Perform Action on Multiple Nodes
Notice
This feature is available in Intel Exchange v3.7.5.0 onwards.
You can perform a single action on multiple nodes at once in the Threat Investigation Canvas. This allows you to efficiently apply tags, update attributes, initiate workflows, or enrich threat intelligence across the selected nodes.
Note
Ingestion of the node is mandatory to perform an action on multiple nodes.
Steps
To perform an action on multiple nodes, follow these steps:
1. Go to Main Menu > Threat Investigations.
2. Open the investigation where you want to perform the action.
3. In the canvas, select the nodes either by clicking them directly or by drawing a rectangular selection around them.
   Note
   You can select:
   - Up to 10 indicator nodes for actions such as enrichment.
   - Up to 100 nodes of non-indicator types for other supported actions.
4. From the drop-down, choose one of the following actions:
| Action | Description | Supported SDOs |
| --- | --- | --- |
| Add Tag | Apply one or more tags to the selected nodes. You can add up to 100 tags. | All SDOs |
| Add Analyst Score | Assign an analyst score to the nodes | All SDOs except for vulnerability |
| Update Analyst TLP | Set the TLP marking on all selected nodes | All SDOs |
| Manual Review | Mark nodes for analyst review | All SDOs |
| Mark as Reviewed | Confirm nodes as reviewed | All SDOs |
| Add to Indicators Allowed | Add indicators to the trusted list | Indicator |
| Add to Watchlist | Add observables to the watchlist | All SDOs |
| Deprecate | Mark nodes as deprecated | Indicator |
| Undeprecate | Remove deprecated status | Indicator |
| False Positive | Mark observables as false positives | Indicator |
| New Task | Create a task linked to the selected nodes | All SDOs |
| Create CFTR Incident | Open a CFTR incident linked to the selected node | Indicator and Report |
| Run Rule | Execute an automation rule | All SDOs |
| Enrich | Perform enrichment using the available tools. For more information, see Enrich the Nodes. | Indicator and Vulnerability |
| Analyze Relations using CTIX | Visualize relationships between selected nodes. For more information, see Analyze Relations Using CTIX. | All SDOs |
| Delete Node | Permanently remove nodes from the canvas | All SDOs |
| Unmark False Positive | Remove the false positive label from the selected observables | Indicator |
| Remove Tags | Detach one or more tags from the selected nodes. You can remove up to 50 tags. | All SDOs |
| Remove from Indicators Allowed | Remove indicators from the trusted list | Indicator |
| Remove from Watchlist | Remove observables from the watchlist | All SDOs |
| Add CVSS Score | Assign a CVSS score to the selected nodes | Vulnerability |
Note
Action Availability
The actions displayed in the drop-down menu depend on the selected node types. If your selection includes different types of SDOs, only the actions supported by all selected SDO types are displayed.