The Associations Tab

The Associations tab of an object’s Details screen provides options for filtering associated objects, adding associations, and removing associations. Depending on which Details screen version you are viewing, this tab will feature additional functionality. The Associations tab on the new Details screen allows you to view and manage potential associations for an object and create associations automatically using queries written in ThreatConnect Query Language (TQL), and the Associations tab on the legacy Details screen allows you to export associated Indicators.

New Details Screen View

Figure 1 shows the Associations tab of the new Details screen for the Fancy Bear Adversary Group. This tab displays separate cards containing Groups, Indicators, Victim Assets, Artifacts, and Cases associated to the object whose Details screen you are viewing (i.e., the primary object), with the total number of associated objects displayed to the right of the tab’s name. It also display cards containing potentially associated Cases and, for Groups only, Artifacts that you can review and consider adding as associations to the object. If viewing a Group’s Details screen, a card containing TQL queries added to the Group for TQL associations will also be displayed.

You can collapse and expand all cards on the Associations tab by clicking the Collapse All or Expand All button, respectively, above the Groups card. By default, all cards are expanded.

Each card displays its contents in a paginated table. To control which columns are displayed on the table, click the Select columnsbutton at the top right of the card, select or clear the checkbox for each column you want to display or hide, respectively, and click the Apply button. You can also filter objects displayed on each card using the search bar and Filters menu at the top left of the card.

Note

You cannot hide columns that are grayed out in the menu displayed when you click the Select columnsbutton.

TQL Queries

The TQL Queries card, available for Groups only, displays all TQL queries used to create associations for the Group. Queries added to a Group will run automatically based on a schedule configured by your System Administrator (the default schedule is every night at midnight), but you may also run a query manually from the TQL Queries card.

Each time a query added to a Group runs, it creates associations between the Group and objects returned by the query that are not associated to the Group. If cross-owner associations are enabled on your ThreatConnect instance, objects in any owner to which you have access will be associated to the Group; otherwise, only objects in your Organization will be associated to the Group. You may view Groups and Indicators associated to a Group via a TQL query on the Groups and Indicators cards, respectively, of the Associations tab.

The table displayed on the TQL Queries card contains the following columns:

• Name: This column displays the query’s name. To view the query itself, click the arrow to the left of its name. To view the results of the query on the Browse screen in a new browser tab, click View query in browse.
• Type: This column displays the query’s type, which corresponds to the type of objects the query will associate to the Group. At this time, you can add only one Group query and one Indicator query to a single Group object.
• Status: This column displays the query’s status (Enabled or Disabled). If the query has a Disabled status,andicons will be displayed to the left and right, respectively, of the status. To view a tooltip explaining why the query was disabled, hover over one of these icons.

Adding a TQL Query

Click the Add Querybutton at the upper-right corner of the card and then select Group Query or Indicator Query to add a Group or Indicator query, respectively, to the Group. Based on the type of query selected, the Add Group TQL Query (Figure 2) or Add Indicator TQL Query window will be displayed with the Existing Queries option selected, showing all saved TQL queries.

Note

Note: If a Group or Indicator query has been added to the Group, then the Group Query or Indicator Query option, respectively, will be grayed out. Similarly, if the maximum number of queries that can be added to the Group has been reached, then the Add Querybutton will be grayed out.

• Select the query to add to the Group. To view the query itself, click the arrow to the left of its name. To view the results of the query on the Browse screen in a new browser tab, click View query in browse.
• Click the Add Query button. The selected query will be displayed on the TQL Queries card.

To create a new Group or Indicator query, select New Query at the top left of the Add Group TQL Query or Add Indicator TQL Query window, respectively. The window will now display options for creating a new query (Figure 3).

