Analyze entities in a graph#
You can load entities in the graph to analyze them, explore relationships, and map the context around potential threats.
Join the dots to build a hypothesis#
When you load entities and observables in the graph to analyze them, you are weaving a story to describe the threat scenario under investigation.
A good story needs villains. The cyber crime line of business appeals to a wide range of such characters. Villains have motives and goals they want to achieve.
To attain them, they engage in actions and behaviors that usually damage a third party. Enter the victim.
The outcome of the villain’s tactics, techniques, and procedures to produce the intended effects may be beneficial for the villain and detrimental for the victim.
Now you have the basic elements to build a consistent narrative for a threat scenario:
Threat actors apply TTPs to hit a targeted victim, so that they can achieve their intended effects.
The actors may leverage existing exploit targets to carry out a series of attacks. Their malicious activities may leave some traces.
An analyst on the victim’s side may pick up on those traces and report them to alert the organization.
Following up on the report, another analyst may detect them in a log file. However, before the victim can react with appropriate measures and procedures, a security breach occurs.
In most real-life cases, the script that builds the narrative of a threat scenario is fragmented and scattered: you have only a few pieces of the puzzle, and a couple of them possibly belong to a different puzzle altogether.
The graph canvas is the stage where you analyze, reorganize, restructure, assess, test alternatives, and ultimately position all the pieces in place to produce a factual and consistent narrative that can answer these basic questions:
What happened?
When did it happen?
Where did it happen?
Why did it happen?
Who did it?
Why did they do it?
Discover connections between nodes#
CTRL + click two nodes in the graph to select them.
Right-click either of the selected nodes.
From the context menu, select Find path or Show path.
If a path does exist, the selected nodes and all the intermediate ones are highlighted in the graph to show the path that links them.
Find path: queries the graph server to ask if there is a connection between the two selected nodes in the graph.
If a connection does exist, the command loads any intermediate nodes, and then it highlights the connecting path.
It differs from Show path because it first checks the existence of the path in the graph database.
Show path: highlights the shortest relationship path linking two nodes loaded in the graph.
It differs from Find path because it does not check the existence of a path; it simply highlights the shortest path, if it exists in the graph.
Add entities to a dataset#
You can optionally assign entities to an existing workspace. This option only applies to entities, not observables.
Right-click on the node you want to add to a dataset, or select multiple nodes and right-click on one of them.
From the context menu, select Add to dataset.
A pop-up is displayed.
From the Workspace drop-down menu, select a workspace.
If the workspace already contains a dataset, you can select this dataset from the Dataset drop-down menu.
If the workspace does not contain a dataset, the Dataset field is automatically set to Create new dataset, and in the New dataset name field, you can fill in a name for the new dataset.
Click Add to dataset.
Create user tasks around entities#
You can create an actionable task related to selected entities.
You can then assign the task to a user, and to one or more stakeholders.
Right-click on the node you want to add to a dataset, or select multiple nodes and right-click on one of them.
From the context menu, select Create task.
A pop-up is displayed.
In the Name field, fill in a name for the task.
In the Description field, fill in a description or add additional information.
From the Assigned to drop-down, select the person you want to set this task to, and click Assign.
From the Due date drop-down calendar, select a due date.
In the bottom-left corner, you can click Show options to assign the task to a specific workspace.
Click Save.
Group entities#
CTRL + click the nodes in the graph you want to group together.
Right-click any of the selected nodes.
From the context menu, select Group.
The selected entities are grouped together.
This action provides a cleaner view of the graph.
Ungroup entities#
Right-click on a created entity group.
From the context menu, select Ungroup.
The selected entities return to their original position as separate nodes in the graph.