Pivoting in ThreatConnect
- 12 Apr 2023
- 5 Minutes to read
-
Print
-
DarkLight
Pivoting in ThreatConnect
- Updated on 12 Apr 2023
- 5 Minutes to read
-
Print
-
DarkLight
Article Summary
Share feedback
Thanks for sharing your feedback!
Overview
You can use the Pivot in ThreatConnect option to explore the following association types that exist in ThreatConnect:
- Custom, direct Indicator to Indicator
- Indicator to Group
- Indicator to Case
- Indicator to Tag
- Group to Indicator
- Group to Group
- Group to Case
- Group to Tag
- Case to Indicator
- Case to Group
- Case to Case
- Case to Tag
- Tag to Indicator
- Tag to Group
- Tag to Case
Performing a Pivot
- Click on an Indicator, Group, Case, or Tag node displayed on an object’s graph.
- Select Pivot in ThreatConnect from the node’s contextual menu. A submenu containing the following object types (Figure 1) will be displayed: Groups, Indicators, Cases, and Tags.NoteIf an Indicator or Group belongs to multiple owners, a black border will be applied to its node when you click on it, as in Figure 1.NoteIf you select Pivot in ThreatConnect and an Indicator or Group does not exist in your ThreatConnect instance (e.g., you selected Pivot in ThreatConnect for an Indicator or Group added to the graph via the Pivot with CAL option), a message stating so will be displayed in the menu.
- Select the type of object on which to pivot. See the “Groups,” “Indicators,” “Cases,” and “Tags” sections for further instruction on pivoting on Group, Indicator, Case, and Tag associations, respectively, in ThreatConnect.
Pivoting on Indicators, Groups, and Tags in ThreatConnect will return all associated objects of the selected type in all owners to which you have access. For example, pivoting on all Group types from a Host Indicator associated to a Threat Group in your Organization and an Adversary Group in a Community to which you have access will return both Groups.
Similarly, pivoting from an object that belongs to multiple owners will return associated Indicators, Groups, or Tags across all owners to which you have access. For example, pivoting on the Threat Group type from an Indicator that belongs to an Organization and a Source to which you have access will return Threat Groups associated to the Indicator in each owner. To determine the owner(s) of an associated Indicator, Group, or Tag click on its node and select View Details.
Groups
Select Groups to pivot on Group associations. A scrollable list of all Group types will be displayed (Figure 2).
Select a Group type (Threat in this example) on which to pivot, or select All Groups to pivot on all Group types. If Groups of the selected type(s) are associated to the object from which you pivoted, the following items will be displayed on the graph (Figure 3):
- One or more associated Group nodes. Each node will include a node label that displays the corresponding Group’s summary.
- A connection between each associated Group node and the node from which you pivoted. For pivots made in ThreatConnect, this connection is orange and does not include a label.
Important
If a pivot returns more than 500 associated objects, only the first 500 associated nodes and their respective connections will be displayed on the graph.
Note
If a pivot in ThreatConnect returns no results, a message stating so will be displayed at the lower-left corner of the screen.
Repeat this process for associated nodes or the origin node as desired. For example, pivoting on all Group types for the Menace Initiative Threat Group associated to the verybadguy.com Host Indicator adds four associated Group nodes to the graph, each of which represents a Group associated to Menace Initiative (Figure 4).
If a pivot returns an associated object that belongs to multiple owners, a single node representing the associated object will be displayed on the graph. To view details for the object in each of its owners, click the associated object’s node and select View Details.
Indicators
Select Indicators to pivot on Indicator associations. If pivoting from an Indicator node, a list of all custom Indicator-to-Indicator association types available for the Indicator on your ThreatConnect instance will be displayed (Figure 5).
Select an association type (Domain Registrant Email in this example) on which to pivot, or select All to pivot on all available association types. If an association of the selected type exists, the following items will be displayed on the graph (Figure 6):
- One or more associated Indicator nodes. Each node will include a node label that displays the corresponding Indicator’s summary.
- A connection between each associated Indicator node and the Indicator node from which you pivoted. For pivots made in ThreatConnect, this connection is orange and does not include a label.
If pivoting from a Group, Case, or Tag node, a scrollable list of all Indicator types will be displayed after selecting Indicators from the Pivot in ThreatConnect submenu (Figure 7).
Select an Indicator type, or select All Indicators (as in this example) to pivot on all Indicator types. If Indicators of the selected type(s) are associated to the object from which you pivoted, the following items will be displayed on the graph (Figure 8):
- One or more associated Indicator nodes. Each node will include a node label that displays the corresponding Indicator’s summary.
- A connection between each associated Indicator node and the Group, Case, or Tag node from which you pivoted. For pivots made in ThreatConnect, this connection is orange and does not include a label.
If you pivot from one node to a second node and then pivot from the second node back to the first node, a bidirectional arrow will be displayed on the graph. In this example, the first pivot was from the verybadguy.com Host Indicator to the Menace Initiative Threat Group (Figure 3). After pivoting from the Menace Initiative Threat Group to all Indicator types (Figure 8), the arrow connecting the verybadguy.com Host Indicator to the Menace Initiative Threat Group changed to a bidirectional arrow to reflect the pivot from the Menace Initiative Threat Group back to the verybadguy.com Host Indicator.
Cases
Select Cases to pivot on Cases in your Organization. After selecting Cases, you will be prompted to select an owner of the object from which you are pivoting. If Cases are associated to the object from which you pivoted in the selected owner, the following items will be displayed on the graph (Figure 9):
- One or more associated Case nodes. Each node will include a node label that displays the corresponding Case’s name. If you do not have viewing access to an associated Case, it will not be displayed on the graph.
- A connection between each associated Case node and the node from which you pivoted. For pivots made in ThreatConnect, this connection is orange and does not include a label.
Note
Pivoting on potential Case associations is not supported at this time.
From a Case node, you can pivot on Indicator, Group, Case, and Tag associations. Figure 10 shows two pivots from the Analyze Suspicious Email and Re… Case node: one on Host Indicators followed by one on Cases in the Documentation Team Organization.
Tags
Select Tags to pivot on Tags applied to an Indicator, Group, or Case. If Tags are applied to the object from which you pivoted, the following items will be displayed on the graph (Figure 11):
- One or more associated Tag nodes. Each node will include a node label that displays the corresponding Tag’s name.
- A connection between each associated Tag node and the node from which you pivoted. For pivots made in ThreatConnect, this connection is orange and does not include a label.
From a Tag node, you can pivot on Indicators, Groups, and Cases to which the Tag is applied. Figure 12 shows a pivot from the Malicious Host Tag node on all Indicator types.
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
20117-12 v.01.A
Was this article helpful?
