- 14 Dec 2022
- 7 Minutes to read
-
Print
-
DarkLight
Graph View: Object Menu
- Updated on 14 Dec 2022
- 7 Minutes to read
-
Print
-
DarkLight
When viewing the Associations card in graph view, clicking on a node representing an associated object will display a contextual menu (Figure 1) with the following options: View Details, Pivot, and Add Association.
View Details
Select View Details to display the selected object’s Details drawer. If the selected object exists in multiple owners, you will be prompted to select the owner in which you want to view details about the object.
Pivot
Select Pivot to pivot on associations for the selected node. After you select Pivot, you will be prompted to choose the type of object on which to pivot: Indicators, Groups, Tags, or Victims (Figure 2).
Select an object type to display all objects of that type that are associated to the selected node. You can pivot on multiple object types for a single node by clicking on the node, selecting Pivot, and selecting the next type from the menu displayed in Figure 2.
Figure 3 shows all Indicators, Groups, and Tags associated to the Menace Initiative Threat Group. These objects are considered second-level associations because they are two levels of association away from the primary object. You can, in turn, click on them to explore their details and associated objects.
To hide second-level associated objects, click on the node to which they’re associated, select Pivot, and select one of the Hide options (Figure 4).
Add Association
From graph view, you may add associations to the primary object or to associated objects via the Add Association option (Figure 1). This option will be displayed only if the following conditions apply:
- If the object is an Indicator, custom Indicator-to-Indicator association types must be enabled and available.
- You have a permission level of Create or higher for Indicators and Groups in the object’s owner.
- The object is not a Tag.
Selecting Add Association in Figure 1 will display a menu listing two object types: Group and Indicator (Figure 5).
If cross-owner associations are enabled on your ThreatConnect instance, you can create associations to Indicators and Groups in any owner to which you have access; otherwise, you can only create associations to Indicators and Groups that belong to the same owner as the selected object.
Group
Selecting Group will display the Add Groups window (Figure 6). This window displays all available Groups that are not associated to the object from which you selected Group.
- Select one or more Groups to associate to the selected object. If desired, use the Filters menu to filter Groups by type, a range of dates within which they were created, or a range of dates within which they were last modified. You can also enter text in the box to the left of the Filters menu to filter Groups by summary. If cross-owner associations are enabled on your ThreatConnect instance, you can filter Groups by owner and add associations to Groups in other owners to which you have access. To view a Group’s Details screen in a new browser tab, click View details in new tab
in the Name/Summary column for the Group.
- Click the Add Groups button to create associations to the selected Groups.
The new associations(s) will now be displayed in the graph, as shown in Figure 7 for the Big Top Adversary Group, to which an association to the Bad Incident Incident Group was created.
Indicator
Selecting Indicator in Figure 5 will display the Add Indicators window. This window’s appearance depends on the type of object from which you selected Indicator.
Indicator-to-Indicator Association
If the object from which you selected Indicator is an Indicator, the Add Indicators window will look like Figure 8.
- Select an Association Type: Select a custom Indicator-to-Indicator association type. Indicators of the target type that are not associated to the selected Indicator will be displayed.
- Select one or more Indicators to associate to the selected object. If desired, use the Filters menu to filter Indicators by a range of dates within which they were created or last modified. You can also enter text in the box to the left of the Select an Association Type dropdown to filter Indicators by summary. If cross-owner associations are enabled on your ThreatConnect instance, you can filter Indicators by owner and add associations to Indicators in other owners to which you have access. To view an Indicator’s Details screen in a new browser tab, click View details in new tab
in the Name/Summary column for the Indicator.
- Click the Add Indicators button to create associations to selected Indicators.
Group-to-Indicator Association
If the object from which you selected Indicator is a Group, the Add Indicators window will look like Figure 9. By default, the Add Indicators window will be displayed with the Existing Indicators option selected, showing all existing Indicators not associated to the selected Group. If the desired Indicator exists in an owner to which you have access, keep the selection of Existing Indicators at the top left of the Add Indicators window.
- Select one or more Indicators to associate to the selected Group. If desired, use the Filters menu to filter Indicators by type, a range of dates within which they were created, or a range of dates within which they were last modified. You can also enter text in the box to the left of the Filters menu to filter Indicators by summary. If cross-owner associations are enabled on your ThreatConnect instance, you can filter Indicators by owner and add associations to Indicators in other owners to which you have access. To view an Indicator’s Details screen in a new browser tab, click View details in new tab
in the Name/Summary column for the Indicator.
- Click the Add Indicators button to create associations to selected Indicators.
If the desired Indicator does not exist in an owner to which you have access, select New Indicators at the top left of the Add Indicators window. The window will now display options for creating new Indicators (Figure 10).
- Indicator Type: Select an Indicator type. Available choices include Unknown - (parsed), File, Email Subject, Hashtag, Mutex, Registry Key, and User Agent. Parsable Indicator types include Address, Email Address, Host, URL, ASN, and CIDR. After you select an Indicator type, the Indicator Type section will change to enable the entry of associated Indicators of the selected type. If you selected Unknown - (parsed), the following options will be displayed:
- Upload: Upload a file containing the Indicators to be imported and associated to the Group. Requirements for the file are displayed below the Upload heading.
- Text to be Parsed: Enter text to be parsed for Indicators, and then click the + Add button.ImportantIndicators included on an Indicator Exclusion List will not be imported or associated to the Group.
- New Indicators to be Associated: This section displays the Indicator(s) that will be created and associated to the Group in a table with the following columns:
- Type: The Indicator’s type.
- Summary: The Indicator’s summary.
- Known: Indicates whether the Indicator exists in the Group's owner.
- Private: To mark an Indicator as private, select the corresponding checkbox in the Private column. This column will be displayed only if your System Administrator has enabled private Indicators.
- Actions: To remove an Indicator from the table, click Delete
in this column.
- Additional Details (Optional): In this section, you can fill out the following information for all Indicators being created and associated to the Group:
- Owner: This required field is displayed only if cross-owner associations are enabled on your ThreatConnect instance. Select the owner in which the Indicator(s) will be created.ImportantIf cross-owner associations are not enabled on your ThreatConnect instance and the associated object to which a new Indicator association is being added is not in the primary object’s owner, but rather is associated to an object of the same name in a different owner, then the new Indicator will be created in the primary object’s owner, not the associated object’s owner.
- Description: Enter a Description for the Indicator(s).
- Tags: Enter Tags to apply to the Indicator(s).
- Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
- Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
- Owner: This required field is displayed only if cross-owner associations are enabled on your ThreatConnect instance. Select the owner in which the Indicator(s) will be created.
- Click the Add Indicators button to create the new Indicators and associate them to the selected Group.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
20076-04 v.09.A