An Association is one of the most powerful features in ThreatConnect®. Associating Indicators to Groups empowers an analyst to pivot to any related Group, such as Adversaries, Documents, Threats, etc. Moreover, Indicators can be associated to other Indicators via custom Associations, and users can associate two Groups of the same type (e.g., Documents to Documents).
Navigating to the Associations Card
The Associations card on the Overview tab of the Details screen provides information about an object’s associations.
- From the top navigation bar (Figure 1), place the cursor over BROWSE and then over the INDICATORS or GROUPS option.
- Click on one of the objects (HOST Indicator in this example) to display a results table (Figure 2).
- Click on an entry, and the Details flyout for that entry will appear (Figure 3).
- Click the Details icon at the top right corner of the flyout, and the Overview tab of the Details screen will appear (Figure 4). Alternatively, hover over the object's entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen. Scroll down if necessary to view the Associations card on the right-hand side of the screen.
The Associations Card
The Associations card provides two ways in which to view and track an Indicator’s or Group’s Associations: graph view and table view.
Figure 5 shows the Associations card in graph view for the Host Indicator in the example earlier in this article. All of the objects associated to the Host Indicator are considered first-level associations, because they are directly associated to the Indicator or are other Indicators that are associated to the Indicator via a Group.
NOTE: If the object, or node, labels do not appear, use the + button at the bottom left to zoom in on the graph.
The legend in the bottom left corner is a summary of the main color shade that corresponds to each type of object displayed in the graph. Hover the cursor over the legend to see a detailed breakdown of colors that correspond to each type of Indicator and Group (Figure 6).
Hovering the cursor over one of the objects in the legend highlights all objects of that type in the graph with an orange border, as shown in Figure 7 for the Tag object.
Click the pop-out icon at the top right of the card to view the graph in full-screen mode. Use the three buttons at the bottom right corner of the card to zoom the graph to fit in the card, zoom in, and zoom out, respectively.
NOTE: Clicking and holding down the mouse button when the cursor is over empty space on the graph and then moving the mouse will drag the view around. When zoomed in, it is useful to drag the view around to explore areas of the graph that are initially offscreen.
Hovering the cursor over an object highlights the object and all other objects associated to it. For example, Figure 8 shows what the Associations card looks like when the cursor is hovered over the 126.96.36.199 Address Indicator, and Figure 9 shows the card when the cursor is hovered over the badguy.com Host Indicator (i.e., the Indicator that is the subject of the Details Overview screen displaying the Associations card; see Figure 4).
Clicking on the association line between two nodes will bring up an Association Details window for that association. For example, Figure 10 shows the Association Details window that appears when the line between the badguy.com Host Indicator and the Intruder Alert! Intrusion Set Group is clicked.
To dissociate the two objects, click the Dissociate text at the right of the window.
NOTE: This window will not appear for associations involving Tags.
Nodes can be moved around the graph by clicking on them and dragging them to the desired location. The lengths of the connections between nodes can also be adjusted by clicking and dragging the nodes. For example, Figure 11 shows the Associations card after multiple adjustments of this type were made.
NOTE: Adjustments to connection length and node location will not persist after refreshing or navigating away from the page.
Click on an associated object, and a dropdown menu will appear with three options (Figure 12).
Clicking the View Details option will cause the Details flyout for that object to slide in on the left-hand side of the screen (Figure 13).
Click on options in the Details flyout to continue to explore that object, or click the X at the top right-hand corner of the Details flyout to close it.
Clicking on the Pivot option in Figure 12 will cause a menu listing three object types to appear (Figure 14).
Click on an object type, and the graph will show all objects of that type that are associated to the selected node. More than one object type can be selected by re-opening the menu in Figure 12 and selecting the next type. Figure 15 shows all of the Indicators, Groups, and Tags associated to the My Signature object. These objects are considered second-level associations, because they are two levels of association away from the original object. They can, in turn, be clicked on to explore their details and associated objects.
To hide second-level associated objects, click on the object, choose Pivot from the menu, and select one of the Hide options from the menu that appears (Figure 16).
As more levels of association are explored, the graph will grow such that it can be viewed in its entirety only by zooming out (Figure 17).
Clicking on the Add Association option in Figure 12 will cause a menu listing two object types to appear (Figure 18).
Clicking on the Group option will cause the Group Association window to appear (Figure 19).
If desired, use the Group Type dropdown menu to filter for certain Group types, or use the search bar to narrow down the displayed Groups to those containing a particular string. Select one or more Groups, and then click the SAVE button. The new association will now appear in the graph, as shown in Figure 20 for the My Signature Signature Group, to which an association to the firstname.lastname@example.org Email Address Indicator was added at the bottom right of the card.
Clicking on the Indicator option in Figure 18 will cause the Indicator Association window to appear (Figure 21).
If the desired Indicator already exists within the user’s instance of ThreatConnect, it may be selected from the table provided in the window. If desired, use the Indicator Type dropdown menu to filter for certain Indicator types, or use the search bar to narrow down the displayed Indicators to those containing a particular string. Select one or more Indicators, and then click the SAVE button.
If the desired Indicator does not exist within the user’s instance of ThreatConnect, select the New Indicator(s) radio button at the top left of the window. The window will now display options for entering a new Indicator (Figure 22).
Once one or more Indicators have been added via the Indicator Type section, they will appear in the Associations section. Then, if desired, enter a Description, Tags, Threat Rating, and Confidence Rating for the associated Indicator(s) in the Association Details section, and then click the SAVE button.
Click the Settings icon, and the Settings window will appear (Figure 23).
Toggle the Mouse Scroll Wheel Zooming slider to turn on the capability to zoom the Associations graph by using the mouse scroll wheel or a laptop trackpad’s scroll functionality. Click on the Export Graph text to view a dropdown menu from which the graph can be exported as a PNG file or a JPEG file. Use the ThreatConnect | Cola | Grid options to select the type of layout for the graph. The ThreatConnect and Cola layouts show the object in the center of the display, with associated objects projecting out from it (Figure 5). The ThreatConnect layout is performance optimized and uses WebGL; the Cola layout performs less well but can be used when WebGL is not available. The Grid layout shows the object at the top left of the display, with associated objects projecting down and to the right in a gridlike format (Figure 24).
The 1st Level Associations section provides options for the display of objects that are directly associated to the object. Use the checkboxes next to Indicators, Groups, and Tags to determine whether those associated object types will be displayed or not. Use the Association Limits sliders to set the maximum number of associations that will be shown in the graph.
NOTE: The more associations that are shown, particularly for objects that have a large number of first-level associations, the less granular the data will appear to be without zooming the graph in significantly.
The display of second-level associations is optional. To add them to the graph, toggle the 2nd Level Associations slider and click the DETAILS text to view options for their display (Figure 25).
In each section, use the checkboxes to determine which types of second-level associations should be displayed, or use the All <Object type> / None header to select all or none of them, respectively. Use the sliders on the right-hand side of the box to set the maximum number of associations of each type that should be displayed. Toggling the slider in the middle to Total indicates that the maximum number of associations set by the sliders on the right will apply to all second-level associations of that type, while toggling the slider to Node indicates that the maximum number of associations set by the sliders on the right will apply per node of that type.
NOTE: The Node setting is useful when there are objects with so many second-level associations that the number of second-level associations shown maxes out, causing some of the objects not to have any second-level associations shown for them. Toggling to Node allows every node (that is, every first-level-associated object) to have the set number of second-level associations shown for it.
NOTE: Any changes made in the Settings window will not occur until the APPLY button is clicked.
NOTE: Multiple levels of pivoting may cause browser performance to decline as more and more nodes are loaded into the graph. In such cases, it is advisable to stop pivoting in order to prevent the browser from slowing further and crashing.
If the number of associations for a particular type exceeds the association limits, a Caution icon will display under the Settings icon, and the legend at the bottom left-hand corner will display a red circle icon with the label “Max Associations Fetched” (Figure 26). In addition, all nodes for which the maximum number of associations were fetched will appear with a red circle around them (Figure 27).
Clicking on the Caution icon will open a small window stating that at least one association returned the maximum number of nodes (Figure 28).
Click the ADJUST SETTINGS button, and the Settings window will open, showing Caution icons next to all types of associations for which the association limit was exceeded (Figure 29).
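The following is an added example, not ThreatConnect code, that models the association semantics described in this article on a small constructed graph: first-level associations (direct associations plus Indicators reached through a shared Group), second-level associations, and the Total versus Node behaviour of the 2nd Level Associations limit, including which nodes would be flagged as having hit the maximum. All object names are made up.

```python
# Constructed sample graph; names are made up, not real ThreatConnect data.
# Objects are (type, name) tuples; each edge is an undirected association.
EDGES = [
    (("Indicator", "badguy.com"), ("Group", "Intruder Alert!")),
    (("Indicator", "126.96.36.199"), ("Group", "Intruder Alert!")),
    (("Indicator", "badguy.com"), ("Indicator", "evil.example")),  # custom Indicator-to-Indicator
    (("Indicator", "badguy.com"), ("Tag", "APT")),
    (("Group", "Intruder Alert!"), ("Group", "My Signature")),
    (("Group", "Intruder Alert!"), ("Tag", "Phishing")),
    (("Group", "Intruder Alert!"), ("Tag", "Malware")),
    (("Indicator", "evil.example"), ("Group", "Doc 1")),
    (("Indicator", "evil.example"), ("Tag", "Typosquat")),
]
ORIGIN = ("Indicator", "badguy.com")

def neighbors(obj, edges):
    """Objects directly associated to obj."""
    return {b if a == obj else a for a, b in edges if obj in (a, b)}

def first_level(obj, edges):
    """First-level associations: direct associations plus Indicators reached
    through a directly associated Group (Indicator-to-Group-to-Indicator)."""
    level1 = neighbors(obj, edges)
    for n in list(level1):
        if n[0] == "Group":
            level1 |= {m for m in neighbors(n, edges) if m[0] == "Indicator" and m != obj}
    return level1

def second_level(obj, edges):
    """For each first-level node, the objects one more hop away that are not
    already the origin or first-level nodes."""
    level1 = first_level(obj, edges)
    return {n: neighbors(n, edges) - level1 - {obj} for n in level1}

def apply_limit(level2, limit, mode):
    """Model of the 2nd Level Associations limit. 'Node' caps each first-level
    node separately; 'Total' shares one cap across all of them, so nodes
    processed later may get nothing. Returns (shown, nodes_that_hit_the_cap)."""
    shown, capped, budget = {}, set(), limit
    for node, assoc in sorted(level2.items()):
        cap = limit if mode == "Node" else budget
        picked = sorted(assoc)[:cap]
        shown[node] = picked
        if len(picked) < len(assoc):
            capped.add(node)  # the graph would mark this node "Max Associations Fetched"
        if mode == "Total":
            budget -= len(picked)
    return shown, capped
```

With a limit of 2, Node mode gives every first-level node up to two second-level objects, while Total mode spends the whole budget on the first node and leaves the rest empty, which is the situation the Node setting is meant to fix.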
Click the Table text at the top right corner of the Associations card to change the card to table view (Figure 30).
Table view provides respective lists of all associated Groups, Indicators, and Victim Assets. To add a new Association, click the Plus icon next to the type of object to add. A window displaying all available objects of that type (Group in this example) that are not already associated to the object will appear (Figure 31).
Select one or all of the displayed items, or use the Group Type dropdown menu and search box to filter the results before selecting any items. Click the SAVE button to save the selected Associations.
The Associations Tab
The Associations tab of the Details screen for an object displays the object’s first-level associations and provides options for filtering the associated objects and adding an association. Navigate to the Overview tab of the Details screen (Figure 4), and then click the Associations tab. The Associations screen will appear (Figure 32).
Viewing and Filtering Associations
The associated objects provided in the table of the Associations tab are classified by type according to the icon menus in the center. Choosing an item from each menu (e.g., Signatures from the Documents menu) displays only associated objects of that type. Clicking on the menu itself (i.e., clicking on the icon without selecting an item from its menu) displays associated objects of all of the types listed in that menu, as in Figure 32, which lists all Indicators associated with the original Indicator (including custom Indicator-to-Indicator associations and Indicators that are associated to other Indicators via a shared Group).
The table columns depend on the original object type and which menu or menu item has been selected. For example, for an original Indicator object, any Indicators table that is populated with at least one entry has a column with Details icons that, when clicked, provide information about the Group object to which both Indicators (the original Indicator and the associated Indicator) are associated and options to dissociate the original Indicator from the Group (and therefore from all Indicators associated with the Group). For an original Group object, the Indicators tables do not have this icon, but rather a Dissociate link that, when clicked, immediately (i.e., without a request for confirmation) dissociates the Group from the Indicator. As another example, the Reports and Signatures tables have Thumb Up and Thumb Down columns.
For an original Indicator object, the Indicators tables will display a Relation Type menu at the top right of the table, as in Figure 32. This menu allows the user to filter the Indicators shown by type of association (i.e., custom Indicator-to-Indicator association or type of Group through which the Indicator-to-Group-to-Indicator first-level association exists).
Adding an Association
- To add an association, click the + NEW ASSOCIATION button, and the Select an Association window will appear (Figure 33).
- Click on the Select Type dropdown menu, and select the association type to create. Objects that qualify for this association type will be displayed in the table. For example, in Figure 34, Adversary was selected.
- If desired, filter down the results further by entering text in the Filter box and then pressing Enter or clicking the Search icon (magnifying glass). To clear what has been entered in the Filter box, delete the entered text and then press Enter or click the Search icon.
- Check the box next to the Indicator(s) or Group(s) that will be associated. Anything left unchecked will be ignored.
- Click the SAVE button.
NOTE: Associations can also be added from both graph and table view of the Associations card, as detailed previously in this article.