Perform Action on Multiple Nodes
Note
This feature is available in Intel Exchange v3.7.5.0 (EA) onwards.
You can perform a single action on multiple nodes at once in the Threat Investigation Canvas. This allows you to efficiently apply tags, update attributes, initiate workflows, or enrich threat intelligence across the selected nodes.
Note
Ingestion of the node is mandatory to perform an action on multiple nodes.
Steps
To perform an action on multiple nodes, follow these steps:
Go to Main Menu > Threat Investigations.
Open the investigation where you want to perform the action.
In the canvas, select the nodes either by clicking them directly or by drawing a rectangular selection around them.
Note
You can select:
Up to 10 indicator nodes for actions like enrichment.
Up to 100 nodes of non-indicator types for other supported actions.
From the drop-down, choose one of the following actions:
Action | Description | Supported SDOs |
---|---|---|
Add Tag | Apply one or more tags to the selected nodes. You can add up to 100 tags. | All SDOs |
Add Analyst Score | Assign an analyst score to the nodes | All SDOs except Vulnerability |
Update Analyst TLP | Set the TLP marking on all selected nodes | All SDOs |
Manual Review | Mark nodes for analyst review | All SDOs |
Mark as Reviewed | Confirm nodes as reviewed | All SDOs |
Add to Indicators Allowed | Add indicators to the trusted list | Indicator |
Add to Watchlist | Add observables to the watchlist | All SDOs |
Deprecate | Mark nodes as deprecated | Indicator |
Undeprecate | Remove deprecated status | Indicator |
False Positive | Mark observables as false positives | Indicator |
New Task | Create a task linked to the selected nodes | All SDOs |
Create CFTR Incident | Open a CFTR incident linked to the selected node | Indicator and Report |
Run Rule | Execute an automation rule | All SDOs |
Enrich | Perform enrichment using the available tools. For more information, see Enrich the Nodes. | Indicator and Vulnerability |
Analyze Relations using CTIX | Visualize relationships between selected nodes. For more information, see Analyze Relations Using CTIX. | All SDOs |
Delete Node | Permanently remove nodes from the canvas | All SDOs |
Unmark False Positive | Remove the false positive label from the selected observables | Indicator |
Remove Tags | Detach one or more tags from the selected nodes. You can remove up to 50 tags. | All SDOs |
Remove from Indicators Allowed | Remove indicators from the trusted list | Indicator |
Remove from Watchlist | Remove observables from the watchlist | All SDOs |
Add CVSS Score | Assign a CVSS score to the selected nodes | Vulnerability |
Note
Action Availability
The actions displayed in the drop-down menu depend on the selected node types. If your selection includes different types of SDOs, only the actions supported by all selected SDO types are displayed.