• Query Name: Enter a name for the query.
• TQL Type: The type of object (Group or Indicator) that the query will associate to the Group. The query’s type is based on the option you selected after clicking the Add Querybutton and cannot be changed.
• Query: Enter the query written in TQL. To view a list of TQL operators and parameters in a new browser tab, click the View Full List of Query Commandslink above the Query text box.
  Important

  If you try to create a new query and that query already exists (i.e., it is a saved query), an error message will be displayed at the lower-left corner of the Add Group TQL Query or Add Indicator TQL Query window directing you to use the existing query.
• Click the Add Query button. The newly created query will be displayed on the TQL Queries card and saved to your saved queries list.

Note

The query you enter will not be validated on the Add Group TQL Query window. After adding the query to the Group, it is recommended to click View query in browseto the right of the query’s name on the TQL Queries card and verify that the query functions properly.

Running a TQL Query Manually

To run a query added to a Group manually, click Run Queryin the rightmost column for the query. Messages indicating the status of the query’s execution will be displayed at the lower-left corner of the screen.

Note

If a query has a Disabled status, then the Run Querybutton for that query will be grayed out.

Removing a TQL Query

To remove a query from a Group, click Removein the rightmost column for the query. A message confirming the query removal will be displayed at the lower-left corner of the screen. If you removed a query from a Group by accident, click UNDO in this message to re-add the query to the Group.

Groups

The Groups card displays all Groups associated to the primary object in a paginated table, with the total number of associated Indicators displayed to the right of the card’s header. The table displayed on this card contains the following columns:

• Type: This column displays the Group’s type.
• Name/Summary: The column displays the Group’s summary. To open the Group’s Details screen in the current browser tab or a new one, click its summary or View details in new tab, respectively.
• Owner: This column displays the owner to which the Group belongs.
• Tags: If one or more Tags are applied to the Group, this column will display a count of those Tags; otherwise, no value will be displayed in this column. Click on the number displayed in this column to view the standard Tags and ATT&CK® Tags applied to the Group, as well as links to each Tag’s Details screen.
• Last Modified: This column displays the date when the Group was last modified.
• Date Added: This column displays the date when the Group was created.

Creating an Association

Click the Add Associationbutton at the upper-right corner of the card. The Add Groups window will be displayed (Figure 4), showing all available Groups that are not already associated to the primary object.

• Select one or more Groups to associate to the primary object. If desired, use the Filtersmenu to filter Groups by type, a range of dates within which they were created, or a range of dates within which they were last modified. You can also enter text in the box to the left of the Filtersmenu to filter Groups by summary. If cross-owner associations are enabled on your ThreatConnect instance, you can filter Groups by owner and add associations to Groups in other owners to which you have access. To open a Group’s Details screen in a new browser tab, click the Group’s summary in the Name/Summary column.
• Click the Add Groups button to create associations to the selected Groups.

Removing an Association

To dissociate a Group from the primary object, click Remove  in the rightmost column for the Group.

Viewing CAL Alias Information

If you are viewing the Details screen for a Group and known alias information for the Group exists in CAL™, a CAL Aliases button will be displayed at the upper-right corner of the Groups card, as in Figure 1.

Clicking the CAL Aliases button will display the Groups Via CAL Aliases window, showing one or more Groups belonging to owners you have access to that CAL recommends associating to the Group being viewed (Figure 5). These Groups are recommended as associations because each has a summary that matches a known alias of the Group being viewed.

• Select one or more Groups to associate to the Group being viewed. If desired, use the Filtersmenu to filter Groups by type, a range of dates within which they were created, or a range of dates within which they were last modified. You can also enter text in the box to the left of the Filtersmenu to filter Groups by summary. If cross-owner associations are enabled on your ThreatConnect instance, you can filter Groups by owner and add associations to Groups in other owners to which you have access. To open a Group’s Details screen in a new browser tab, click the Group’s summary in the Name/Summary column.
• Click the Add Groups button to create associations to the selected Groups.

