Analyze entities in a graph

You can load entities in the graph to analyze them, explore relationships, and map the context around potential threats.

Join the dots to build a hypothesis

When you load entities and observables in the graph to analyze them, you are weaving a story to describe the threat scenario under investigation.
A good story needs villains. The cyber crime line of business appeals to a wide range of such characters. Villains have motives and goals they want to achieve.
To attain them, they engage in actions and behaviors that usually damage a third party. Enter the victim.
The villain’s tactics, techniques, and procedures (TTPs) are meant to produce an outcome that benefits the villain and harms the victim.

Now you have the basic elements to build a consistent narrative for a threat scenario:

  • Threat actors apply TTPs to hit a targeted victim, so that they can achieve their intended effects.

  • The actors may leverage existing exploit targets to carry out a series of attacks. Their malicious activities may leave some traces.

  • An analyst on the victim’s side may pick up on those traces and report them to alert the organization.

  • Following up on the report, another analyst may detect them in a log file. However, before the victim can react with appropriate measures and procedures, a security breach occurs.

In most real-life cases, the script that builds the narrative of a threat scenario is fragmented and scattered: you have only a few pieces of the puzzle, and a couple of them possibly belong to a different puzzle altogether.
The graph canvas is the stage where you analyze, reorganize, restructure, assess, test alternatives, and ultimately position all the pieces in place to produce a factual and consistent narrative that can answer these basic questions:

  • What happened?

  • When did it happen?

  • Where did it happen?

  • Why did it happen?

  • Who did it?

  • Why did they do it?

Load related entities and observables

The graph is a powerful toolbox to analyze cyber threat intelligence.
The right-click context menu is your Swiss Army knife to load entities, discover relationships, enrich entities, and group and ungroup them.
Grayed-out options in the menu are disabled for the selected item.

Select Load entities to load entities that are directly related to the entity you right-clicked on, for example because they share information such as one or more IP addresses or target email addresses.
From the Load entities submenu, you can choose whether you want to load all related entities, or only specific related entity types.

Select Load observables to load any observables related to the entity you right-clicked on, for example an IP address or an email address.
From the Load observables submenu, you can choose whether you want to load all related observables, or only specific related observable types.

Select Load entities by observable to load entities that are indirectly related to the entity you right-clicked on through one intermediate observable node.
From the Load entities by observable submenu, you can choose whether you want to load indirectly related entities based on all the available observables, or only on specific observable types.

The number of relationships a graph query returns is capped at 500.
When a query returns more than 500 results, a dialog informs you of the limit and lets you either cancel the query or continue running it with a new cap of 5000 results in total.
If you query multiple nodes, any nodes returning more than 500 relationships are automatically filtered out from the results.
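The following added example (not the platform's own code) models the result-cap behaviour described above against a constructed in-memory relationship store: a single-node query prompts the user above 500 relationships and proceeds with a 5000 cap, while a multi-node query silently drops the nodes that exceed 500. The store shape, the `confirm` callback and the sample node ids are assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT_CAP = 500     # cap documented for a single graph query
EXTENDED_CAP = 5000   # cap the user can opt into via the dialog

# Assumed stand-in for the graph database: node id -> ids of related nodes.
RelationStore = Dict[str, List[str]]


def load_relationships(db: RelationStore, node: str,
                       confirm: Callable[[int], bool]) -> Optional[List[str]]:
    """Single-node query. Above DEFAULT_CAP, `confirm(count)` models the dialog:
    False cancels the query (None is returned), True continues with EXTENDED_CAP."""
    rels = db.get(node, [])
    if len(rels) <= DEFAULT_CAP:
        return list(rels)
    if not confirm(len(rels)):
        return None
    return list(rels[:EXTENDED_CAP])


def load_relationships_multi(db: RelationStore,
                             nodes: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Multi-node query: nodes exceeding DEFAULT_CAP are filtered out, no prompt.
    Returns (results per node, list of skipped node ids)."""
    results: Dict[str, List[str]] = {}
    skipped: List[str] = []
    for node in nodes:
        rels = db.get(node, [])
        if len(rels) > DEFAULT_CAP:
            skipped.append(node)
        else:
            results[node] = list(rels)
    return results, skipped


# Constructed sample data: one small node, one above 500, one above 5000.
SAMPLE_DB: RelationStore = {
    "malware-B": ["ip-1", "ip-2", "domain-x"],
    "actor-A": [f"ip-{i}" for i in range(1200)],
    "campaign-C": [f"mail-{i}" for i in range(6000)],
}
```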

Enrich entities and observables on the fly

Select Enrichment to manually trigger enricher tasks on the entity or observable you right-clicked on. Any new enrichment observables are automatically loaded in the graph.
The Enrichment submenu enables you to apply granular control to the scope of the enrichment.
Click one of the available options to:

  • Enrich all the selected entities and observables with all applicable enrichers

  • Enrich only the selected entities with all applicable enrichers

  • Enrich only the selected observables with all applicable enrichers

  • Apply a specific enricher from the list to all the selected entities and observables

Discover connections between nodes

  1. CTRL + click two nodes in the graph to select them.

  2. Right-click either of the selected nodes.

  3. From the context menu, select Find path or Show path.

  4. If a path does exist, the selected nodes and all the intermediate ones are highlighted in the graph to show the path that links them.

    • Find path: queries the graph server to ask if there is a connection between the two selected nodes in the graph.
      If a connection does exist, the command loads any intermediate nodes, and then it highlights the connecting path.
      It differs from Show path because it first checks the existence of the path in the graph database.

    • Show path: highlights the shortest relationship path linking two nodes loaded in the graph.
      It differs from Find path because it does not check the existence of a path; it simply highlights the shortest path, if it exists in the graph.
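To make the Find path / Show path distinction concrete, here is an added example (not the platform's code) that models the graph database as an adjacency map and the canvas as the set of loaded node ids: Show path searches only among loaded nodes, while Find path searches the full database and then loads the intermediate nodes it discovers. The node ids and the graph are constructed sample data.

```python
from collections import deque
from typing import Dict, List, Optional, Set

Graph = Dict[str, List[str]]  # undirected adjacency: node id -> neighbour ids


def _bfs_path(adj: Graph, allowed: Optional[Set[str]], src: str, dst: str) -> Optional[List[str]]:
    """Shortest path by breadth-first search. If `allowed` is given, only nodes in
    that set may be traversed (this models 'nodes loaded in the graph')."""
    if src not in adj or dst not in adj:
        return None
    if allowed is not None and (src not in allowed or dst not in allowed):
        return None
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path: List[str] = []
            node: Optional[str] = cur
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(cur, []):
            if nxt in prev or (allowed is not None and nxt not in allowed):
                continue
            prev[nxt] = cur
            queue.append(nxt)
    return None


def show_path(database: Graph, loaded: Set[str], a: str, b: str) -> Optional[List[str]]:
    """Show path: no server query; highlights the shortest path using only loaded nodes."""
    return _bfs_path(database, loaded, a, b)


def find_path(database: Graph, loaded: Set[str], a: str, b: str) -> Optional[List[str]]:
    """Find path: asks the server (full database); if a path exists, loads its
    intermediate nodes onto the canvas and returns the path to highlight."""
    path = _bfs_path(database, None, a, b)
    if path:
        loaded.update(path)
    return path


# Constructed sample database (not real intelligence data).
DATABASE: Graph = {
    "actor-X": ["malware-Y", "report-1"],
    "malware-Y": ["actor-X", "ip-203.0.113.5"],
    "ip-203.0.113.5": ["malware-Y", "victim-Z"],
    "victim-Z": ["ip-203.0.113.5"],
    "report-1": ["actor-X"],
}
```

With only actor-X and victim-Z on the canvas, Show path finds nothing, whereas Find path returns the four-node path and loads malware-Y and the IP observable, after which Show path highlights the same path.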

Add entities to a dataset

You can optionally add entities to a dataset in an existing workspace. This option only applies to entities, not observables.

  1. Right-click on the node you want to add to a dataset, or select multiple nodes and right-click on one of them.

  2. From the context menu, select Add to dataset.
    A pop-up is displayed.

  3. From the Workspace drop-down menu, select a workspace.

  4. If the workspace already contains a dataset, you can select this dataset from the Dataset drop-down menu.
    If the workspace does not contain a dataset, the Dataset field is automatically set to Create new dataset, and in the New dataset name field, you can fill in a name for the new dataset.

  5. Click Add to dataset.

Create user tasks around entities

You can create an actionable task related to selected entities.
You can then assign the task to a user, and to one or more stakeholders.

  1. Right-click on the node you want to create a task for, or select multiple nodes and right-click on one of them.

  2. From the context menu, select Create task.
    A pop-up is displayed.

  3. In the Name field, fill in a name for the task.

  4. In the Description field, fill in a description or add additional information.

  5. From the Assigned to drop-down, select the person you want to assign this task to, and click Assign.

  6. From the Due date drop-down calendar, select a due date.

  7. In the bottom-left corner, you can click Show options to assign the task to a specific workspace.

  8. Click Save.

Group entities

  1. CTRL + click the nodes in the graph you want to group together.

  2. Right-click any of the selected nodes.

  3. From the context menu, select Group.
    The selected entities are grouped together.
    This action provides a cleaner view of the graph.

Ungroup entities

  1. Right-click on a created entity group.

  2. From the context menu, select Ungroup.
    The selected entities return to their original position as separate nodes in the graph.

Remove entities from the graph