An association is one of the most powerful features in ThreatConnect®. Associating Indicators to Groups empowers an analyst to pivot to any related Group, such as Adversaries, Documents, Threats, etc. Moreover, Indicators can be associated to other Indicators via custom associations, and users can associate two Groups of the same type (e.g., Documents to Documents).
Navigating to the Associations Card
The Associations card on the Overview tab of the Details screen provides information about an object’s associations.
- From the top navigation bar (Figure 1), place the cursor over Browse and then over the Indicators or Groups option.
- Click on one of the objects (Host Indicator in this example) to display a results table (Figure 2).
- Click on an entry, and the Details drawer for that entry will be displayed (Figure 3).
- Click the Details icon at the top right corner of the drawer, and the Overview tab of the Details screen will be displayed (Figure 4). Alternatively, hover over the object's entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen. Scroll down if necessary to view the Associations card on the right-hand side of the screen.
The Associations Card
The Associations card provides two ways in which to view and track an Indicator’s or Group’s associations: graph view and table view.
Figure 5 shows the Associations card in graph view for the Host Indicator in the example earlier in this article. All of the objects associated to the primary object (i.e., the object that is the subject of the Details screen and the central node of the associations graph) are considered first-level associations, because they are directly associated to the primary object or are associated via a Group.
NOTE: Some of the associated objects may actually be associated to an object of the same name in a different owner rather than to the primary object itself. For example, in Figure 5, the Host Indicator badguy.com is owned by Demo Organization (as shown at the top right of Figure 4), but some of the objects associated to it, like the My Signature Group object, have a different owner (in this case, Demo Community) and are associated to a badguy.com Host Indicator in Demo Community rather than to the badguy.com Host Indicator in Demo Organization. To get a clearer picture of the owner of each associated object, switch to table view (see the “Table View” section later in this article), which includes a column displaying the owner for each associated object.
NOTE: If the object, or node, labels do not appear, use the + button at the bottom left to zoom in on the graph.
The legend in the bottom left corner is a summary of the main color shade that corresponds to each type of object displayed in the graph. Hover the cursor over the legend to see a detailed breakdown of colors that correspond to each type of Indicator and Group (Figure 6).
If the cursor is hovered over one of the objects in the legend, all objects of that type will be highlighted with an orange border in the graph, as shown in Figure 7 for the Adversary object.
Click the Expand icon at the top right of the card to view the graph in full-screen mode and then, when in full-screen mode, the Collapse icon to exit from full-screen mode. Use the three buttons at the bottom right corner of the card to zoom the graph to fit in the card, zoom in, and zoom out, respectively.
NOTE: Clicking and holding down the mouse button when the cursor is over empty space on the graph and then moving the mouse will drag the view around. When zoomed in, it is useful to drag the view around to explore areas of the graph that are initially offscreen.
Hovering the cursor over an object highlights the object and all other objects associated to it. For example, Figure 8 shows what the Associations card looks like when the cursor is hovered over the Bad Guy Adversary Indicator, and Figure 9 shows the card when the cursor is hovered over the badguy.com Host Indicator (i.e., the Indicator that is the subject of the Details Overview screen displaying the Associations card; see Figure 4).
Clicking on the association line between two nodes will bring up an Association Details window for that association. For example, Figure 10 shows the Association Details window that is displayed when the line between the badguy.com Host Indicator and the Bad Guy Adversary Group is clicked.
To dissociate the two objects, click the Dissociate text at the right of the window. This option is not available for objects in a different owner that are associated to an object with the same name as that of the primary object in their owner, as described in the note before Figure 5. Changes to these kinds of associations must be made when viewing the object of the same name in the other owner.
NOTE: This window will not be displayed for associations involving Tags.
NOTE: If an Indicator-to-Indicator association has been created by a DNS resolution or File action (File Archive, File Drop, or File Traffic), then the window that appears when its association line is clicked on will display a message of “No additional details” in the table.
Nodes can be moved around the graph by clicking on them and dragging them to the desired location. The lengths of the connections between nodes can also be adjusted by clicking and dragging the nodes. For example, Figure 11 shows the Associations card after multiple adjustments of this type were made.
NOTE: Adjustments to node length and location will not persist after refreshing or navigating away from the page.
Click on an associated object, and a dropdown menu with three options will be displayed (Figure 12).
Clicking the View Details option will cause the Details drawer for that object to slide in on the left-hand side of the screen (Figure 13).
NOTE: Clicking on the View Details option for a Tag will display a menu listing all Organizations, Communities, and Sources which use that Tag. Select one of the options, and the Details drawer for the Tag in that owner will be displayed.
Click on options in the Details drawer to continue to explore that object, or click the X at the top right-hand corner of the Details drawer to close it.