Indicators

The Indicators card displays all Indicators associated to the primary object in a paginated table, with the total number of associated Indicators displayed to the right of the card’s header. The table displayed on this card contains the following columns:

• Type: This column displays the Indicator’s type.
• Name/Summary: The column displays the Indicator’s summary. To open the Indicator’s Details screen in the current browser tab or a new one, click its summary or View details in new tab, respectively.
• Threat Rating: This column displays the Indicator’s Threat Rating, if one has been set for the Indicator.
• Owner: This column displays the owner to which the Indicator belongs.
• Tags: If one or more Tags are applied to the Indicator, this column will display a count of those Tags; otherwise, no value will be displayed in this column. Click on the number displayed in this column to view the standard Tags and ATT&CK Tags applied to the Indicator, as well as links to each Tag’s Details screen.
• Last Modified: This column displays the date when the Indicator was last modified.
• Date Added: This column displays the date when the Indicator was created.

Creating an Association

Click the Add Associationbutton at the upper-right corner of the card. The Add Indicators window will be displayed. If the primary object is an Indicator, the Add Indicators window will look like Figure 6.

• Select an Association Type: Select a custom Indicator-to-Indicator association type. Indicators of the target type that are not associated to the primary object will be displayed.
• Select one or more Indicators to associate to the primary object. If desired, use the Filtersmenu to filter Indicators by a range of dates within which they were created or last modified. You can also enter text in the box to the left of the Select an Association Type dropdown to filter Indicators by summary. If cross-owner associations are enabled on your ThreatConnect instance, you can filter Indicators by owner and add associations to Indicators in other owners to which you have access. To open an Indicator’s Details screen in a new browser tab, click the Indicator’s summary in the Name/Summary column.
• Click the Add Indicators button to create associations to selected Indicators.

If the primary object is a Group, the Add Indicators window will look like Figure 7. By default, the Add Indicators window will be displayed with the Existing Indicators option selected, showing all existing Indicators not associated to the Group. If the desired Indicator exists in an owner to which you have access, keep the selection of Existing Indicators at the top left of the Add Indicators window.

• Select one or more Indicators to associate to the selected Group. If desired, use the Filtersmenu to filter Indicators by type, a range of dates within which they were created, or a range of dates within which they were last modified. You can also enter text in the box to the left of the Filtersmenu to filter Indicators by summary. If cross-owner associations are enabled on your ThreatConnect instance, you can filter Indicators by owner and add associations to Indicators in other owners to which you have access. To open an Indicator’s Details screen in a new browser tab, click the Indicator’s summary in the Name/Summary column.
• Click the Add Indicators button to create associations to selected Indicators.

If the desired Indicator does not exist in an owner to which you have access, select New Indicators at the top left of the Add Indicators window. The window will now display options for creating new Indicators (Figure 8).

• Indicator Type: Select an Indicator type. Available choices include Unknown - (parsed), File, Email Subject, Hashtag, Mutex, Registry Key, and User Agent. The Indicator Type section will display options for entering Indicators of the selected type. If you selected Unknown - (parsed), options to upload a file or enter text to be parsed for Indicators will be displayed, as in Figure 8. After entering the Indicator values or content to be parsed for Indicators, click the + Add button.
  Note

  Parsable Indicator types include Address, Email Address, File, Host, URL, ASN, and CIDR. Custom Indicator types may also be parsed if the following conditions are met:

  • a System Administrator selected the Parsable checkbox when configuring the custom Indicator type;
  • the custom Indicator type accepts a single value;
  • a System Administrator created an import rule for the custom Indicator type.

  For more information on custom Indicator types and Indicator import rules, see the “Custom Indicator Types” and “Indicator Import Rules” sections, respectively, of ThreatConnect System Administration Guide.

