Viewing Results

When DarkLight processes ingested information through a PRO Playbook, its output appears in the Working Memory view, grouped by type. Several other views combine to show the full details of each event.

Several views work together to provide the full picture about a single event. The Working Memory view contains lists of PRO Output Types and indicates how many items are in each type. Clicking on a working memory type loads those events into the Results view where they can be sorted by any column. Clicking on a single event populates the tabular Results view, the graphical Results Graph view, and the time-based Results Chart view.

The Working Memory view contains lists of events that have been processed by PROs. Each list name refers to the output type (class) of a PRO. The number in parentheses after the type indicates the number of events in that list.

To view the events within a list, click on the list name. This will load all of the events containing that type into the Results view. To view multiple lists at once, Shift-click to select all items between the selected one and the clicked one. Use the Control (Windows) or Command (OS X) key to toggle non-consecutive items on or off.

The list can be organized into sections by making sub-classes in the ontology editor.

If the list is very long you can type in the filter box and the list will be reduced to only the types that match what you have entered. This is a very fuzzy, case-insensitive search. To return to the full list, clear any text out of this box with the delete key.

To clear all of the events in Working Memory, choose Clear All Working Memory from the menu.

To clear events containing a single type in Working Memory, right-click on the list name and choose Clear.

To export events of a certain type, select the type and choose Export Selected. Note that this is limited to a few thousand events. Larger exports may cause DarkLight to run out of memory.

To import events exported from Working Memory, choose Import Data from the menu and select a .dlw.trig or .trig file. See also: Restoring from the Backup Database

Important Note About Types

Each event can have multiple types attached to it as it progresses through the PROs. Use caution when clearing types from Working Memory because it will clear any event that includes that type. In this example, if you were to clear the IPS-CVE-Fltr events, the IPS-CVE events would also be cleared because they are a subset.

You can see which Types an event is associated with in the Results Summary and Results Graph with the More Info icon active.
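The following is an added example, not DarkLight code, that models the behaviour described in the note above: each event carries the set of types attached to it by successive PROs, the Working Memory count for a type covers every event that includes that type, and Clear removes every such event. The type names mirror the note; the events themselves are constructed sample data.

```python
"""Working Memory type lists and the effect of Clear on multi-typed events.

Added example, not DarkLight code. Events accumulate types as they pass
through PROs, so one event can appear in several Working Memory lists.
"""
from collections import Counter

# Constructed sample events: each carries the types added by successive PROs.
WORKING_MEMORY = [
    {"id": "ev1", "types": {"IPS-CVE"}},
    {"id": "ev2", "types": {"IPS-CVE", "IPS-CVE-Fltr"}},
    {"id": "ev3", "types": {"IPS-CVE", "IPS-CVE-Fltr"}},
    {"id": "ev4", "types": {"Attributable"}},
]


def type_counts(events):
    """Per-type counts, as shown in parentheses after each Working Memory list."""
    counts = Counter()
    for ev in events:
        counts.update(ev["types"])
    return dict(counts)


def clear_type(events, type_name):
    """Clear on a list: drop every event that includes the type, whatever else it carries."""
    return [ev for ev in events if type_name not in ev["types"]]


def events_of_types(events, *type_names):
    """Load the selected list(s) into the Results view (single or multi-select)."""
    wanted = set(type_names)
    return [ev for ev in events if ev["types"] & wanted]


def clear_filtered_events():
    """Clear IPS-CVE-Fltr and report the counts before and after."""
    before = type_counts(WORKING_MEMORY)
    after = type_counts(clear_type(WORKING_MEMORY, "IPS-CVE-Fltr"))
    return before, after


if __name__ == "__main__":
    before, after = clear_filtered_events()
    print("before:", before)  # IPS-CVE has 3 events, IPS-CVE-Fltr has 2
    print("after: ", after)   # IPS-CVE drops to 1: the two filtered events are gone
```

Running it shows the IPS-CVE count falling from 3 to 1 when only IPS-CVE-Fltr is cleared, because the two events in the filtered list also carry the IPS-CVE type.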

The Results view is a table of data that shows all of the events from the selected Working Memory or Contextual Memory types, as detailed above. Each row in this table is a separate event or object that was published by one or more playbooks.

Click on any individual row in the table to load the details associated with that event into the Results Summary and Results Graph views.

You can also click on any category of Contextual Data (e.g., Employees), load them into the Results View, and set custom columns. As with an event, clicking on an individual item will load its details into the Summary and Graph views.

Choosing Columns in the Results View Table

Use the Choose Columns button to add data properties as columns for each type of data. TIP: If you click Choose Columns before you select anything in Working Memory, you can set the default columns for all of the types.

Sorting and Arranging Columns

Columns in the Results View can be sorted by clicking a column header and rearranged by dragging the header to a new location. The sort and column positions are stored per type, just like the column definitions.

For sorting, DarkLight allows you to sort on multiple columns by using the Control key on your keyboard.

  • Click a column header: Sort by that column.
  • Click a sorted header: Reverse the sort direction.
  • Control-Click a column header: Add that column as a secondary sort (up to 5).
  • Control-Click a sorted header: Remove that column from sorting.
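As an added example (not DarkLight code), the header-click rules above implemented as a small sort state applied to constructed sample rows. Two points are assumptions: a plain click on a header that is already part of a multi-column sort flips only that column's direction, and a plain click on any other header resets the sort to that single column.

```python
"""Multi-column sort state, modelled on the Results view header clicks.

Added example, not DarkLight code. Sample rows are constructed.
"""
from dataclasses import dataclass, field

MAX_SORT_COLUMNS = 5  # documented cap on sort columns


@dataclass
class SortState:
    # Ordered (column, descending) pairs; index 0 is the primary sort.
    keys: list = field(default_factory=list)

    def click(self, column, ctrl=False):
        sorted_cols = [c for c, _ in self.keys]
        if not ctrl:
            if column in sorted_cols:
                # Click a sorted header: reverse that column's direction.
                self.keys = [(c, (not d) if c == column else d) for c, d in self.keys]
            else:
                # Click a column header: sort by that column only (assumption: resets others).
                self.keys = [(column, False)]
        elif column in sorted_cols:
            # Control-click a sorted header: remove it from the sort.
            self.keys = [k for k in self.keys if k[0] != column]
        elif len(self.keys) < MAX_SORT_COLUMNS:
            # Control-click an unsorted header: add it as the next secondary sort.
            self.keys.append((column, False))
        return self

    def apply(self, rows):
        # Python's sort is stable: sorting by the least significant key first
        # and the primary key last gives the multi-column ordering.
        ordered = list(rows)
        for column, descending in reversed(self.keys):
            ordered.sort(key=lambda r: r[column], reverse=descending)
        return ordered


# Constructed sample rows standing in for events in the Results view.
SAMPLE_EVENTS = [
    {"id": "ev1", "src_ip": "10.0.0.5", "severity": 3},
    {"id": "ev2", "src_ip": "10.0.0.2", "severity": 5},
    {"id": "ev3", "src_ip": "10.0.0.5", "severity": 1},
    {"id": "ev4", "src_ip": "10.0.0.2", "severity": 1},
]


def sort_by_severity_then_ip():
    """Primary sort on severity, secondary on src_ip; returns ids in display order."""
    state = SortState().click("severity").click("src_ip", ctrl=True)
    return [r["id"] for r in state.apply(SAMPLE_EVENTS)]


def reverse_primary():
    """Same sort, then a plain click on the severity header to reverse it."""
    state = SortState().click("severity").click("src_ip", ctrl=True).click("severity")
    return [r["id"] for r in state.apply(SAMPLE_EVENTS)]


if __name__ == "__main__":
    print(sort_by_severity_then_ip())  # ['ev4', 'ev3', 'ev1', 'ev2']
    print(reverse_primary())           # ['ev2', 'ev1', 'ev4', 'ev3']
```

Rows with equal severity are ordered by the secondary key, which is what distinguishes a genuine secondary sort from simply re-sorting by the new column.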

Refreshing the Results Table

By default, the Results view only loads when you ask it to, either by choosing a new type from Working Memory or Contextual Memory, or when the Refresh button is pressed. This allows you to do filtering, sorting, and exploring in the view without losing the currently-selected item when new data comes in.

When new data arrives, the note at the bottom will update to say (## new events since last refresh). Click the Refresh button at the top of the view or the refresh icon to load in the new events.

The Results Chart shows a bar chart of the events listed in the Results view. The chart uses the built-in time field core:hasEventTime as its data source. This can be changed to any date property in Window→Preferences. For example, playbooks reporting in STIX use dlstix:created. The time field must be one of the columns visible in the Results view (use the Choose Columns button if needed). The chart always shows the set of events in the Results view after any filters are applied. The time bar containing the event selected in the Results view is shown in blue. This chart is non-interactive.

The Summary view is a table of data that describes the selected item in the Results view. It contains all of the properties and objects that have been attached to the event as it works its way through ingestors and PROs. The view is divided up into sections. Each section has a colored header with a label of what object is being described in that section.

The first section is always the incoming event and corresponds to the blue nodes on the Results Graph. The other sections in the Summary view correspond to the other colored groupings in the graph. The Summary and Graph contain the same information, but the Summary is faster when you need to find a specific piece of information (e.g. the infected IP address, the owner of the device, etc.).

Some entries in the table contain more information one level beyond the objects shown in the graph. These entries have blue text instead of black, and can be clicked on. To return to the previous view, click the ← icon in the top right corner of the view.

For example, in the demo data, one of the Attributable events shows (fictional) Medge Sellers as the custodian of the device. Medge is also listed as being a member of the Media Relations department, which is an object property. Clicking on the blue "Department-Media+Relations" will change the view to show details about that department.

An individual summary item can be saved as an HTML report by clicking on the Report icon and choosing a location on your file system. It can also be e-mailed to someone by clicking the notify icon and entering an e-mail address. Both of these options send the same report that is sent out as an e-mail by a Notification PRO.

The Show More Information icon toggles more data into the Summary view, including its full ID and types that were added to the event. This icon also affects the Results Graph view.

The Results Graph view is a node/link graph that describes the selected item in the Events view. It contains all of the properties and objects that have been attached to the event as it works its way through ingestors and PROs. Each new object gets a different color.

The incoming event is always blue in the graph. The other objects receive colors dynamically as they are drawn so objects of the same type (e.g., Employees) are not always the same color each time a new graph is drawn. Nodes that are connected to more than one object are colored black. This helps them stand out as they are typically of interest.

Lines between nodes in the graph have a label on them indicating what kind of a link they are (data property, object property, or type). To turn off the labels on the lines, click the Link Text button at the top of the view so it is no longer highlighted.

Note on Resizing the Graph

When the view is resized, the graph will not automatically redraw to match the new window dimensions. To force the graph to redraw in the new space, click the Link Text button.
  • Last modified: 2019/07/17 15:43