Knowledge Graph

// INFRASTRUCTURE GRAPH

IOC Clusters, CIDR Clusters, Network View

Three lenses on relationship structure in the indicator catalogue. IOC Clusters groups actors by observable similarity. CIDR Clusters surfaces shared /24 infrastructure. Network View shows the C2 graph. Together they turn one observable into a campaign.

// At a glance
Audience
All authenticated roles
Available from
Available in the operator console

// Screen capture

Knowledge Graph — from the user guide

The screenshot below is taken from the platform user guide. Sensitive data fields are redacted with solid blocks; the page chrome is cropped for clarity.

Knowledge Graph — page anatomy from HFL Platform User Guide

// Purpose

Why this page exists

The Knowledge Graph is the platform’s relationship layer. Three tabs each answer a different relationship question. IOC Clusters answers “which actors look alike in observable terms” — same feed mix, same categories, same IOC types, same severity distribution, same volume. CIDR Clusters answers “which /24 ranges show suspicious sharing” — multiple distinct IPs observed, multiple adversaries observed, over a rolling window. Network View answers “what does the C2 graph look like” — a node-link visualisation of C2 infrastructure and the actors anchored to it.

IOC Clusters uses density-based clustering over a rolling 90-day window. The result is meaningful actor clusters: actors that probably share tradecraft, infrastructure, or operator. The visualisation is a bubble graph where each large bubble is a cluster, surrounding satellites are member actors, and bubble size scales with the total IOC volume of the cluster.
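The following is an added example, not the platform's own code, showing the kind of computation behind an IOC cluster: each actor gets a feature vector from its indicators inside a rolling 90-day window (feed mix, category mix, IOC-type mix, severity distribution, log-scaled volume), actors are compared by cosine similarity, and a small DBSCAN-style density pass groups actors that have enough close neighbours. The indicator records, actor names, feed names, the similarity threshold and the minimum-neighbour count are all constructed assumptions; the platform's real feature set and clustering parameters are not documented on this page.

```python
"""Actor similarity clustering over a rolling window (illustrative example, not the platform's code)."""
from collections import Counter, defaultdict
from datetime import date, timedelta
import math

WINDOW_DAYS = 90
AS_OF = date(2024, 6, 30)  # fixed reference date so the example is deterministic

# Constructed sample indicator records: (actor, feed, category, ioc_type, severity, first_seen)
INDICATORS = [
    ("ALPHA",   "feed-x", "phishing", "domain", "high",     date(2024, 6, 1)),
    ("ALPHA",   "feed-x", "phishing", "domain", "high",     date(2024, 6, 3)),
    ("ALPHA",   "feed-x", "phishing", "domain", "high",     date(2024, 6, 9)),
    ("ALPHA",   "feed-x", "c2",       "ipv4",   "medium",   date(2024, 6, 12)),
    ("BRAVO",   "feed-x", "phishing", "domain", "high",     date(2024, 5, 20)),
    ("BRAVO",   "feed-x", "phishing", "domain", "high",     date(2024, 5, 28)),
    ("BRAVO",   "feed-x", "c2",       "ipv4",   "medium",   date(2024, 6, 2)),
    ("BRAVO",   "feed-x", "c2",       "ipv4",   "medium",   date(2024, 6, 15)),
    ("CHARLIE", "feed-y", "malware",  "sha256", "critical", date(2024, 5, 5)),
    ("CHARLIE", "feed-y", "malware",  "sha256", "critical", date(2024, 5, 19)),
    ("CHARLIE", "feed-y", "malware",  "sha256", "critical", date(2024, 6, 20)),
    ("DELTA",   "feed-z", "scanning", "ipv4",   "low",      date(2024, 6, 25)),
    ("DELTA",   "feed-x", "phishing", "domain", "high",     date(2024, 1, 15)),  # outside the window: ignored
]


def actor_vectors(indicators, as_of=AS_OF, window_days=WINDOW_DAYS):
    """Build one sparse feature vector per actor from indicators inside the rolling window."""
    cutoff = as_of - timedelta(days=window_days)
    per_actor = defaultdict(list)
    for actor, feed, category, ioc_type, severity, first_seen in indicators:
        if cutoff <= first_seen <= as_of:
            per_actor[actor].append((feed, category, ioc_type, severity))
    max_volume = max(len(recs) for recs in per_actor.values())
    vectors = {}
    for actor, recs in per_actor.items():
        n = len(recs)
        vec = {}
        # Each facet becomes a distribution over its values (fractions summing to 1 per facet).
        for prefix, idx in (("feed", 0), ("cat", 1), ("type", 2), ("sev", 3)):
            for value, count in Counter(r[idx] for r in recs).items():
                vec[f"{prefix}:{value}"] = count / n
        # Log-scaled volume relative to the busiest actor, so volume does not swamp the mix facets.
        vec["volume"] = math.log1p(n) / math.log1p(max_volume)
        vectors[actor] = vec
    return vectors


def cosine(a, b):
    """Cosine similarity of two sparse vectors (dicts); 1.0 means identical direction."""
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def density_cluster(vectors, threshold=0.7, min_pts=2):
    """DBSCAN-style grouping: a point is 'core' if it has at least min_pts neighbours
    (itself included) with similarity >= threshold; clusters grow from core points."""
    names = sorted(vectors)
    neighbours = {n: {m for m in names if cosine(vectors[n], vectors[m]) >= threshold} for n in names}
    core = {n for n in names if len(neighbours[n]) >= min_pts}
    assigned, clusters = set(), []
    for seed in names:
        if seed not in core or seed in assigned:
            continue
        cluster, frontier = set(), [seed]
        while frontier:
            p = frontier.pop()
            if p in assigned:
                continue
            assigned.add(p)
            cluster.add(p)
            if p in core:  # only core points extend the cluster further
                frontier.extend(neighbours[p] - assigned)
        clusters.append(sorted(cluster))
    noise = sorted(set(names) - assigned)  # actors with no dense neighbourhood
    return clusters, noise


if __name__ == "__main__":
    vecs = actor_vectors(INDICATORS)
    clusters, noise = density_cluster(vecs)
    print("clusters:", clusters)
    print("unclustered:", noise)
    print("ALPHA~BRAVO similarity:", round(cosine(vecs["ALPHA"], vecs["BRAVO"]), 3))
```

In this constructed data ALPHA and BRAVO share feed, categories, types and severities and form one cluster; CHARLIE and DELTA have no close neighbour and stay unclustered, and DELTA's January indicator drops out of the window entirely. The similarity score surfaced on mouse-over in workflow 02 corresponds to the `cosine` value between the focal actor and a satellite.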

CIDR Clusters is the flagship shared-infrastructure feature. The table lists /24 ranges with multiple distinct IPs observed, multiple adversaries observed, or both. Filters expose high-confidence sharing (where actors overlap in time as well as space). Clicking a row pivots into every indicator from that range across every actor.
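As an added example (not the platform's implementation), the snippet below shows how a /24 sharing table can be derived from raw observations: indicators are bucketed by /24, each range gets its distinct-IP count, distinct-adversary count and observation window, a range is flagged high-confidence only when two different actors' observation intervals overlap in time, and a filter reproduces the "multiple IPs, multiple adversaries, or both" selection plus the pivot into every indicator in a range. Actor names, IPs (documentation and private ranges) and dates are constructed; the platform's actual confidence rule is not specified on this page, so temporal interval overlap is an assumption.

```python
"""Shared /24 infrastructure detection over indicator records (illustrative example, not the platform's code)."""
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed sample observations: (actor, ip, first_seen, last_seen)
OBSERVATIONS = [
    ("ALPHA",   "203.0.113.10",  date(2024, 6, 1),  date(2024, 6, 10)),
    ("BRAVO",   "203.0.113.44",  date(2024, 6, 5),  date(2024, 6, 20)),   # overlaps ALPHA in time
    ("CHARLIE", "203.0.113.200", date(2024, 4, 1),  date(2024, 4, 5)),
    ("ALPHA",   "198.51.100.7",  date(2024, 5, 1),  date(2024, 5, 3)),
    ("CHARLIE", "198.51.100.7",  date(2024, 6, 15), date(2024, 6, 18)),   # same IP, later: no overlap
    ("DELTA",   "192.0.2.1",     date(2024, 6, 2),  date(2024, 6, 2)),
    ("DELTA",   "192.0.2.2",     date(2024, 6, 3),  date(2024, 6, 3)),
    ("DELTA",   "192.0.2.3",     date(2024, 6, 4),  date(2024, 6, 4)),
    ("ECHO",    "172.16.31.5",   date(2024, 6, 7),  date(2024, 6, 7)),    # single IP, single actor
]


def cidr24(ip):
    """Map an IPv4 address to its enclosing /24, e.g. 203.0.113.10 -> 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def has_temporal_overlap(obs):
    """True if two observations from different actors have intersecting [first_seen, last_seen]."""
    for i, a in enumerate(obs):
        for b in obs[i + 1:]:
            if a[0] != b[0] and a[2] <= b[3] and b[2] <= a[3]:
                return True
    return False


def summarise_ranges(observations):
    """Per-/24 row: distinct IPs, distinct adversaries, observation window, confidence flag."""
    by_range = defaultdict(list)
    for obs in observations:
        by_range[cidr24(obs[1])].append(obs)
    summary = {}
    for rng, obs in by_range.items():
        summary[rng] = {
            "distinct_ips": len({o[1] for o in obs}),
            "distinct_adversaries": len({o[0] for o in obs}),
            "window": (min(o[2] for o in obs), max(o[3] for o in obs)),
            "high_confidence": has_temporal_overlap(obs),
        }
    return summary


def shared_ranges(summary, min_ips=2, min_adversaries=2, require_both=False, high_confidence_only=False):
    """Select ranges with multiple IPs, multiple adversaries, or both; optionally only
    those where actors overlap in time. Sorted by adversary count, then IP count."""
    rows = []
    for rng, s in summary.items():
        many_ips = s["distinct_ips"] >= min_ips
        many_actors = s["distinct_adversaries"] >= min_adversaries
        keep = (many_ips and many_actors) if require_both else (many_ips or many_actors)
        if high_confidence_only:
            keep = keep and s["high_confidence"]
        if keep:
            rows.append((rng, s))
    rows.sort(key=lambda r: (-r[1]["distinct_adversaries"], -r[1]["distinct_ips"], r[0]))
    return rows


def pivot(observations, rng):
    """Every observation in a range across every actor (the 'click a row' pivot)."""
    return [o for o in observations if cidr24(o[1]) == rng]


if __name__ == "__main__":
    summary = summarise_ranges(OBSERVATIONS)
    for rng, s in shared_ranges(summary):
        print(rng, s["distinct_ips"], "IPs", s["distinct_adversaries"], "actors",
              "high-confidence" if s["high_confidence"] else "co-occurrence only")
    for actor, ip, first, last in pivot(OBSERVATIONS, "203.0.113.0/24"):
        print("  ", actor, ip, first, last)
```

With this data 203.0.113.0/24 is the only range that survives both the "both criteria" filter and the high-confidence filter; 198.51.100.0/24 shows one IP reused by two actors months apart, which the confidence filter drops as casual co-occurrence, and 192.0.2.0/24 is one actor spreading across several IPs.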

Network View visualises C2 infrastructure as a graph: C2 nodes, actor nodes, edges where the platform has observed connection or attribution. Useful for explaining “this is one campaign” to stakeholders who reason better visually than tabularly.

// Additional views

Other screens in this feature

Knowledge Graph — supplementary view

// Workflows

How operators use this page

01

Discover unfamiliar actor groupings

Open IOC Clusters. The largest bubbles are the most prominent clusters. Click any bubble to expand its member actors and the shared characteristics that link them.

02

Trace nearest neighbours

Search for a known actor name. The graph highlights the actor and the cluster it belongs to. Mouse-over satellites to read the similarity score with the focal actor.

03

Investigate a CIDR

Open CIDR Clusters. Sort by distinct-adversary count descending. The top rows are the most-shared /24 ranges. Click a row to see the contributing actors and indicators.

04

Filter for high-confidence sharing

Use the confidence filter to restrict the table to CIDR ranges where actor overlap in time is corroborated. This drops casual co-occurrence and keeps the signals worth investigating.

// Field reference

What the page shows

IOC Clusters: bubble graph, cluster expand panel, similarity score, member actors list. CIDR Clusters: range, distinct IP count, distinct adversary count, observation window, confidence filter. Network View: C2 nodes, actor nodes, edges with attribution labels.

// Tips and constraints

Best practices and limits

  • Large filter sets produce slow layouts. The interface caps node count to keep the graph readable.
  • IOC Clusters runs over a rolling 90-day window — older relationships are not in the current view.

// Where to go next

Related platform features

Continue your workflow in a related feature:

C2 Operations
Intelligence 360
Threat Actors