  Important

  Indicators included on an Indicator Exclusion List will not be imported or associated to the Group.
• New Indicators to be Associated: This section displays the Indicator(s) that will be created and associated to the Group in a table with the following columns:
  • Type: This column displays the Indicator’s type.
  • Summary: This column displays the Indicator’s summary.
  • Known: This column indicates whether the Indicator exists in the Group's owner.
  • Private: This column will be displayed only if your System Administrator has enabled private Indicators. To mark an Indicator as private, select the corresponding checkbox in the Private column.
  • Actions: To remove an Indicator from the table, click Deletein this column.
• Additional Details (Optional): In this section, you can fill out the following information for all Indicators being created and associated to the Group:
  • Owner: This required field is displayed only if cross-owner associations are enabled on your ThreatConnect instance. Select the owner in which the Indicator(s) will be created. If cross-owner associations are not enabled on your ThreatConnect instance, the Indicator(s) will be created in the owner to which the primary Group object belongs.
  • Description: Enter a Description for the Indicator(s).
  • Tags: Enter Tags to apply to the Indicator(s).
  • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
  • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
• Click the Add Indicators button to create the new Indicators and associate them to the primary Group object.

Removing an Association

If the primary object is a Group, click Removein the rightmost column for the Indicator to dissociate it from the Group.

If the primary object is an Indicator, click the horizontal ellipsisin the rightmost column and select Association Details. The Association Details window will be displayed. This window provides an overview of how the Indicator is associated to the primary Indicator (e.g., directly associated via an Indicator-to-Indicator association, indirectly associated via a shared Group association). To dissociate the Indicator from the primary Indicator, click the Remove Association button on the Association Details window.

Victim Assets

The Victim Assets card displays all Victim Assets associated to the primary object in a paginated table, with the total number of associated Victim Assets displayed to the right of the card’s header. The table displayed on this card contains the following columns:

• Type: This column displays the Victim Asset’s type.
• Name/Summary: The column displays the Victim Asset’s summary.
• Victims: This column displays the Victim to which the Victim Asset belongs.

Creating an Association

You can create direct associations only between Groups and Victim Assets. As such, the Add Associationbutton will not be displayed at the upper-right corner of the Victim Assets card if viewing the Details screen for an Indicator.

Click the Add Associationbutton at the upper-right corner of the Victim Assets card. The Add Victim Assets window will be displayed (Figure 9), showing all available Victim Assets that are not already associated to the primary Group object.

• Select one or more Victim Assets to associate to the Group. If desired, use the Filtersmenu to filter Victim Assets by type. You can also enter text in the box to the left of the Filtersmenu to filter Victim Assets by summary.
  Note

  Cross-owner associations are not supported for Victim Assets at this time.
• Click the Add Victim Assets button to create associations to the selected Victim Assets.

Removing an Association

If the primary object is an Indicator, click the horizontal ellipsisin the rightmost column and select Association Details. The Association Details window will be displayed. This window provides an overview of how the Victim Asset is associated to the primary Indicator (i.e., indirectly associated via a shared Group association). To dissociate the Victim Asset from the primary Indicator, click the Remove Association button on the Association Details window.

If the primary object is a Group, the only way you can dissociate the Victim Asset from the Group is by navigating to the Details screen for the Victim to which the Victim Asset belongs and removing the association from the Associated Groups section of the Associations card .

Artifacts

The Artifacts card displays all Artifacts associated to the primary object in a paginated table, with the total number of associated Artifacts displayed to the right of the card’s header. The table displayed on this card contains the following columns:

• Type: This column displays the Artifact’s type.
• Name: This column displays the Artifact’s summary.
• Case: The column displays the Workflow Case to which the Artifact belongs. To open the Case in a new browser tab, click its summary or View details in new tab.
• Analytics Score: This column displays the Artifact’s ThreatAssess assessment level and score.
• Status: For Artifacts that are ThreatConnect Indicator types, this column displays CAL’s assessment of whether the Indicator is an active Indicator of Compromise (IOC) at the current time. If an Artifact is not a ThreatConnect Indicator, or if CAL did not return data identifying whether the Indicator is active or inactive at the current time, then no value will be displayed in this column for the Artifact.
• Date Added: This column displays the date when the Artifact was created.

Creating an Association

Click the Add Associationbutton at the upper-right corner of the card. The Link Artifacts drawer will be displayed (Figure 10), showing all available Artifacts in all of the Workflow Cases in your Organization that are not already associated to the primary object.

