Adjusting View and Layout in Threat Graph

Overview

The Threat Graph feature in ThreatConnect^® provides a graph-based interface that you can use to discover, visualize, and contextualize associations and relationships between Indicators, Groups, Cases, and Tags. As you pivot in Threat Graph and add nodes to the graph, you may want to adjust your view of the graph or rearrange nodes to ensure you focus on the objects that matter most to your investigation.

Before You Start

User Roles

• To adjust the view settings and layout of nodes in Threat Graph, your user account can have any Organization role.

Rearranging Nodes

Individual Node

Follow these steps to reposition an individual node in Threat Graph:

1. Open Threat Graph.
2. Click and hold a node on the graph.
3. Drag the node to the desired location on the graph, and then release the node.

Multiple Nodes

Follow these steps to reposition multiple nodes at once in Threat Graph:

1. Open Threat Graph.
2. Ensure there is at least one other node on the graph in addition to the origin node. If there are no other nodes on the graph except for the origin node, pivot in ThreatConnect, CAL™, or an enrichment service to add nodes.
3. Press and hold the CTRL key on your keyboard.
4. Drag and select a group of nodes on the graph, and then release the CTRL key on your keyboard.
5. Drag the selected nodes to the desired location on the graph, and release the nodes.

Adjusting Zoom Settings

You can use the following options in the toolbar at the top left of the graph to adjust the zoom settings in Threat Graph:

• Zoom In: Zoom in to see more details on the graph.
• Zoom Out: Zoom out to see more objects on the graph.
• Zoom to Fit: Adjust the zoom automatically to show all objects on the graph.
• Scroll to zoom: Turn on this toggle to zoom in and out by scrolling your mousewheel.

Showing and Hiding Data

The Threat Graph legend (Figure 1) includes a scrollable list of object types and labels that can be shown on the graph. It also provides a key that defines the color scheme for objects on the graph that belong to multiple ThreatConnect owners and arrows corresponding to CAL relationships (CAL Intelligence), enrichment service relationships (Enrichment Intel), and ThreatConnect associations (ThreatConnect).

Follow these steps to use the Threat Graph legend to show and hide items on the graph. By default, all types of Indicators, all types of Groups, Cases, Tags, node labels, and connection labels will be shown on the graph.

1. Open Threat Graph.
2. Click Legendin the toolbar at the top left of the graph to open the Threat Graph legend (Figure 1).
3. Select or clear an item’s checkbox in the Groups, Indicators, Other Object Types, or Labels section of the Threat Graph legend to show or hide the item, respectively, on the graph.
   
   Important

   Clearing the checkbox for an object type will hide all nodes corresponding to objects of that type and their respective connections.

Reorganizing the Layout

As you pivot in Threat Graph and rearrange nodes on the graph, the layout of nodes  may become disorganized and difficult to follow. To reorganize the layout of all nodes on the graph automatically, click  Restore Layoutin the toolbar at the top left of Threat Graph.

If you are working with an unsaved graph and want to reset the graph so that it only contains the origin node, refresh the browser tab in which Threat Graph is open.

ThreatConnect^® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-07 v.05.A