Explore In Graph Overview
  • 12 Apr 2023

The Threat Graph feature in ThreatConnect® provides a graph-based interface where you can discover, visualize, and explore Indicator, Group, Case, and Tag relationships. After accessing an object’s graph, you can pivot on Indicator, Group, Case, and Tag associations in ThreatConnect, as well as relationships for Indicators and Groups that exist within a CAL dataset. You can also perform the following actions to gain a comprehensive picture of a threat:

  • Pivot on available third-party enrichment relationships for supported Indicator types;
  • Run active UserAction Trigger–based Playbooks for Indicators that exist in ThreatConnect;
  • Import Indicators added to an object’s graph via CAL and enrichment pivots into ThreatConnect;
  • View known alias information retrieved from CAL for select Group types;
  • Combine multiple Group nodes that share a known alias into a single, compound Group node.

After building out an object’s graph with its associated objects, you can save the graph in its current state to revisit at a later time or add to a report, or export it to a PNG or JPEG file that you can share with teammates, executives, and stakeholders.

Before You Start

Minimum Role(s)

  • Organization role of Read Only User (for pivoting on associations in ThreatConnect, relationships in CAL, and relationships in enabled enrichment services, as well as for viewing details for Indicators, Groups, and Cases)
  • Organization role of Standard User (for importing Indicators into ThreatConnect and associating them to a Group)

Prerequisites

To pivot on Indicator, Group, Case, and Tag associations in ThreatConnect, pivot on CAL relationships for Indicators and Groups, and view CAL alias information for Groups, the following prerequisites must be met:

  • A ThreatConnect instance with version 7.1 or newer installed
  • CAL enabled on your ThreatConnect instance and for your Organization (for pivoting with CAL and viewing alias information for Groups that exist in CAL)
  • An Indicator not marked as private (for viewing and exploring Indicator relationships that exist in CAL)
  • Workflow enabled on your ThreatConnect instance and for your Organization (for pivoting on Case associations)

To pivot on third-party enrichment relationships for an Indicator, the following prerequisites must be met:

  • A ThreatConnect instance with version 7.0 or newer installed (for pivoting on VirusTotal™ relationships)
  • A ThreatConnect instance with version 7.1 or newer installed (for pivoting on Shodan® relationships)
  • An enrichment service enabled for the Indicator’s type and a valid API key for that enrichment service entered by a System Administrator on the System Settings screen (see the “Enrichment Tools” section of the ThreatConnect System Administration Guide for more information)

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
VirusTotal™ is a trademark of Google, Inc.
Shodan® is a registered trademark of Shodan.

20117-01 v.07.A