Note

The Add Associationbutton will be displayed for Indicators and Groups in an Organization only, as you cannot associate Artifacts to Indicators and Groups in Communities and Sources at this time.

• Select one or more Artifacts to associate to the primary object. If desired, use the FILTERS selector to filter Artifacts by type, or use the search box to filter Artifacts by summary.
• Click the ADD SELECTED button to create associations to the selected Artifacts.

You can also create associations between an Indicator or a Group in your Organization and Artifacts within a Workflow Case via the Case’s Artifacts card. See the “Associated Indicators” and “Associated Groups” sections of Viewing Artifact Details for more information.

Removing an Association

To dissociate an Artifact from the primary object, click Removein the rightmost column for the Artifact.

Cases

The Cases card displays all Workflow Cases associated to the primary object in a paginated table, with the total number of associated Cases displayed to the right of the card’s header. The table displayed on this card contains the following columns:

• ID: This column displays the Case’s ID number.
• Name: This column displays the Case’s name. To open the Case in a new browser tab, click its summary or View details in new tab.
• Assignee: This column displays the user or user group to which the Case is assigned.
• Resolution: This column displays the Case’s resolution.
• Status: This column displays the Case’s status.
• Severity: This column displays the Case’s severity.
• Date Added: This column displays the date when the Case was created.

Creating an Association

Click the Add Associationbutton at the upper-right corner of the card. The Link Cases drawer will be displayed (Figure 11). By default, the Link Cases drawer is displayed with the Existing Cases option selected, showing all Cases in your Organization that are not associated to the primary object. If the desired Case exists in your Organization, keep the selection of Existing Cases at the top left of the Link Cases drawer.

Note

The Add Associationbutton will be displayed for Indicators and Groups in an Organization only. To create an association between a Case and an Indicator or Group in a Community or Source, navigate to the Case’s Associations card and create the association from there.

• Select one or more Cases to associate to the primary object. If desired, use the FILTERS selector to filter Cases by severity, resolution, status, assignee, or a range of dates within which they were created. You can also use the search box to the right of the FILTERS selector to filter Cases by name.
• Click the ADD SELECTED button to create associations to the selected Cases.

If the desired Case does not exist in your Organization, select New Case at the top left of the Link Cases drawer. The drawer will now display options for creating a new Case (Figure 12).

• See Creating Cases for descriptions of each option on this drawer.
• Click the SAVE button to create the new Case and associate it to the primary object.

You can also create associations between an Indicator or a Group and Workflow Cases via a Case’s Associations card. See the “Indicators” and “Groups” sections of Associations Card for Cases for more information.

Removing an Association

To dissociate a Case from the primary object, click Removein the rightmost column for the Case.

Potential Associations

The Potential Associations card displays Cases and, for Groups only, Artifacts suggested as associations that you may want to add to the primary object.

Viewing Potentially Associated Artifacts

The Artifacts sub-card, available for Groups only, displays Artifacts that match the summary (i.e., name) and type of an Indicator associated to the Group.

For example, consider a Group associated to the superbadguy.com Host Indicator. If there is an Artifact with the same summary and type as that Indicator added to a Workflow Case in your Organization, and the Use to potentially associate cases. checkbox has been selected for the Artifact, then that Artifact will be displayed on the Artifacts sub-card. You can then consider this connection, click on the name of the Case to which the Artifact belongs to investigate further, and decide whether to add the Artifact as an association.

Viewing Potentially Associated Cases

For Groups, the Cases sub-card displays Cases containing Artifacts that match the summary and type of an associated Indicator; for Indicators, the Cases sub-card displays Cases containing Artifacts that match the summary and type of the Indicator whose Details screen you are viewing.

Continuing from the example in the previous section, if a Group is associated to the superbadguy.com Host Indicator and there is a Case that contains an Artifact with the same summary and type and for which the Use to potentially associate cases. checkbox has been selected, then that Case will be displayed on the Cases sub-card.

