Cyware Threat Intelligence eXchange

Perform Action on Multiple Nodes

Notice

This feature is available in Intel Exchange v3.7.5.0 onwards.

You can perform a single action on multiple nodes at once in the Threat Investigation Canvas. This allows you to efficiently apply tags, update attributes, initiate workflows, or enrich threat intelligence across the selected nodes.

Note

A node must be ingested before you can include it in an action on multiple nodes.

Steps

To perform an action on multiple nodes, follow these steps:

  1. Go to Main Menu > Threat Investigations.

  2. Open the investigation where you want to perform the action.

  3. In the canvas, select the nodes either by clicking them directly or by drawing a rectangular selection around them.

    Note

    You can select:

    • Up to 10 indicator nodes for actions like enrichment.

    • Up to 100 nodes of non-indicator types for other supported actions.

  4. From the drop-down, choose one of the following actions:

    | Action | Description | Supported SDOs |
    |---|---|---|
    | Add Tag | Apply one or more tags to the selected nodes. You can add up to 100 tags. | All SDOs |
    | Add Analyst Score | Assign an analyst score to the nodes. | All SDOs except for vulnerability |
    | Update Analyst TLP | Set the TLP marking on all selected nodes. | All SDOs |
    | Manual Review | Mark nodes for analyst review. | All SDOs |
    | Mark as Reviewed | Confirm nodes as reviewed. | All SDOs |
    | Add to Indicators Allowed | Add indicators to the trusted list. | Indicator |
    | Add to Watchlist | Add observables to the watchlist. | All SDOs |
    | Deprecate | Mark nodes as deprecated. | Indicator |
    | Undeprecate | Remove deprecated status. | Indicator |
    | False Positive | Mark observables as false positives. | Indicator |
    | New Task | Create a task linked to the selected nodes. | All SDOs |
    | Create CFTR Incident | Open a CFTR incident linked to the selected node. | Indicator and Report |
    | Run Rule | