Follow-on improvements for the Network Overview tab introduced in #202. The three highest-value items (#1–#3) have already been shipped.
Already done (this PR)
Remaining items
4. External vs. internal visual distinction
RFC-1918 subnets (10.x, 192.168.x, 172.16-31.x) vs. public IPs are already distinguishable from the cluster key. Render external/internet clusters with a distinct shape or border so analysts immediately see where the network boundary is.
5. Collapse individual cluster
Currently you can only "Collapse all" once any subnet is expanded. Add the ability to re-collapse a single subnet without resetting the whole view (e.g. a collapse button in the cluster hover overlay, or right-click context menu).
6. IP search / highlight
Type an IP address → the page finds which cluster it belongs to via data.memberIds, expands that cluster, and highlights + zooms to the matching node. Essential for navigating large captures without hunting visually.
7. Richer cluster hover tooltip
The existing hover overlay shows a role breakdown bar. Extend it to show:
- Top 3 protocols with packet counts (already in
data.dominantProtocols)
- Risk count (now in
data.riskCount)
- External connection count
8. Risk-sorted cluster sidebar
A small collapsible panel listing all subnets ranked by riskCount, with a click to expand + zoom to that cluster. Good for rapid triage in large captures.
9. Minimap
A fixed-position minimap overlay showing the full graph extent with a viewport rectangle. Most useful once multiple clusters are expanded and the view becomes navigable. Sigma doesn't have a built-in minimap but it is buildable as a canvas overlay.
10. Intra-cluster hull
After a cluster is expanded, draw a visual convex-hull or background ellipse around its member nodes so the grouping remains visible. Sigma supports custom canvas layers for this.
Follow-on improvements for the Network Overview tab introduced in #202. The three highest-value items (#1–#3) have already been shipped.
Already done (this PR)
Remaining items
4. External vs. internal visual distinction
RFC-1918 subnets (10.x, 192.168.x, 172.16-31.x) vs. public IPs are already distinguishable from the cluster key. Render external/internet clusters with a distinct shape or border so analysts immediately see where the network boundary is.
5. Collapse individual cluster
Currently you can only "Collapse all" once any subnet is expanded. Add the ability to re-collapse a single subnet without resetting the whole view (e.g. a collapse button in the cluster hover overlay, or right-click context menu).
6. IP search / highlight
Type an IP address → the page finds which cluster it belongs to via
data.memberIds, expands that cluster, and highlights + zooms to the matching node. Essential for navigating large captures without hunting visually.7. Richer cluster hover tooltip
The existing hover overlay shows a role breakdown bar. Extend it to show:
data.dominantProtocols)data.riskCount)8. Risk-sorted cluster sidebar
A small collapsible panel listing all subnets ranked by
riskCount, with a click to expand + zoom to that cluster. Good for rapid triage in large captures.9. Minimap
A fixed-position minimap overlay showing the full graph extent with a viewport rectangle. Most useful once multiple clusters are expanded and the view becomes navigable. Sigma doesn't have a built-in minimap but it is buildable as a canvas overlay.
10. Intra-cluster hull
After a cluster is expanded, draw a visual convex-hull or background ellipse around its member nodes so the grouping remains visible. Sigma supports custom canvas layers for this.