Alias Information for Groups

If a Group node represents an Adversary, Intrusion Set, Malware, Threat, or Tool Group and information for that Group exists in ThreatConnect's Collective Analytics Layer (CAL™), the CAL Alias Information and Combine Group Nodes by Alias options will be displayed in the menu when you click on the node (Figure 1).

CAL Alias Information

Select the CAL Alias Information option to display a scrollable list of known aliases for the selected Group. Figure 2 shows alias information that exists in CAL for the Fancy Bear Adversary and Threat Group-4127 Threat Groups, which is identical for both Groups.

Combine Group Nodes by Alias

If multiple Group nodes on an object’s graph share a known alias, you can use the Combine Group Nodes by Alias option to combine those individual nodes into a single, compound Group node. This arrangement provides a better understanding of which objects are related to a given Group for which CAL has known alias information.

For example, Figure 3 shows a graph where a user pivoted on the Uses Tool CAL relationship type for the Fancy Bear Adversary and Threat Group-4127 Threat Groups. Based on the alias information provided by CAL (Figure 2), these two Groups share a known alias.

Clicking on either of these nodes and selecting the Combine Group Nodes by Alias option will display the Combine Group Nodes by Alias window (Figure 4).

• This window displays a list of aliases returned from CAL for the selected Group.
• Click the Combine Group Nodes button to combine individual Group nodes that correspond to any known aliases listed in the window into a compound Group node.
  Important

  Combining individual Group nodes affects only the instance of the graph you’re viewing, and you cannot undo the grouping of individual Group nodes in a graph.

Figure 5 shows the same graph as in Figure 3 after combining the individual Threat Group-4127 Threat and Fancy Bear Adversary Group nodes into a compound Group node. Compound Group nodes feature a blue box that contains all individual Group nodes on the graph that are a known alias of a Group returned from CAL and a node label containing the name of the Group node from which you selected Combine Group Nodes by Alias.

You can reposition a compound Group node on the graph by dragging the blue rectangle to the desired location. Similarly, you can reposition individual Group nodes within a compound Group node by dragging them to the desired location. The repositioned Group node will remain inside the compound Group node, but the size of the compound Group node will change automatically based on the Group node’s new position.

Within a compound Group node, you can pivot on associations in ThreatConnect and relationships in CAL for each individual Group node by clicking on the desired node to display the menu in Figure 1. When you pivot on associations and CAL relationships for an individual Group node within a compound Group node, associated and related nodes added to the graph will be connected to the compound Group node.

Note

To view associations and CAL relationships for an individual Group node contained within a compound Group node, click the  icon at the lower-left corner of the screen and toggle off the slider(s) for the other Group type(s) contained within the compound Group node.

ThreatConnect^® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-05 v.04.B