Create Threat Investigations Canvas
You can create a new canvas and plot threat data objects on it to analyze threats and correlate the context gathered from complex threat intelligence data.
Before you Start
Ensure that you have Create, View & Update Threat Investigations permissions.
Steps
To create a new threat investigation canvas, follow these steps:
Go to Main Menu > Analysis > Threat Investigations and click Create New.
Enter a unique title of up to 100 characters that identifies the purpose of the canvas, for example, Indicator Analysis, and click Add. The canvas is displayed.
Click the Add Node icon on the left. You can view the Indicator, Domain Objects, and Observables.
Select an object type that you need for your investigation or drag it to the canvas. All the SDOs in the Threat Data module are supported. For example, Email Address.
Enter the value of the object. For example, john.doe@mail.com.
If a value is displayed in the field below the indicator being added, Intel Exchange already has a record of the indicator or SDO. If no value is displayed, Intel Exchange has no record of the indicator or SDO.
Select a node and drag the + icon to another node to add a relationship between the nodes. You can draw one-to-many or many-to-one relations to different nodes. Once a relationship is established, clicking on the relation name allows you to edit or add details about the threat objects.
Fill in the Relation Details:
Relation Type: Select the type of relationship that exists between the two threat data objects.
Relationship Confidence: Indicate the confidence level of the relationship based on the analysis.
Created by Reference: Specify the reference that identifies the creator or source of the relationship.
Start Date: Select the timestamp representing when the relationship between the two objects began.
End Date: Select the timestamp representing when the relationship between the two objects ended.
Reason: Provide a brief explanation or rationale for establishing the relationship.
Intel Exchange supports all the relationship types in compliance with the STIX 2.1 standards.
Click Save.
You can view the plotted threat data objects and the specified relationship between nodes in the canvas.
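The Relation Details fields line up with the properties of a STIX 2.1 relationship object. The following is an added example, not Intel Exchange code or its export format: it assumes the mapping Relation Type to relationship_type, Relationship Confidence to confidence, Created by Reference to created_by_ref, Start Date and End Date to start_time and stop_time, and Reason to description, and it applies the STIX 2.1 constraints on those properties. The function name and all identifiers in it are hypothetical, constructed values.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifier: <object-type>--<UUID>
STIX_ID = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def _ts(dt):
    # STIX timestamps are RFC 3339, UTC, with a trailing "Z"; dt must be timezone-aware.
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def build_relationship(source_ref, target_ref, relation_type, confidence=None,
                       created_by_ref=None, start=None, end=None, reason=None):
    """Map the Relation Details fields to a STIX 2.1 relationship (assumed mapping)."""
    refs = [source_ref, target_ref] + ([created_by_ref] if created_by_ref else [])
    for ref in refs:
        if not STIX_ID.match(ref):
            raise ValueError(f"not a STIX identifier: {ref!r}")
    if created_by_ref and not created_by_ref.startswith("identity--"):
        raise ValueError("created_by_ref must point to an identity object")
    if not re.fullmatch(r"[a-z0-9-]+", relation_type):
        raise ValueError("relationship_type allows only a-z, 0-9 and hyphen")
    if confidence is not None and not 0 <= confidence <= 100:
        raise ValueError("confidence must be in the range 0-100")
    if start and end and end <= start:
        raise ValueError("stop_time must be later than start_time")
    now = _ts(datetime.now(timezone.utc))
    sro = {"type": "relationship", "spec_version": "2.1",
           "id": f"relationship--{uuid.uuid4()}", "created": now, "modified": now,
           "relationship_type": relation_type,
           "source_ref": source_ref, "target_ref": target_ref}
    optional = {"confidence": confidence, "created_by_ref": created_by_ref,
                "start_time": start and _ts(start), "stop_time": end and _ts(end),
                "description": reason}
    sro.update({k: v for k, v in optional.items() if v is not None})
    return sro

# Constructed sample values; the identifiers are placeholders, not real records.
EMAIL = "email-addr--11111111-1111-4111-8111-111111111111"
INDICATOR = "indicator--22222222-2222-4222-8222-222222222222"
ANALYST = "identity--33333333-3333-4333-8333-333333333333"

if __name__ == "__main__":
    rel = build_relationship(INDICATOR, EMAIL, "related-to", confidence=80,
                             created_by_ref=ANALYST,
                             start=datetime(2024, 1, 10, tzinfo=timezone.utc),
                             end=datetime(2024, 2, 1, tzinfo=timezone.utc),
                             reason="Address seen in the phishing wave under analysis")
    print(json.dumps(rel, indent=2))
```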