Graph View: Object Menu
  • 14 Dec 2022
  • 7 Minutes to read
  • Dark
    Light

Graph View: Object Menu

  • Dark
    Light

When viewing the Associations card in graph view, clicking on a node representing an associated object will display a contextual menu (Figure 1) with the following options: View Details, Pivot, and Add Association.

 

Important
If the Add Association option is not displayed after clicking on a node representing an Indicator, select View Details and then select Back in the contextual menu. The Add Association option will now be displayed in the node’s menu. You must perform these steps each time you click on the Indicator node in order to see the Add Association option.

View Details

Select View Details to display the selected object’s Details drawer. If the selected object exists in multiple owners, you will be prompted to select the owner in which you want to view details about the object.

Note
The View Details option will not be displayed for the origin node (i.e., the node representing the object for which you are viewing the Details screen).

Pivot

Select Pivot to pivot on associations for the selected node. After you select Pivot, you will be prompted to choose the type of object on which to pivot: Indicators, Groups, Tags, or Victims (Figure 2).

Note
If there are no associated objects on which to pivot for the selected node, the Pivot option will not be displayed.

 

Select an object type to display all objects of that type that are associated to the selected node. You can pivot on multiple object types for a single node by clicking on the node, selecting Pivot, and selecting the next type from the menu displayed in Figure 2.

Figure 3 shows all Indicators, Groups, and Tags associated to the Menace Initiative Threat Group. These objects are considered second-level associations because they are two levels of association away from the primary object. You can, in turn, click on them to explore their details and associated objects.

 

To hide second-level associated objects, click on the node to which they’re associated, select Pivot, and select one of the Hide options (Figure 4).

 

Note
As you explore more levels of association, you may need to use the Zoom to Fit or Zoom Out options at the lower-right corner of the Associations card to view the entire graph.

Add Association

From graph view, you may add associations to the primary object or to associated objects via the Add Association option (Figure 1). This option will be displayed only if the following conditions apply:

  • If the object is an Indicator, custom Indicator-to-Indicator association types must be enabled and available.
  • You have a permission level of Create or higher for Indicators and Groups in the object’s owner.
  • The object is not a Tag.

Selecting Add Association in Figure 1 will display a menu listing two object types: Group and Indicator (Figure 5).

 

If cross-owner associations are enabled on your ThreatConnect instance, you can create associations to Indicators and Groups in any owner to which you have access; otherwise, you can only create associations to Indicators and Groups that belong to the same owner as the selected object.

Group

Selecting Group will display the Add Groups window (Figure 6). This window displays all available Groups that are not associated to the object from which you selected Group.

Graphical user interface, application, email  Description automatically generated

 

  • Select one or more Groups to associate to the selected object. If desired, use the Filters menu to filter Groups by type, a range of dates within which they were created, or a range of dates within which they were last modified. You can also enter text in the box to the left of the Filters menu to filter Groups by summary. If cross-owner associations are enabled on your ThreatConnect instance, you can filter Groups by owner and add associations to Groups in other owners to which you have access. To view a Group’s Details screen in a new browser tab, click View details in new tab   in the Name/Summary column for the Group.
  • Click the Add Groups button to create associations to the selected Groups.

The new associations(s) will now be displayed in the graph, as shown in Figure 7 for the Big Top Adversary Group, to which an association to the Bad Incident Incident Group was created.

A picture containing text, sky, map, vector graphics  Description automatically generated

 

Indicator

Selecting Indicator in Figure 5 will display the Add Indicators window. This window’s appearance depends on the type of object from which you selected Indicator.

Indicator-to-Indicator Association

If the object from which you selected Indicator is an Indicator, the Add Indicators window will look like Figure 8.

 

  • Select an Association Type: Select a custom Indicator-to-Indicator association type. Indicators of the target type that are not associated to the selected Indicator will be displayed.
  • Select one or more Indicators to associate to the selected object. If desired, use the Filters menu to filter Indicators by a range of dates within which they were created or last modified. You can also enter text in the box to the left of the Select an Association Type dropdown to filter Indicators by summary. If cross-owner associations are enabled on your ThreatConnect instance, you can filter Indicators by owner and add associations to Indicators in other owners to which you have access. To view an Indicator’s Details screen in a new browser tab, click View details in new tab   in the Name/Summary column for the Indicator.
  • Click the Add Indicators button to create associations to selected Indicators.

Group-to-Indicator Association

If the object from which you selected Indicator is a Group, the Add Indicators window will look like Figure 9. By default, the Add Indicators window will be displayed with the Existing Indicators option selected, showing all existing Indicators not associated to the selected Group. If the desired Indicator exists in an owner to which you have access, keep the selection of Existing Indicators at the top left of the Add Indicators window.

 

  • Select one or more Indicators to associate to the selected Group. If desired, use the Filters menu to filter Indicators by type, a range of dates within which they were created, or a range of dates within which they were last modified. You can also enter text in the box to the left of the Filters menu to filter Indicators by summary. If cross-owner associations are enabled on your ThreatConnect instance, you can filter Indicators by owner and add associations to Indicators in other owners to which you have access. To view an Indicator’s Details screen in a new browser tab, click View details in new tab   in the Name/Summary column for the Indicator.
  • Click the Add Indicators button to create associations to selected Indicators.

If the desired Indicator does not exist in an owner to which you have access, select New Indicators at the top left of the Add Indicators window. The window will now display options for creating new Indicators (Figure 10).

Graphical user interface, text, application  Description automatically generated

 

  • Indicator Type: Select an Indicator type. Available choices include Unknown - (parsed), File, Email Subject, Hashtag, Mutex, Registry Key, and User Agent. Parsable Indicator types include Address, Email Address, Host, URL, ASN, and CIDR. After you select an Indicator type, the Indicator Type section will change to enable the entry of associated Indicators of the selected type. If you selected Unknown - (parsed), the following options will be displayed:
    • Upload: Upload a file containing the Indicators to be imported and associated to the Group. Requirements for the file are displayed below the Upload heading.
    • Text to be Parsed: Enter text to be parsed for Indicators, and then click the + Add button.
      Important
      Indicators included on an Indicator Exclusion List will not be imported or associated to the Group.
  • New Indicators to be Associated: This section displays the Indicator(s) that will be created and associated to the Group in a table with the following columns:
    • Type: The Indicator’s type.
    • Summary: The Indicator’s summary.
    • Known: Indicates whether the Indicator exists in the Group's owner.
    • Private: To mark an Indicator as private, select the corresponding checkbox in the Private column. This column will be displayed only if your System Administrator has enabled private Indicators.
    • Actions: To remove an Indicator from the table, click Delete  in this column.
  • Additional Details (Optional): In this section, you can fill out the following information for all Indicators being created and associated to the Group:
    • Owner: This required field is displayed only if cross-owner associations are enabled on your ThreatConnect instance. Select the owner in which the Indicator(s) will be created.
      Important
      If cross-owner associations are not enabled on your ThreatConnect instance and the associated object to which a new Indicator association is being added is not in the primary object’s owner, but rather is associated to an object of the same name in a different owner, then the new Indicator will be created in the primary object’s owner, not the associated object’s owner.
    • Description: Enter a Description for the Indicator(s).
    • Tags: Enter Tags to apply to the Indicator(s).
    • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
    • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
  • Click the Add Indicators button to create the new Indicators and associate them to the selected Group.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20076-04 v.09.A


Was this article helpful?