Viewing an Object in Threat Graph
  • 03 Aug 2023

Indicators, Groups, and Tags

The following subsections describe how to view an Indicator, Group, or Tag in Threat Graph, which can be done from the Details drawer and Details screen. When you first access Threat Graph for an Indicator, Group, or Tag, an origin node representing the selected object will be displayed, along with a node label containing the object’s summary. The node’s shape will depend on the selected object’s type, where a circle represents an Indicator, an octagon represents a Group, and a pentagon represents a Tag.

Note
A node’s icon corresponds to the type of Indicator or Group the node represents. To view a legend that defines the Indicator or Group type associated with each icon, click the icon at the lower-left corner of the screen.

Details Drawer

  1. On the top navigation bar, hover over Browse and select Indicators, Groups, Tags, or a specific Indicator or Group type. The Browse screen will display a results table containing objects of the selected type.
  2. Click on an object’s entry in the table on the Browse screen. The object’s Details drawer will be displayed.
  3. If viewing the Details drawer for an Indicator or Tag, click the Explore in Graph button at the top left of the drawer; if viewing the Details drawer for a Group, click the Visual Analysis button at the top left of the drawer and select Explore in Graph. Threat Graph will open in a new browser tab (Figure 1).

     

Details Screen

  1. Navigate to the Details screen for an Indicator or Group.
  2. If viewing the Details screen for an Indicator, click the Explore in Graph button at the top right of the screen; if viewing the Details screen for a Group, click the Visual Analysis button at the top right of the screen and select Explore in Graph. Threat Graph will open in a new browser tab (Figure 1).

Legacy Details Screen

  1. Navigate to the legacy Details screen for an Indicator, Group, or Tag.
  2. Click the Explore In Graph button at the top left of the screen. Threat Graph will open in a new browser tab (Figure 1).

Cases

  1. On the top navigation bar, hover over Workflow and select Cases. The Cases screen will be displayed.
  2. Select a Case on the Cases screen. A detailed view of the Case will be displayed.
  3. Click the Explore In Graph button at the top right of the Case. Threat Graph will open in a new browser tab (Figure 2). When you first access Threat Graph for a Case, a diamond-shaped origin node representing the Case will be displayed, along with a node label containing the Case’s name.

    Figure 2

     

Node Contextual Menu Options

When you click on an Indicator, Group, Tag, or Case node in Threat Graph, a contextual menu will be displayed. See Table 1 for a list of options that may be displayed in this menu, based on the type of object the node represents.

 

| Name | Applicable Object Type(s) |
|---|---|
| Pivot in ThreatConnect | Indicators of any type; Groups of any type; Tags; Cases |
| Pivot with CAL¹ | Non-private Indicators of any type except File; Groups of any type |
| Enrich | Indicators of a type for which a System Administrator enabled and configured a third-party enrichment service |
| Run Playbook… | Indicators of any type that exist in ThreatConnect |
| View Details | Indicators of any type; Groups of any type; Tags; Cases |
| CAL Alias Information² | Adversary, Intrusion Set, Malware, Threat, and Tool Groups |
| Combine Group Nodes by Alias² | Adversary, Intrusion Set, Malware, Threat, and Tool Groups |

1. To use this feature, CAL™ must be enabled on your ThreatConnect instance and for your Organization, and data for the selected object must exist in CAL.

2. To use this feature, CAL must be enabled on your ThreatConnect instance and for your Organization (this is required for the option to be displayed), and data for the Adversary, Intrusion Set, Malware, Threat, or Tool Group must exist in CAL.


ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-03 v.07.A

