Graph View: Object Menu
  • 30 Jan 2024
  • 7 Minutes to read
  • Dark
    Light

Graph View: Object Menu

  • Dark
    Light

Article summary

When viewing the Associations card in graph view, clicking on a node representing an associated object will display a contextual menu (Figure 1) with the following options: View Details, Pivot, and Add Association.

 

Important
If the Add Association option is not displayed after clicking on a node representing an Indicator, select View Details and then select Back in the contextual menu. The Add Association option will now be displayed in the node’s menu. You must perform these steps each time you click on the Indicator node in order to see the Add Association option.

View Details

Select View Details to display the selected object’s Details drawer. If the selected object exists in multiple owners, you will be prompted to select the owner in which you want to view details about the object.

Note
The View Details option will not be displayed for the origin node (i.e., the node representing the object for which you are viewing the Details screen).

Pivot

Select Pivot to pivot on associations for the selected node. After you select Pivot, you will be prompted to choose the type of object on which to pivot: Indicators, Groups, Tags, or Victims (Figure 2).

Note
If there are no associated objects on which to pivot for the selected node, the Pivot option will not be displayed.

 

Select an object type to display all objects of that type that are associated to the selected node. You can pivot on multiple object types for a single node by clicking on the node, selecting Pivot, and selecting the next type from the menu displayed in Figure 2.

Figure 3 shows all Indicators, Groups, and Tags associated to the Menace Initiative Threat Group. These objects are considered second-level associations because they are two levels of association away from the primary object. You can, in turn, click on them to explore their details and associated objects.

 

To hide second-level associated objects, click on the node to which they’re associated, select Pivot, and select one of the Hide options (Figure 4).

 

Note
As you explore more levels of association, you may need to use the Zoom to Fit or Zoom Out options at the lower-right corner of the Associations card to view the entire graph.

Add Association

From graph view, you may add associations to the primary object or to associated objects via the Add Association option (Figure 1). This option will be displayed only if the following conditions apply:

  • If the object is an Indicator, custom Indicator-to-Indicator association types must be enabled and available.
  • You have a permission level of Create or higher for Indicators and Groups in the object’s owner.
  • The object is not a Tag.

Selecting Add Association in Figure 1 will display a menu listing two object types: Group and Indicator (Figure 5).

 

If cross-owner associations are enabled on your ThreatConnect instance, you can create associations to Indicators and Groups in any owner to which you have access; otherwise, you can only create associations to Indicators and Groups that belong to the same owner as the selected object.

Group

Select Group to create associations to one or more Groups. The Add Groups window will be displayed (Figure 6), showing all available Groups that are not already associated to the object from which you selected Group.

Graphical user interface, application, email  Description automatically generated

 

  • Select one or more Groups to associate to the selected object. As you select Groups, the Selected button at the top left of the window will update to reflect the current number of selected items. When at least one Group is selected, you can click the Selected or Clear Selection button to view only the selected items or clear all selections, respectively.
  • To filter Groups by type, creation date, last modified date, and, if cross-owner associations are enabled, owner, use the FiltersFilters button_Details screenmenu; to filter Groups by summary, use the search bar.
  • Click the Add Groups button to create associations to the selected Groups.

The new associations(s) will be displayed in the graph, as shown in Figure 7 for the Big Top Adversary Group, to which an association to the Bad Incident Incident Group was created.

A picture containing text, sky, map, vector graphics  Description automatically generated

 

Indicator

Select Indicator to create associations to one or more Indicators. The Add Indicators window will be displayed. This window’s appearance depends on the type of object from which you selected Indicator.

Indicator-to-Indicator Association

If the object from which you selected Indicator is an Indicator, the Add Indicators window will look like Figure 8.

 

  • Select an Association Type: Select a custom Indicator-to-Indicator association type. Indicators of the target type that are not associated to the selected Indicator will be displayed.
  • Select one or more Indicators to associate to the selected object. As you select Indicators, the Selected button at the top left of the window will update to reflect the current number of selected items. When at least one Indicator is selected, you can click the Selected or Clear Selection button to view only the selected items or clear all selections, respectively.
  • To filter Indicators by creation date, last modified date, and, if cross-owner associations are enabled, owner, use the and Filtersmenu; to filter Indicators by summary, use the search bar.
  • Click the Add Indicators button to create associations to selected Indicators.

Group-to-Indicator Association

If the object from which you selected Indicator is a Group, the Add Indicators window will look like Figure 9. By default, the Add Indicators window will be displayed with the Existing Indicators option selected, showing all existing Indicators not already associated to the selected Group. To create an association to an Indicator that exists in one of your ThreatConnect owners, keep the selection of Existing Indicators at the top left of the Add Indicators window.

 

  • Select one or more Indicators to associate to the selected object. As you select Indicators, the Selected button at the top left of the window will update to reflect the current number of selected items. When at least one Indicator is selected, you can click the Selected or Clear Selection button to view only the selected items or clear all selections, respectively.
  • To filter Indicators by type, creation date, last modified date, and, if cross-owner associations are enabled, owner, use the and Filtersmenu; filter Indicators by summary, use the search bar.
  • Click the Add Indicators button to create associations to selected Indicators.

To create an association to an Indicator that does not exist in one of your ThreatConnect owners, select New Indicators at the top left of the Add Indicators window. The window will now display options for creating new Indicators (Figure 10).

Graphical user interface, text, application  Description automatically generated

 

  • Indicator Type: Select an Indicator type (available choices include Unknown - (parsed), File, Email Subject, Hashtag, Mutex, Registry Key, and User Agent). The Indicator Type section will display options for entering Indicators of the selected type. If you selected Unknown - (parsed), options to upload a file or enter text to be parsed for Indicators will be displayed, as in Figure 10. After entering the Indicator values or content to be parsed for Indicators, click the + Add button.
    Note

    Parsable Indicator types include Address, Email Address, File, Host, URL, ASN, and CIDR. Custom Indicator types may also be parsed if the following conditions are met:

    • a System Administrator selected the Parsable checkbox when configuring the custom Indicator type;
    • the custom Indicator type accepts a single value;
    • a System Administrator created an import rule for the custom Indicator type.

    For more information on custom Indicator types and Indicator import rules, see the “Custom Indicator Types” and “Indicator Import Rules” sections, respectively, of ThreatConnect System Administration Guide.

    Important
    Indicators included on an Indicator Exclusion List will not be imported or associated to the Group.
  • New Indicators to be Associated: This section displays the Indicator(s) that will be created and associated to the Group in a table with the following columns:
    • Type: The Indicator’s type.
    • Summary: The Indicator’s summary.
    • Known: Indicates whether the Indicator exists in the Group's owner.
    • Private: This column will be displayed only if your System Administrator has enabled private Indicators. To mark an Indicator as private, select the corresponding checkbox in the Private column.
    • Actions: To remove an Indicator from the table, click Deletein this column.
  • Additional Details: In this section, you can fill out the following information for all Indicators being created and associated to the Group:
    • Owner: This required field is displayed only if cross-owner associations are enabled on your ThreatConnect instance. Select the owner in which the Indicator(s) will be created. 
    • If cross-owner associations are not enabled on your ThreatConnect instance and the associated object to which you are adding a new Indicator association is not in the primary object’s owner, but rather is associated to an object of the same name in a different owner, then the new Indicator will be created in the primary object’s owner, not the associated object’s owner.
    • Description: Enter a Description for the Indicator(s).
    • Tags: Enter Tags to apply to the Indicator(s).
    • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
    • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
  • Click the Add Indicators button to create the new Indicators and associate them to the selected Group.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20076-04 v.09.C


Was this article helpful?