Skip to main content

Cyware Threat Intelligence eXchange

Perform Action on Multiple Nodes

Note

This feature is available in Intel Exchange v3.7.5.0 (EA) onwards.

You can perform a single action on multiple nodes at once in the Threat Investigation Canvas. This allows you to efficiently apply tags, update attributes, initiate workflows, or enrich threat intelligence across the selected nodes.

Note

Ingestion of the node is mandatory to perform an action on multiple nodes.

Steps 

To perform an action on multiple nodes, follow these steps:

  1. Go to Main Menu > Threat Investigations.

  2. Open the investigation where you want to perform the action.

  3. In the canvas, select the nodes using either direct clicks or by drawing a rectangular selection around the nodes.

    Note

    You can select:

    • Up to 10 indicator nodes for action like enrichment.

    • Up to 100 nodes of non-indicator types for other supported actions.

  4. From the drop-down, choose one of the following actions:

Action

Description

Supported SDOs

Add Tag

Apply one or more tags to the selected nodes. You can add up to 100 tags

All SDOs

Add Analyst Score

Assign an analyst score to the nodes

All SDOs except for vulnerability

Update Analyst TLP

Set the TLP marking on all selected nodes

All SDOs

Manual Review

Mark nodes for analyst review

All SDOs

Mark as Reviewed

Confirm nodes as reviewed

All SDOs

Add to Indicators Allowed

Add indicators to the trusted list

Indicator

Add to Watchlist

Add observables to the watchlist

All SDOs

Deprecate

Mark nodes as deprecated

Indicator

Undeprecate

Remove deprecated status

Indicator

False Positive

Mark observables as false positives

Indicator

New Task

Create a task linked to the selected nodes

All SDOs

Create CFTR Incident

Open a CFTR incident linked to the selected node

Indicator and Report 

Run Rule

Execute an automation rule

All SDOs

Enrich

Perform enrichment using the available tools. For more information, see Enrich the Nodes.

Indicator and Vulnerability

Analyze Relations using CTIX

Visualize relationships between selected nodes. For more information, see Analyze Relations Using CTIX.

All SDOs

Delete Node

Permanently remove nodes from the canvas

All SDOs

Umark False Positive

Remove the false positive label from the selected observables

Indicator

Remove Tags

Detach one or more tags from the selected nodes. You can remove up to 50 tags

All SDOs

Remove from Indicators Allowed

Remove indicators from the trusted list

Indicator

Remove from Watchlist

Remove observables from the watchlist

All SDOs

Add CVSS Score

Assign a CVSS score to the selected nodes

Vulnerabilty

Note

Action Availability

The actions displayed in the drop-down menu depend on the selected node types. If your selection includes different types of SDOs, only the actions supported by all selected SDO types are displayed.