Alias Information for Groups
  • 18 Mar 2024

If a Group node represents an Adversary, Intrusion Set, Malware, Threat, or Tool Group and information for that Group exists in CAL™, the CAL Alias Information and Combine Group Nodes by Alias options will be displayed in the menu when you click on the node (Figure 1).

Important
If CAL is not enabled on your ThreatConnect instance or for your Organization, the CAL Alias Information and Combine Group Nodes by Alias options will not be displayed for Adversary, Intrusion Set, Malware, Threat, and Tool Groups for which CAL has information.

CAL Alias Information

Select the CAL Alias Information option to display a scrollable list of known aliases for the selected Group. Figure 2 shows alias information that exists in CAL for the Fancy Bear Adversary and Threat Group-4127 Threat Groups, which is identical for both Groups.

Note
No action will occur when you click on an alias displayed in the list.

Combine Group Nodes by Alias

If multiple Group nodes on an object’s graph share a known alias, you can use the Combine Group Nodes by Alias option to combine those individual nodes into a single, compound Group node. This arrangement provides a better understanding of which objects are related to a given Group for which CAL has known alias information.

For example, Figure 3 shows a graph where a user pivoted on the Uses Tool CAL relationship type for the Fancy Bear Adversary and Threat Group-4127 Threat Groups. Based on the alias information provided by CAL (Figure 2), these two Groups share a known alias.

Clicking on either of these nodes and selecting the Combine Group Nodes by Alias option will display the Combine Group Nodes by Alias window (Figure 4).

  • This window displays a list of aliases returned from CAL for the selected Group.
  • Click the Combine Group Nodes button to combine individual Group nodes that correspond to any known aliases listed in the window into a compound Group node.
    Important
    Combining individual Group nodes affects only the instance of the graph you’re viewing, and you cannot undo the grouping of individual Group nodes in a graph.

Figure 5 shows the same graph as in Figure 3 after combining the individual Threat Group-4127 Threat and Fancy Bear Adversary Group nodes into a compound Group node. Compound Group nodes feature a blue box that contains all individual Group nodes on the graph that are a known alias of a Group returned from CAL, along with a node label containing the name of the Group node from which you selected Combine Group Nodes by Alias.

You can reposition a compound Group node on the graph by dragging the blue rectangle to the desired location. Similarly, you can reposition individual Group nodes within a compound Group node by dragging them to the desired location. The repositioned Group node will remain inside the compound Group node, but the size of the compound Group node will change automatically based on the Group node’s new position.

Within a compound Group node, you can pivot on associations in ThreatConnect and relationships in CAL for each individual Group node by clicking on the desired node to display the menu in Figure 1. When you pivot on associations and CAL relationships for an individual Group node within a compound Group node, associated and related nodes added to the graph will be connected to the compound Group node.

Note
To view associations and CAL relationships for an individual Group node contained within a compound Group node, click the icon at the lower-left corner of the screen and toggle off the slider(s) for the other Group type(s) contained within the compound Group node.

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-05 v.04.B

