Event Graph Notes

Link-analysis visualizations are chart-like, or logically oriented. Geo-spatial visualizations are map-based, or physically oriented. Node size increases with event volume.

Each event is composed of the event node itself (a turquoise circle) and its connected source node (red square) and target node (white square) device assets. The source and the target may be the same asset.

Blue squares indicate a combined source and target node (a “point event”). Pink nodes indicate IP addresses that are worm or virus infection sources for other nodes.

Point events occur on a single host; for example, a syslog entry for a running process. They graph as IP address nodes that loop to an event node and back.
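To make the source-event-target structure concrete, the following Python model builds that graph from a handful of constructed sample events, aggregates repeated events into one event node whose volume drives its drawn size, and applies the colour rules from the paragraphs above (red source, white target, blue point event, pink infection source). This is an added illustration, not ArcSight code; the sample events and the `INFECTION_EVENTS` label set are constructed for the example.

```python
"""Illustrative model of the source-event-target graph described above.
Added example, not ArcSight code; all sample data is constructed."""
from dataclasses import dataclass, field

# Constructed sample events: (source IP, target IP, event name).
SAMPLE_EVENTS = [
    ("10.0.0.5", "10.0.0.20", "ssh-login"),
    ("10.0.0.5", "10.0.0.20", "ssh-login"),       # repeat -> aggregates into one node
    ("10.0.0.5", "10.0.0.21", "ssh-login"),
    ("10.0.0.20", "10.0.0.20", "process-start"),  # point event: source == target
    ("192.0.2.7", "10.0.0.20", "worm-scan"),
    ("192.0.2.7", "10.0.0.21", "worm-scan"),
]

# Constructed: event names whose source is treated as an infection source.
INFECTION_EVENTS = {"worm-scan"}


@dataclass
class Asset:
    ip: str
    roles: set = field(default_factory=set)  # "source", "target", "point", "infector"
    volume: int = 0                          # events touching this asset


@dataclass
class EventNode:
    key: tuple      # (event name, source ip, target ip)
    volume: int = 0  # identical events aggregate here; drives drawn node size


def build_graph(events, infection_events=INFECTION_EVENTS):
    """Return (assets, event_nodes, edges) for the source -> event -> target graph."""
    assets, event_nodes, edges = {}, {}, []
    for src, dst, name in events:
        key = (name, src, dst)
        ev = event_nodes.setdefault(key, EventNode(key))
        ev.volume += 1
        for ip in {src, dst}:  # a point event touches one asset only once
            assets.setdefault(ip, Asset(ip)).volume += 1
        if src == dst:
            assets[src].roles.add("point")       # blue square, loops to event and back
        else:
            assets[src].roles.add("source")      # red square
            assets[dst].roles.add("target")      # white square
        if name in infection_events:
            assets[src].roles.add("infector")    # pink node
        if ev.volume == 1:                       # edges added once per distinct event node
            edges.append((src, key))
            edges.append((key, dst))
    return assets, event_nodes, edges


def colour(asset):
    """Colour rules from the page; pink and blue take precedence over red/white."""
    if "infector" in asset.roles:
        return "pink"
    if "point" in asset.roles:
        return "blue"
    if "source" in asset.roles:
        return "red"
    return "white"


def point_events(event_nodes):
    """Event nodes whose source and target are the same asset."""
    return [k for k in event_nodes if k[1] == k[2]]


if __name__ == "__main__":
    assets, event_nodes, edges = build_graph(SAMPLE_EVENTS)
    for a in assets.values():
        print(f"{a.ip:12} volume={a.volume} colour={colour(a)} roles={sorted(a.roles)}")
    for ev in event_nodes.values():
        print(f"event {ev.key} volume={ev.volume}")
    print("point events:", point_events(event_nodes))
    print("edges:", len(edges))
```

Running the script lists each asset with its colour and volume, shows the two identical `ssh-login` events collapsed into one event node of volume 2, and reports the single point event as the only looping node.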

In geo-spatial displays, source and target locations are plotted from the physical addresses registered for their IP addresses. ArcSight includes standard plotting information for this purpose. The addresses are plotted against a world map that you can zoom in and out. All the location data that supports this feature also appears as attributes in the Event Inspector.

You can modify the way graphs plot events: keep the source-event-target visual relationships compact, or emphasize unique sources, unique targets, or both, to clarify the nature of an attack or situation more easily.