Threat Graph

Overview

The Threat Graph feature in ThreatConnect^® provides a graph-based interface that you can use to discover, visualize, and contextualize associations and relationships between Indicators, Groups, Cases, and Tags. Specifically, you can perform the following actions to gain a comprehensive picture of a threat in Threat Graph:

• Pivot on Indicator, Group, Case, and Tag associations in ThreatConnect; Indicator and Group relationships that exist within CAL™; and third-party enrichment relationships for supported Indicator types
• Run active UserAction Trigger–based Playbooks for Indicators that exist in ThreatConnect
• Create Group-to-Group, Indicator-to-Group, and Group-to-Indicator associations
• Import Indicators from Threat Graph into one of your ThreatConnect owners
• View known alias information in CAL for select Group types and combine Group nodes that share an alias into a single node

After you build out a graph in Threat Graph, you can save the graph to revisit at a later time or add to a report, or you can export the graph as an image file that you can share with teammates, executives, and stakeholders.

In This Series

• Viewing an Object in Threat Graph: Learn how to view an Indicator, Group, Tag, or Case in Threat Graph and about the available options in a node’s menu.
• Exploring Associations in Threat Graph: Learn how to explore associations and relationships between objects by pivoting in Threat Graph.
  • Pivoting in ThreatConnect in Threat Graph: Learn how to pivot on Indicator, Group, Case, and Tag associations that exist in ThreatConnect in Threat Graph.
  • Pivoting With CAL in Threat Graph: Learn how to pivot on Indicator and Group relationships that exist in CAL in Threat Graph.
  • Pivoting on Enrichment Services in Threat Graph: Learn how to pivot on third-party enrichment service relationships for Indicators in Threat Graph.
• Group Alias Information in Threat Graph: Learn how to view known alias information in CAL for select Group types and combine Group nodes that share an alias in Threat Graph.
• Viewing Details in Threat Graph: Learn how to view details for Indicators, Groups, Cases, and Tags in Threat Graph.
• Managing Graph Objects in Threat Graph: Learn about the different ways you can manage graph objects in Threat Graph.
  • Adding Associations in Threat Graph: Learn how to add associations to Indicators and Groups in Threat Graph.
  • Running Playbooks in Threat Graph: Learn how to run an active UserAction Trigger–based Playbook for Indicators in Threat Graph.
  • Importing Indicators From Threat Graph: Learn how to import Indicators from Threat Graph into one of your ThreatConnect owners.
  • Removing Objects From Threat Graph: Learn how to remove Indicator, Group, Case, and Tag nodes from Threat Graph.
• Adjusting View and Layout in Threat Graph: Learn how to adjust the view settings and layout of nodes in Threat Graph.
• Saving, Exporting, and Managing Graphs in Threat Graph: Learn how to save, export, and manage a graph while it is open in Threat Graph.
• Viewing All Graphs Saved in Threat Graph: Learn about the Graph screen in ThreatConnect, which is where you can view and manage all graphs you and other users in your Organization have saved in Threat Graph.

ThreatConnect^® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-01 v.08.B