Explore In Graph Overview
  • 18 Jan 2023


The Explore In Graph feature (also known as Threat Graph) in ThreatConnect® enables you to discover, visualize, and explore Indicator, Group, and Case relationships using a graph-based interface. When viewing an object’s graph, you can pivot on Indicator, Group, and Case associations in ThreatConnect, as well as relationships for Indicators and Groups that exist within a Collective Analytics Layer (CAL™) dataset. For Indicators, you may also pivot on third-party enrichment relationships if an enrichment service is enabled on your instance and for the Indicator’s type. For Adversary, Intrusion Set, Malware, Threat, and Tool Groups on which CAL has information, you can view known aliases for the Group and combine multiple Group nodes that share a known alias into a single, compound Group node.

After building out an object’s graph with its associated objects, you can save the graph in its current state to revisit at a later time or export it to a PNG or JPEG file to share with teammates, executives, and stakeholders.

Before You Start

Minimum Role(s)
  • Organization role of Read Only User (for using the Explore In Graph feature to pivot on associations in ThreatConnect, relationships in CAL, and relationships in enabled enrichment services, as well as for viewing details for Indicators, Groups, and Cases)
  • Organization role of Standard User (for importing Indicators into a ThreatConnect Group object)

Prerequisites

To pivot on Indicator, Group, and Case associations in ThreatConnect, pivot on CAL relationships for Indicators and Groups, and view CAL alias information for Groups, the following prerequisites must be met:

  • A ThreatConnect instance with version 6.7 or newer installed
  • CAL enabled on your ThreatConnect instance and for your Organization (for pivoting with CAL and viewing alias information for Groups that exist in CAL)
  • An Indicator not marked as private (for viewing and exploring Indicator relationships that exist in CAL)
  • Workflow enabled on your ThreatConnect instance and for your Organization (for pivoting on Case associations)

To pivot on third-party enrichment relationships for an Indicator, the following prerequisites must be met:

  • A ThreatConnect instance with version 7.0 or newer installed
  • An enrichment service enabled for the Indicator’s type and a valid API key for that enrichment service entered by a System Administrator (see the “Enrichment Tools” section of the ThreatConnect System Administration Guide for more information)

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-01 v.06.A

