Group Alias Information in Threat Graph
  • 18 Sep 2024

Overview

The Threat Graph feature in ThreatConnect® provides a graph-based interface that you can use to discover, visualize, and contextualize associations and relationships between Indicators, Groups, Cases, and Tags. The CAL Alias Information and Combine Group Nodes by Alias options in Threat Graph, available for Adversary, Intrusion Set, Malware, Threat, and Tool Groups CAL™ knows of, let you view alias information for Groups and combine Group nodes that share an alias into a single node, respectively.

Before You Start

User Roles

  • To use the CAL Alias Information and Combine Group Nodes by Alias options in Threat Graph for Adversary, Intrusion Set, Malware, Threat, and Tool Groups in an Organization, your user account can have any Organization role.
  • To use the CAL Alias Information and Combine Group Nodes by Alias options in Threat Graph for Adversary, Intrusion Set, Malware, Threat, and Tool Groups in a Community or Source, your user account can have any Community role except Banned for that Community or Source.

Prerequisites

  • To have access to the CAL Alias Information and Combine Group Nodes by Alias options in Threat Graph, turn on CAL for your ThreatConnect instance (must be a System Administrator to perform this action).

CAL Alias Information

Follow these steps to view known aliases for Adversary, Intrusion Set, Malware, Threat, and Tool Groups CAL knows of in Threat Graph:

  1. Open Threat Graph.
  2. Select a node on the graph that corresponds to an Adversary, Intrusion Set, Malware, Threat, or Tool Group. If no such node is on the graph, pivot in ThreatConnect or CAL to add one.
  3. If information for the selected Group exists in CAL, the Group node’s menu will include the CAL Alias Information option. Select CAL Alias Information to view a scrollable list of known aliases for the selected Group. For example, Figure 1 shows alias information for the Fancy Bear Adversary Group and the Threat Group-4127 Threat Group, which is identical for both Groups.
    [Figure 1: Group Alias Information in Threat Graph]

    Note
    No action will occur when you select an alias in the CAL Alias Information submenu.

Combine Group Nodes by Alias

If multiple Group nodes in Threat Graph have similar alias information, you can use the Combine Group Nodes by Alias option to combine those individual nodes into a single, compound node. This arrangement provides a better understanding of which objects are related to Groups that are likely to be the same entity, as well as a cleaner visual depiction of the relationships between the Groups and their respective associated objects.

Follow these steps to combine multiple Group nodes with similar alias information into a compound node in Threat Graph:

  1. Open Threat Graph.
  2. Ensure there are at least two Adversary, Intrusion Set, Malware, Threat, or Tool Groups with similar alias information on the graph. For example, in Figure 2, there are nodes for the Fancy Bear Adversary Group and the Threat Group-4127 Threat Group. Based on the alias information provided by CAL for each Group (Figure 1), these two Groups have similar alias information. If no such nodes are on the graph, pivot in ThreatConnect or CAL to add nodes.
    [Figure 2: Group Alias Information in Threat Graph]

  3. Select one of the Group nodes with similar alias information, and then select Combine Group Nodes by Alias in the node’s menu.
  4. On the Combine Group Nodes by Alias window (Figure 3), click Combine Group Nodes to combine individual Group nodes that correspond to any of the aliases listed in the window into a compound Group node.
    [Figure 3: Group Alias Information in Threat Graph]

    Important
    Combining individual Group nodes affects only the instance of the graph you are viewing in Threat Graph. You cannot undo the grouping of individual Group nodes in Threat Graph.

Figure 4 shows the same graph as in Figure 2, except that the individual Threat Group-4127 Threat Group and Fancy Bear Adversary Group nodes have been combined into a compound Group node. A compound Group node is drawn as a blue rectangle that contains every individual Group node on the graph that is a known alias of a given Group, based on the alias information in CAL. The compound node also carries a label showing the primary Group name that the individual Group nodes are aliases of (APT28 in this example).

[Figure 4: Group Alias Information in Threat Graph]

You can reposition a compound Group node on the graph by dragging the blue rectangle to the desired location. Similarly, you can reposition individual Group nodes within a compound Group node by dragging them to the desired location. The repositioned Group node will remain inside the compound Group node, but the size of the compound Group node will change based on the Group node’s new position.

Within a compound Group node, you can pivot in ThreatConnect and CAL for each individual Group node. When you pivot in ThreatConnect or CAL for an individual Group node within a compound Group node, associated and related nodes added to the graph will be connected to the compound Group node.
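The combine and pivot behaviour described above, modelled as a small added Python example (not ThreatConnect code). The CAL alias records, the `primary` field, the associated-object edges and the matching rule (a node is collapsed when its name appears in the selected node's alias list) are constructed assumptions drawn from the article's wording.

```python
"""Model of Threat Graph's Combine Group Nodes by Alias step and of pivoting
from a member of a compound node. Added example; not ThreatConnect's code."""

# Constructed CAL alias data for the two Groups the article uses. The shape
# (a 'primary' name plus an alias set) is an assumption, not CAL's real schema.
CAL_ALIASES = {
    "Fancy Bear": {"primary": "APT28",
                   "aliases": {"APT28", "Fancy Bear", "Threat Group-4127"}},
    "Threat Group-4127": {"primary": "APT28",
                          "aliases": {"APT28", "Fancy Bear", "Threat Group-4127"}},
}

# Constructed graph: node names plus edges to associated objects. "Example
# Malware" has no CAL alias record, so it must stay an individual node.
NODES = {"Fancy Bear", "Threat Group-4127", "Example Malware", "198.51.100.7"}
EDGES = {("Fancy Bear", "198.51.100.7"), ("Threat Group-4127", "Example Malware")}


def combine_group_nodes(nodes, edges, selected, cal=CAL_ALIASES):
    """Collapse Group nodes that CAL lists as aliases of `selected` into one
    compound node labelled with the primary name.

    Returns (compound_label, members, rewired_edges). Every edge that touched
    a member now touches the compound node instead, which is why objects
    associated with either Group appear attached to the compound node.
    """
    record = cal.get(selected)
    if record is None:
        # Mirrors the UI: the option is only offered when CAL knows the Group.
        raise ValueError(f"{selected!r} has no CAL alias information")
    members = {n for n in nodes if n == selected or n in record["aliases"]}
    label = record["primary"]

    def collapse(node):
        return label if node in members else node

    rewired = {(collapse(a), collapse(b)) for a, b in edges}
    return label, members, rewired


def pivot(edges, compound_label, members, member, new_node):
    """Pivot from an individual Group node inside a compound node: the newly
    added associated node is connected to the compound node, not the member."""
    if member not in members:
        raise ValueError(f"{member!r} is not inside compound node {compound_label!r}")
    return edges | {(compound_label, new_node)}
```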

Hint
To view associations and CAL relationships for an individual Group node within a compound Group node, click the Legend icon in the toolbar at the top left of the graph and clear the checkbox(es) for the other Group type(s) in the compound Group node.

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-05 v.05.A
