Create Threat Investigations Canvas
You can create a new canvas and plot threat data objects, providing threat analysis to correlate contextual understanding gathered from complex threat intelligence data.
Before you Start
Ensure that you have Create, View & Update Threat Investigations permissions.
Steps
To create a new threat investigation canvas, follow these steps:
Go to Main Menu > Analysis > Threat Investigations and click Create New.
Enter a unique title for the canvas within 100 characters that identifies the purpose of the canvas, for example, Indicator Analysis, and click Add. You can view the canvas.
Click Add Node icon on the left. You can view the Indicator, Domain Objects, and Observables.
Select an object type that you need for your investigation or drag it to the canvas. All the SDOs in the Threat Data module are supported. For example, Email Address
Enter the value of the object. For example john.doe@mail.com.
If a value is displayed in the field below the indicator being added indicates that the Intel Exchange already has a record of the indicator or SDO. If the value is not displayed, that indicates Intel Exchange has no record of the indicator or SDO.
Select a node and drag the + icon to another node to add a relationship between the nodes. You can draw one-to-many or many-to-one relations to different nodes.
Select the relationship type and enter the following details:
Description: Enter the description that describes the key characteristics of the relationship.
Start Time: Select the timestamp that indicates the start of the relationship between two objects from the specified date.
End Time: Select the timestamp that indicates the end of the relationship between two objects from the specified date.
Intel Exchange supports all the relationship types in compliance with the STIX 2.1 standards.
Click Save.
You can view the plotted threat data objects and the specified relationship between nodes in the canvas.