Clicking on the Pivot option in Figure 12 will cause a menu listing three object types to be displayed (Figure 14).
Click on an object type, and the graph will show all objects of that type that are associated to the selected node. More than one object type can be selected by re-opening the menu in Figure 12 and selecting the next type. Figure 15 shows all of the Indicators, Groups, and Tags associated to the Bad Guy Adversary object. These objects are considered second-level associations, because they are two levels of association away from the primary object. They can, in turn, be clicked on to explore their details and associated objects.
To hide second-level associated objects, click on the object, choose Pivot from the menu, and select one of the Hide options from the menu that is displayed (Figure 16).
As more levels of association are explored, the graph will grow such that it can be viewed in its entirety only by zooming out (Figure 17).
From graph view, associations may be added to the object itself or to associated objects that have the same owner as that of the primary object. Clicking on the Add Association option in Figure 12 will display a menu listing two object types (Figure 18).
Clicking on the Group option will cause the Group Association window to be displayed (Figure 19).
If desired, use the Group Type dropdown menu to filter for certain Group types, or use the search bar to narrow down the displayed Groups to those containing a particular string. Select one or more Groups, and then click the SAVE button. The new association will now be displayed in the graph, as shown in Figure 20 for the Bad Guy Adversary Group, to which an association to the Sample Report Report Group was added at the bottom of the card.
NOTE: The Group Association window will open for objects in a different owner that are associated to an object with the same name as that of the primary object in their owner (see the note under Figure 5 for more details), and objects may be selected from that window, but the SAVE button will be disabled. Associations to these objects must be made when viewing the object of the same name in the other owner.
Clicking on the Indicator option in Figure 18 will cause the Indicator Association window to be displayed (Figure 21).
If the desired Indicator already exists within the primary object's owner, it may be selected from the table provided in the window when the Existing Indicator(s) radio button at the top left is selected. Use the Indicator Type dropdown menu to filter for certain Indicator types, or use the search bar to narrow down the displayed Indicators to those containing a particular string. Select one or more Indicators, and then click the SAVE button.
NOTE: The Indicator Association window will open for objects in a different owner that are associated to an object with the same name as that of the primary object in their owner (see the note under Figure 5 for more details), and objects may be selected from that window, but the SAVE button will be disabled. Associations to these objects must be made when viewing the object of the same name in the other owner, or they may be associated to new objects that are created via the New Indicator(s) radio button, as described next.
If the desired Indicator does not exist within the primary object's owner, select the New Indicator(s) radio button at the top left of the window. The window will now display options for entering a new Indicator (Figure 22).
Once one or more Indicators have been added via the Indicator Type section, they will be displayed in the Associations section. Then, if desired, enter a Description, Tags, Threat Rating, and Confidence Rating for the associated Indicator(s) in the Association Details section, and then click the SAVE button.
NOTE: If the associated object to which a new Indicator association is being added is not in the primary object’s owner, but rather is associated to an object of the same name in a different owner, then the new Indicator will be created in the associated object’s owner, not the primary object’s owner.
From the Associations card in graph view, click the Settings icon, and the Settings window will be displayed (Figure 23).
Toggle the Mouse Scroll Wheel Zooming slider to turn on the capability to zoom the associations graph by using the mouse scroll wheel or a laptop trackpad’s scroll functionality. Click on the Export Graph text to view a dropdown menu from which the graph can be exported as a PNG file or a JPEG file. Use the ThreatConnect | Cola | Grid options to select the type of layout for the graph. The ThreatConnect and Cola layouts show the object in the center of the display, with associated objects projecting out from it (Figure 5). The ThreatConnect layout is performance optimized and uses webgl, while the Cola layout does not perform as highly, but can be used when webgl is not available. Grid layout shows the object at the top left of the display, with associated objects projecting down and to the right in a gridlike format (Figure 24).
The 1st Level Associations section provides options for the display of objects that are directly associated to the object. Use the checkboxes next to Indicators, Groups, and Tags to determine whether those associated object types will be displayed or not. Use the Association Limits sliders to set the maximum number of associations that will be shown in the graph.
NOTE: The more associations that are shown, particularly for objects that a large number of first-level associations, the less granular the data will appear to be without zooming the graph in significantly.
The display of second-level associations is optional. To add them to the graph, toggle the 2nd Level Associations slider and click the DETAILS text to view options for their display (Figure 25).
In each section, use the checkboxes to determine which types of second-level associations should be displayed, or use the All <Object type> / None header to select all or none of them, respectively. Use the sliders on the right-hand side of the box to set the maximum number of associations of each type that should be displayed. Toggling the slider in the middle to Total indicates that the maximum number of associations set by the sliders on the right will apply to all second-level associations of that type, while toggling the slider to Node indicates that the maximum number of associations set by the sliders on the right will apply per node of that type.
