Filter entities with histogram

You can filter entities and observables in a graph using the histogram filter. This allows you to isolate specific subsets based on shared properties and attributes.

When you analyze entities and observables on the graph canvas to explore relationships and, almost literally, join the dots, you may want to apply quick filters to the elements on the graph without having to move them around or temporarily remove them.

At the top right corner of a graph, select the filter icon to open the histogram pane.

You can select one or more options by clicking the corresponding checkbox:

  • Select a checkbox to display nodes with the corresponding property or attribute.

  • Deselect a checkbox to hide nodes with the corresponding property or attribute.

  • By default, all checkboxes are selected and all the nodes and the relationships loaded on the graph are visible.

The histogram pane provides many ready-to-use filters, which you can stack and combine as needed. The table below describes what each filter does.

| Category | Checkbox | Definition |
|---|---|---|
| | Show singletons | Click the toggle switch to show or hide singleton nodes. Singletons are isolated nodes with no relationships with any other nodes. |
| | Show external references | Click the toggle switch to show or hide external references. External references point to entities or observables that are referenced, but not ingested and available in Intelligence Center. |
| Entity type | Multi-type-group | Select this checkbox to view grouped entities containing mixed entity types. Select one or more options in this category to view specific entity types. |
| Observable type | | Select one or more options in this category to view specific observable types. |
| Sources | Missing source | Select this checkbox to view entities and observables that are not associated with any data source. Select one or more options in this category to view entities and observables ingested from specific data sources, that is, incoming feeds and enrichers. |
| TLP | Missing TLP | Select this checkbox to view entities with no TLP flag. Select one or more options in this category to view entities flagged with the specified TLP color codes. For example, you can use this filter to include in the resulting graph view only entities flagged as reserved, or that require immediate action. |
| Source reliability | Missing source reliability | Select this checkbox to view entities and observables that are not associated with any data source. Select one or more options in this category to view entities and observables flagged with the specified source reliability value. For example, you can use this filter to include in the resulting graph view only entities and observables originating from trustworthy data sources. |
| Confidence | Missing confidence | Select this checkbox to view entities whose confidence level is not set. Select one or more options in this category to view entities and observables flagged with the specified level of confidence. The confidence level is an estimate of the accuracy and trustworthiness of the entity information. |
| Observable classification | Missing observable classification | Select this checkbox to view entities and observables whose maliciousness confidence level is not set. Select one or more options in this category to view observables flagged with the specified level of maliciousness. For example, you can use this filter to include in the resulting graph view only observables flagged as Bad. |
| | Bad | Select this checkbox to view observables whose maliciousness confidence level is set to Malicious - High confidence, Malicious - Medium confidence, or Malicious - Low confidence. |
| | Good | Select this checkbox to view observables marked as Safe. |
| Tags | Without tags | Select this checkbox to view untagged entities. Select one or more options in this category to view entities flagged with the specified tags. For example, you can use this filter to include in the resulting graph view only entities with specific Admiralty codes or kill chain values. |