An Association is one of the most powerful features in ThreatConnect®. Associating Indicators to Groups empowers an analyst to pivot to any related Group, such as Adversaries, Documents, Threats, etc. Moreover, Indicators can be associated to other Indicators via custom Associations, and users can associate two Groups of the same type (e.g., Documents to Documents).
Creating an Association
- From the top navigation bar (Figure 1), place the cursor over BROWSE and then over the INDICATORS or GROUPS option.
- Click on one of the objects (HOST Indicator in this example) to display a results table (Figure 2).
- Click on an entry, and the Details window for that entry will appear (Figure 3).
- Click the Details icon at the top right corner of the window, and the Overview tab of the Details screen will appear (Figure 4).
- Click the Associations tab, and the Associations screen will appear (Figure 5).
- Click the + NEW ASSOCIATION button, and the Select an Association window will appear (Figure 6).
- Click on the Select Type drop-down menu, and select an Indicator or Group type.
- In the Filter box, enter the name of the Indicator or Group.
- Click the Search icon (magnifying glass), and all Indicators or Groups matching the criteria will display in the table below.
- Check the box next to the Indicator(s) or Group(s) that will be associated. Anything left unchecked will be ignored.
- Click the SAVE button.
The Associations Card
The Associations card on the Overview tab of the Details screen provides two ways in which to view and track an Indicator or Group’s Associations: Graph view and Table view.
Figure 7 shows the Associations card in Graph view for the Host Indicator in the example earlier in this article. All of the objects associated to the Host Indicator are considered first-level associations, because they are directly associated to the Indicator.
NOTE: If the object, or node, labels do not appear, use the + button at the bottom left to zoom in on the graph.
The legend in the bottom left corner is a summary of the main color shade that corresponds to each type of object displayed in the graph. Hover the cursor over the legend to see a detailed breakdown of colors that correspond to each type of Indicator and Group (Figure 8).
If the cursor is hovered over one of the objects in the legend, all objects of that type will be highlighted with an orange border in the graph, as shown in Figure 9 for the Tag object.
Click the pop-out icon at the top right of the card to view the graph in full-screen mode. Use the three buttons at the bottom right corner of the card to zoom the graph to fit in the card, zoom in, and zoom out, respectively.
NOTE: When zoomed in, it is useful to hold down the mouse button and drag the view around to explore areas of the graph that are initially offscreen.
Hovering the cursor over an object highlights the object and all other objects associated to it. For example, Figure 10 shows what the Associations card looks like when the cursor is hovered over the “18.104.22.168” Address Indicator, and Figure 11 shows the card when the cursor is hovered over the “22.214.171.124” Address Indicator (i.e., the Indicator that is the subject of the Details Overview screen displaying the Associations card; see Figure 4).
Nodes can be moved around the graph by clicking on them and dragging them to the desired location. The lengths of the connections between nodes can also be adjusted by clicking and dragging the nodes. For example, Figure 12 shows the Associations card after multiple adjustments of this type were made.
NOTE: Adjustments to node length and location will not persist after refreshing or navigating away from the page.
Click on an associated object, and a dropdown menu will appear with two options (Figure 13).
Clicking the View Details option will cause the Details window for that object to slide in on the left-hand side of the screen (Figure 14).
Click on options in the Details window to continue to explore that object, or click the X at the top right-hand corner of the Details window to close it.
Clicking on the Pivot option in Figure 13 will cause a menu listing three object types to appear (Figure 15).
Click on an object type, and the graph will show all objects of that type that are associated to the selected node. More than one object type can be selected by re-opening the menu in Figure 13 and selecting the next type. Figure 16 shows all of the Indicators, Groups, and Tags associated to the “My Signature” object. These objects are considered second-level associations, because they are two levels of association away from the original object. They can, in turn, be clicked on to explore their details and associated objects.
To hide second-level associated objects, click on the object, choose Pivot from the menu, and select one of the Hide options from the menu that appears (Figure 17).
As more levels of association are explored, the graph will grow such that it can be viewed in its entirety only by zooming out (Figure 18).
Click the Settings icon, and the Settings window will appear (Figure 19).
Toggle the Mouse Scroll Wheel Zooming slider to turn on the capability to zoom the Associations graph by using the mouse scroll wheel or a laptop trackpad’s scroll functionality. Click on the Export Graph text to view a dropdown menu from which the graph can be exported as a PNG file or a JPEG file. Use the ThreatConnect | Cola | Grid options to select the type of layout for the graph. The ThreatConnect and Cola layouts show the object in the center of the display, with associated objects projecting out from it (Figure 7). The ThreatConnect layout is performance-optimized and uses WebGL, while the Cola layout does not perform as well but can be used when WebGL is not available. Grid layout shows the object at the top left of the display, with associated objects projecting down and to the right in a gridlike format (Figure 20).
The 1st Level Associations section provides options for the display of objects that are directly associated to the object. Use the checkboxes next to Indicators, Groups, and Tags to determine whether those associated object types will be displayed or not. Use the Association Limits sliders to set the maximum number of associations that will be shown in the graph.
NOTE: The more associations that are shown, particularly for objects that have a large number of first-level associations, the less granular the data will appear to be without zooming the graph in significantly.
The display of second-level associations is optional. To add them to the graph, toggle the 2nd Level Associations slider and click the DETAILS text to view options for their display (Figure 13).
In each section, use the checkboxes to determine which types of second-level associations should be displayed, or use the All <Object type> / None header to select all or none of them, respectively. Use the sliders on the right-hand side of the box to set the maximum number of associations of each type that should be displayed. Toggling the slider in the middle to Total indicates that the maximum number of associations set by the sliders on the right will apply to all second-level associations of that type, while toggling the slider to Node indicates that the maximum number of associations set by the sliders on the right will apply per node of that type.
NOTE: The Node setting is useful when there are objects with so many second-level associations that the number of second-level associations shown maxes out, causing some of the objects not to have any second-level associations shown for them. Toggling to Node allows every node (that is, every first-level-associated object) to have the set number of second-level associations shown for it.
NOTE: Any changes made in the Settings window will not occur until the APPLY button is clicked.
NOTE: Multiple levels of pivoting may cause browser performance to decline as more and more nodes are loaded into the graph. In such cases, it is advisable to stop pivoting in order to prevent the browser from slowing further and crashing.
If the number of associations for a particular type exceeds the association limits, a Caution icon will display under the Settings icon, and the legend at the bottom left-hand corner will display a red circle icon with the label “Max Associations Fetched” (Figure 22). Likewise, all nodes for which the maximum number of associations was fetched will appear with a red circle around them (Figure 23).
Clicking on the Caution icon will open a small window stating that at least one association returned the maximum number of nodes (Figure 24).
Click the ADJUST SETTINGS button, and the Settings window will open, showing Caution icons next to all types of associations for which the association limit was exceeded.
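To make the Total vs Node limit behaviour and the “Max Associations Fetched” condition concrete, here is an added Python model; it is not ThreatConnect code, and the sample graph, node names and the function are constructed for illustration only. It expands the second-level associations of one object type under each mode and reports which first-level nodes had associations cut off by the limit:

```python
"""Model of the Associations graph's 2nd-level limit semantics (Total vs Node).

Added illustration, not ThreatConnect code. The graph, node names and object
types below are constructed sample data, not values from a real instance.
"""

# Constructed sample: each node maps to its directly associated objects.
# Object types follow the legend categories on the page: Indicator, Group, Tag.
SAMPLE_GRAPH = {
    "host-root": [("addr-1", "Indicator"), ("doc-1", "Group"), ("sig-1", "Group")],
    "addr-1": [("doc-2", "Group"), ("doc-3", "Group"), ("doc-4", "Group"), ("tag-a", "Tag")],
    "doc-1": [("doc-5", "Group"), ("tag-b", "Tag")],
    "sig-1": [("doc-6", "Group"), ("doc-7", "Group")],
}


def expand_second_level(graph, root, obj_type, limit, mode):
    """Return (shown, capped) for second-level associations of `obj_type`.

    shown:  {first_level_node: [second_level_nodes displayed]}
    capped: first-level nodes whose associations were cut by the limit,
            i.e. the ones the UI would mark "Max Associations Fetched".
    mode "Total": `limit` is one budget shared by all first-level nodes.
    mode "Node":  `limit` applies separately to each first-level node.
    """
    if mode not in ("Total", "Node"):
        raise ValueError("mode must be 'Total' or 'Node'")
    shown, capped = {}, set()
    remaining = limit  # shared budget, consumed only in Total mode
    for first, _ in graph.get(root, []):
        candidates = [n for n, t in graph.get(first, []) if t == obj_type]
        budget = remaining if mode == "Total" else limit
        take = candidates[:budget]
        shown[first] = take
        if len(take) < len(candidates):
            capped.add(first)  # this node hit the cap
        if mode == "Total":
            remaining -= len(take)
    return shown, capped


def caution_needed(capped):
    """True when at least one node hit the limit (the Caution icon case)."""
    return bool(capped)
```

With a Total limit of 3 Groups, the first node consumes the whole budget and the later first-level nodes show no second-level Groups at all, which is exactly the situation the Node setting resolves.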
Click the Table text at the top right corner of the Associations card to change the card to Table view (Figure 26).
Table view provides respective lists of all associated Groups, Indicators, and Victim Assets. To add a new Association, click the Plus icon next to the type of object to add. A window displaying all available objects of that type (Group in this example) that are not already associated to the object will appear (Figure 27).
Select one or all of the displayed items, or use the Group Type dropdown menu and search box to filter the results before selecting any items. Click the SAVE button to save the selected Associations.