NOTE: The Node setting is useful when there are objects with so many second-level associations that the number of second-level associations shown maxes out, causing some of the objects not to have any second-level associations shown for them. Toggling to Node allows every node (that is, every first-level-associated object) to have the set number of second-level associations shown for it.
NOTE: Any changes made in the Settings window will not occur until the APPLY button is clicked.
NOTE: Multiple levels of pivoting may cause browser performance to decline as more and more nodes are loaded into the graph. In such cases, it is advisable to stop pivoting in order to prevent the browser from slowing further and crashing.
If the number of associations for a particular type exceeds the association limits, a Caution icon will display under the Settings icon, and the legend at the bottom left-hand corner will display a red circle icon with the label “Max Associations Fetched” (Figure 26). As such, all nodes for which the maximum number of associations were fetched will be displayed with a red circle around them (Figure 27).
Clicking on the Caution icon will open a small window stating that at least one association returned the maximum number of nodes (Figure 28).
Click the ADJUST SETTINGS button, and the Settings window will open, showing orange Caution icons next to all types of associations for which the association limit was exceeded (Figure 29).
Click the Table text at the top right corner of the Associations card to change the card to table view (Figure 30). The most recently selected view (graph or table) will be retained as the user default.
Table view provides respective lists of all associated Groups, Indicators, and Victim Assets. The Owner column can be used to determine whether an associated object is associated to the primary object or to an object with the same name as that of the primary object in a different owner, because in the latter case, the associated object will have a different owner than that of the primary object. See the note before Figure 5 for more information.
To add a new association, click the Plus icon next to the type of object to add. A window displaying all available objects of that type (Group in this example) that have the same owner and that are not already associated to the object will appear (Figure 31).
Select one or all of the displayed items, or use the Group Type dropdown menu and search box to filter the results before selecting any items. Click the SAVE button to save the selected associations.
NOTE: Second-level associations (i.e., associations to associated objects) may be added only via the Add Association option in graph view, as described earlier in this article.
The Associations Tab
The Associations tab of the Details screen for an object displays the object’s first-level associations and provides options for filtering the associated objects and adding an association. Navigate to the Overview tab of the Details screen (Figure 4), and then click the Associations tab. The Associations screen will be displayed (Figure 32).
Viewing and Filtering Associations
The associated objects provided in the table of the Associations tab are classified by type according to the icon menus in the center. Choosing an item from each menu (e.g., Signatures from the Documents menu) displays only associated objects of that type. Clicking on the menu itself (i.e., clicking on the icon without selecting an item from its menu) displays associated objects of all of the types listed in that menu, as in Figure 32, which lists all Indicators associated with the primary Indicator, including custom Indicator-to-Indicator associations, Indicators that are associated to the primary Indicator by a DNS resolution or a File action (File Archive, File Drop, or File Traffic), and Indicators that are associated to the primary Indicator via a shared Group.
The table columns depend on the type of primary object and which menu or menu item has been selected. For example, for a primary Indicator object, any Indicators table that is populated with at least one entry has a column with Details icons that, when clicked, provide information about the Group object to which both Indicators (the primary Indicator and the associated Indicator) are associated and options to dissociate the primary Indicator from the Group (and therefore from all Indicators associated with the Group). For a primary Group object, the Indicators tables do not have this icon, but rather a Dissociate link that, when clicked, immediately (i.e., without a request for confirmation) dissociates the Group from the Indicator. As another example, the Reports and Signatures tables have Thumb Up and Thumb Down columns.
For a primary Indicator object, the Indicators tables will display a Relation Type menu at the top right of the table, as in Figure 32. This menu allows the user to filter the Indicators shown by type of association (i.e., custom Indicator-to-Indicator association, DNS resolution, type of File action, or type of Group through which the Indicator-to-Group-to-Indicator first-level association exists).
Adding an Association
- To add an association, click the + NEW ASSOCIATION button, and the Select an Association window will be displayed (Figure 33).
- Click on the Select Type dropdown menu, and select the association type to create. Objects that qualify for this association type will be displayed in the table. For example, in Figure 34, Adversary was selected.
- If desired, filter down the results further by entering text in the Filter box and then pressing Enter or clicking the Search icon (magnifying glass). To clear what has been entered in the Filter box, delete the entered text and then press Enter or click the Search icon.
NOTE: The Filter box is case sensitive. For example, a search for the file hash “0413F832D8161187172AEF7A769586515F969479” will not provide “0413f832d8161187172aef7a769586515f969479” as a result.
- Check the box next to the Indicator(s) or Group(s) that will be associated. Anything left unchecked will be ignored.
- Click the SAVE button.
NOTE: Associations can also be added from both graph and table view of the Associations card, as detailed previously in this article.