Filter entities with the histogram

When you analyze entities and observables on the graph canvas to explore relationships and, almost literally, join the dots, you may want to apply quick filters to the elements on the graph without having to move them around or temporarily remove them.

The histogram helps you filter and visually isolate specific subsets of the elements on the graph, based on shared/common properties and attributes.
In the top navigation bar, click the filter icon.
You can select one or more options by clicking the corresponding checkbox:

  • Select a checkbox to display nodes with the corresponding property or attribute.

  • Deselect a checkbox to hide nodes with the corresponding property or attribute.

  • By default, all checkboxes are selected, that is, nothing is filtered out, and all the nodes and the relationships loaded on the graph are visible.

The histogram pane makes available many ready-to-use filters. You can stack and combine filters as you need.

  • Show singletons: select this checkbox to view singleton nodes. They are isolated nodes with no relationships to any other nodes.

  • Show external references: select this checkbox to see external references of the entities.

  • Entity type: select one or more options in this category to view specific entity types.

    • Multi-type-group: select this checkbox to view grouped entities containing mixed entity types.

  • Observable type: select one or more options in this category to view specific observable types.

  • Source: select one or more options in this category to view entities and observables ingested from specific data sources, that is, incoming feeds and enrichers.

    • Missing source: select this checkbox to view entities and observables that are not associated with any data source.

  • TLP: select one or more options in this category to view entities flagged with the specified TLP color codes.
    For example, you can use this filter to include in the resulting graph view only entities flagged as reserved, or that require immediate action.

    • Missing TLP: select this checkbox to view entities with no TLP flag.

  • Source reliability: select one or more options in this category to view entities and observables flagged with the specified source reliability value.
    For example, you can use this filter to include in the resulting graph view only entities and observables originating from trustworthy data sources.

    • Missing source reliability: select this checkbox to view entities and observables that are not associated with any data source.

  • Confidence: select one or more options in this category to view entities and observables flagged with the specified level of confidence. The confidence value is an estimate of the accuracy and trustworthiness of the entity information.

    • Missing confidence: select this checkbox to view entities whose confidence level is not set.

  • Observable classification: select one or more options in this category to view observables flagged with the specified level of maliciousness.
    For example, you can use this filter to include in the resulting graph view only observables flagged as Bad.

    • Missing observable classification: select this checkbox to view entities and observables whose maliciousness confidence level is not set.

    • Bad: select this checkbox to view observables whose maliciousness confidence level is set to Malicious - High confidence, Malicious - Medium confidence, or Malicious - Low confidence.

    • Good: select this checkbox to view observables marked as Safe.

  • Tags: select one or more options in this category to view entities flagged with the specified tags.
    For example, you can use this filter to include in the resulting graph view only entities with specific Admiralty codes or kill chain values.

    • Without tags: select this checkbox to view untagged entities.

  • Maliciousness: select one or more options in this category to filter objects on the current view by maliciousness classification.