Creating an Association

To add a potentially associated Artifact or Case as an association to the primary object, click the Add Associationbutton in the rightmost column for the Artifact or Case. After a potentially associated Artifact or Case is added as an association to the primary object, it will be removed from the Potential Associations card. If at any point you dissociate an Artifact or Case that was suggested as a potential association from the primary object, it will be readded to the Artifacts or Cases sub-card, respectively.

Note

The Add Associationbutton will be displayed for Indicators and Groups in an Organization only. To associate a potentially associated Case to an Indicator or Group in a Community or Source, navigate to the Case’s Potential Associations card and create the association from there. You cannot associate potentially associated Artifacts to Groups in Communities and Sources, as cross-owner associations are not supported for Artifacts at this time.

Legacy Details Screen View

Figure 13 shows the Associations tab of the legacy Details screen for the superbadguy.com Host Indicator. In addition to being able to filter associated objects and add and remove associations, you can export associated objects to a CSV file on the Associations tab of the legacy Details screen.

Viewing and Filtering Associations

The associated objects provided in the table of the Associations tab are classified by type according to the icon menus in the center. Choosing an item from each menu (e.g., Signatures from the Documents menu) displays only associated objects of that type. Clicking on the menu itself (i.e., clicking on the icon without selecting an item from its menu) displays associated objects of all of the types listed in that menu, as in Figure 13, which lists all Indicators associated with the primary Indicator, including custom Indicator-to-Indicator associations, Indicators that are associated to the primary Indicator by a DNS resolution or a File action (File Archive, File Drop, or File Traffic), and Indicators that are associated to the primary Indicator via a shared Group.

The table columns depend on the type of primary object and which menu or menu item has been selected. For example, for a primary Indicator object, any Indicators table that is populated with at least one entry has a column with Detailsicons that, when clicked, provide information about the Group object to which both Indicators (the primary Indicator and the associated Indicator) are associated and options to dissociate the primary Indicator from the Group (and therefore from all Indicators associated with the Group). For a primary Group object, the Indicators tables do not have this icon, but rather a Dissociate link that, when clicked, immediately (i.e., without a request for confirmation) dissociates the Group from the Indicator. As another example, the Reports and Signatures tables have Intel Rating (Thumbs Up and Thumbs Down) columns.

For a primary Indicator object, the Indicators tables will display a Relation Type menu at the top right of the table, as in Figure 13. This menu allows you to filter the Indicators shown by type of association (i.e., custom Indicator-to-Indicator association, DNS resolution, type of File action, or type of Group through which the Indicator-to-Group-to-Indicator first-level association exists).

Adding an Association

1. Click the +NEW ASSOCIATION button in Figure 13. The Select an Association window will be displayed (Figure 14).

   

    

2. Use the Select Type dropdown menu to select the association type to create. Objects that qualify for this association type will be displayed in the table. For example, in Figure 15, Adversary was selected.

   

    

3. Select the Indicator(s) or Group(s) to associate to the primary object. If desired, use the Filter box to filter Indicators or Groups displayed in the table.
   Important

   When searching for file hashes, the Filter box performs a case-sensitive search. For example, a search for the file hash “0413F832D8161187172AEF7A769586515F969479” will not return “0413f832d8161187172aef7a769586515f969479” as a result.
4. Click the SAVE button.
   Note

   You can also add associations from both the graph view and table view of the Associations card on the Overview tab of the legacy Details screen.

Exporting Associated Objects

Click on the EXPORT dropdown menu at the lower-left corner of the screen (Figure 13) and select the ThreatConnect CSV option. The Export Data window will be displayed (Figure 16).

• Clear the checkbox(es) for any field(s) that should not be included in the CSV file.
• Click the EXPORT button. The CSV file will download to your computer.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK^® and ATT&CK^® are registered trademarks of The MITRE Corporation.

20076-13 v.12.A