i2 Analyst’s Notebook
Summary
One of this tool's primary benefits is its visualization capability: polished relationship charts can be created with ease. This makes presenting complicated log analyses much easier than presenting tables of data or spreadsheets. The ability to display complicated relationships and processes to laypeople (such as CEOs) is a big win for us and, usually, for our readers.
Analyst's Notebook takes in complicated data manually from a spreadsheet or by one of several other import methods, all of them simple to use. Once the data is read into the tool, you decide how you want to relate it and then how you want to visualize it. Thus, a large IDS log can be captured as a comma- or tab-delimited file and fed into the tool, and data sets held in a database or a spreadsheet can be prepped into a comma- or tab-delimited file for direct import.
Analysis techniques such as clustering help you focus on the small subset of interesting items, which can then be refined further. Once refined into a solution set, the chart can be dressed up with custom icons to make presentation to a lay audience easier. There is almost no end to the ways Analyst's Notebook can be used; you are limited only by your creativity.
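As an added illustration (not part of the original review, and not i2's own code), the following Python script shows the prep step described above: it parses constructed Snort-style alert lines, extracts source/destination/signature links, flags hosts that touch several distinct peers (a simple stand-in for the tool's clustering step), and writes a generic from/to/label tab-delimited file. The column layout is an assumed generic one, not Analyst's Notebook's own import schema.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed Snort-style "fast" alert lines; not real traffic.
SAMPLE_ALERTS = """\
03/14-10:01:02.123456 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] {TCP} 203.0.113.7:4444 -> 192.0.2.10:51022
03/14-10:01:05.000001 [**] [1:1000001:1] LOCAL SSH brute force [**] {TCP} 198.51.100.9:50123 -> 192.0.2.22:22
03/14-10:01:09.000002 [**] [1:1000001:1] LOCAL SSH brute force [**] {TCP} 198.51.100.9:50124 -> 192.0.2.23:22
03/14-10:01:12.000003 [**] [1:1000001:1] LOCAL SSH brute force [**] {TCP} 198.51.100.9:50125 -> 192.0.2.24:22
03/14-10:02:00.000004 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] {TCP} 203.0.113.7:4444 -> 192.0.2.22:51030
03/14-10:03:00.000005 [**] [1:1000002:1] LOCAL DNS query burst [**] {UDP} 192.0.2.50:53210 -> 192.0.2.53:53
"""

# Signature text sits between the sid bracket and the second [**]; then proto, src, dst.
ALERT_RE = re.compile(
    r"\[\*\*\] \[[\d:]+\] (?P<sig>.+?) \[\*\*\] \{\w+\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

def parse_alerts(text):
    """Return (src_ip, dst_ip, signature) tuples, one per parseable alert line."""
    links = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            links.append((m["src"], m["dst"], m["sig"]))
    return links

def interesting_hosts(links, min_peers=2):
    """Hosts linked to at least min_peers distinct peers: the subset worth charting first."""
    peers = defaultdict(set)
    for src, dst, _ in links:
        peers[src].add(dst)
        peers[dst].add(src)
    return {host for host, p in peers.items() if len(p) >= min_peers}

def to_delimited(links, delimiter="\t"):
    """Write a generic from/to/label/count file (assumed layout, not i2's schema)."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=delimiter, lineterminator="\n")
    writer.writerow(["from", "to", "label", "count"])
    for (src, dst, sig), n in sorted(Counter(links).items()):
        writer.writerow([src, dst, sig, n])
    return buf.getvalue()
```

Pass `delimiter=","` to `to_delimited` for a comma-separated file instead; either form can then be imported into a link-analysis tool and the hosts returned by `interesting_hosts` given custom icons on the chart.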
Nor is the tool's usefulness restricted to numbers: anything that can be related to something else is grist for its mill. Relating IP addresses to users, or attacks to vulnerabilities, is a walk in the park. Just because this type of analysis tool is not seen often in our field, don't count it out. Tools such as this one, SecurITree and others can lead you to the resolution of a really tough security problem.