currently in a very early version and is intended to improve; it's almost only a gimmick for now.
All your proposals to improve it are really nice! It's kind of similar to the VT graph, and could surely be really helpful. As you said, we could reuse the same query system currently in place in the timeline filters to generate a starting view, and then offer the possibility to expand/reduce/hide/delete nodes by letting the user interact with them. I really like the idea.
We need to see how to implement that, especially on the UI/UX side. The relations between all case objects are actually already in the DB, so it's just a matter of querying. The visjs framework used for the graph seems to handle click events on nodes, so we should be able to handle interactions with them. The only issue for now, not only related to the graph though, is how the tags are implemented. It's currently a dirty solution where all tags are stored in a single string in each object and just split and presented as tags client side. That's the least effective thing to do and it complicates searching in them. We'll need to switch at some point.
Nevertheless, thanks for the ideas, we'll definitely look into this; and if you have any code insight or drafts, don't hesitate to submit them too! 👍
Cheers
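As an added illustration of the interaction the thread discusses (a starting view selected by tag or IOC, then expanding connected assets when the analyst double-clicks a node, plus the "assets affected per IOC" count from the third idea), the following is example code written for this issue, not code from the IRIS project. It models the data in memory and produces node/edge arrays in the `{id, label, group}` / `{from, to}` shape that vis-network `DataSet`s accept; the events, assets, IOCs and the comma-separated tag string are all constructed, and `splitTags` reflects the interim single-string tag storage mentioned in the reply. Only the double-click handler at the end assumes a vis-network `Network` object exists in a browser.

```javascript
// Constructed sample timeline: each event references assets and IOCs, and
// stores its tags as one comma-separated string (the interim scheme from the thread).
const EVENTS = [
  { id: 1, title: "Phishing mail received",   tags: "initial-access,High confidence", assets: ["WS-01"],            iocs: ["evil.example"] },
  { id: 2, title: "Macro executed",           tags: "execution,High confidence",      assets: ["WS-01"],            iocs: ["sha256:aaaa"] },
  { id: 3, title: "Lateral movement via SMB", tags: "lateral-movement",               assets: ["WS-01", "SRV-01"],  iocs: [] },
  { id: 4, title: "Service account on DC",    tags: "High confidence",                assets: ["SRV-01", "DC-01"],  iocs: ["svc_backup"] },
  { id: 5, title: "Unrelated software update",tags: "noise",                          assets: ["WS-02"],            iocs: [] },
];

// Split the single tag string into individual tags (what the client does today).
function splitTags(tagString) {
  return tagString.split(",").map(t => t.trim()).filter(Boolean);
}

// Starting view: only the events matching the analyst's tag and/or IOC query.
function startingView(events, { tag, ioc } = {}) {
  return events.filter(ev =>
    (tag === undefined || splitTags(ev.tags).includes(tag)) &&
    (ioc === undefined || ev.iocs.includes(ioc)));
}

// Turn a set of events into vis-network style nodes and edges.
// Node ids are prefixed by kind so an asset and an IOC with the same name never collide.
function buildGraph(events) {
  const nodes = new Map();
  const edges = [];
  for (const ev of events) {
    const evId = `event:${ev.id}`;
    nodes.set(evId, { id: evId, label: ev.title, group: "event" });
    for (const a of ev.assets) {
      nodes.set(`asset:${a}`, { id: `asset:${a}`, label: a, group: "asset" });
      edges.push({ from: evId, to: `asset:${a}` });
    }
    for (const i of ev.iocs) {
      nodes.set(`ioc:${i}`, { id: `ioc:${i}`, label: i, group: "ioc" });
      edges.push({ from: evId, to: `ioc:${i}` });
    }
  }
  return { nodes: [...nodes.values()], edges };
}

// Expansion step: given the clicked node, pull in every event that references
// that asset or IOC. Returns the new visible event list (order by event id).
function expandNode(allEvents, visibleEvents, nodeId) {
  const sep = nodeId.indexOf(":");
  const kind = nodeId.slice(0, sep);
  const name = nodeId.slice(sep + 1);
  const visible = new Map(visibleEvents.map(ev => [ev.id, ev]));
  for (const ev of allEvents) {
    const hit = (kind === "asset" && ev.assets.includes(name)) ||
                (kind === "ioc" && ev.iocs.includes(name));
    if (hit) visible.set(ev.id, ev);
  }
  return [...visible.values()].sort((a, b) => a.id - b.id);
}

// Third idea from the request: how many distinct assets each IOC touched.
function assetsPerIoc(events) {
  const byIoc = new Map();
  for (const ev of events) {
    for (const i of ev.iocs) {
      if (!byIoc.has(i)) byIoc.set(i, new Set());
      ev.assets.forEach(a => byIoc.get(i).add(a));
    }
  }
  return Object.fromEntries([...byIoc].map(([i, s]) => [i, s.size]));
}

// Browser wiring (assumes a vis-network `network` and `DataSet`s exist; not run here):
// let visible = startingView(EVENTS, { tag: "High confidence" });
// network.on("doubleClick", params => {
//   if (!params.nodes.length) return;
//   visible = expandNode(EVENTS, visible, params.nodes[0]);
//   const g = buildGraph(visible);
//   nodesDataSet.update(g.nodes);
//   edgesDataSet.update(g.edges);
// });
```

Because `expandNode` only ever adds events that share a clicked asset or IOC with the current view, unrelated noise (event 5 above) stays out of the graph until the analyst explicitly walks to it, which is the point of the first idea in the request.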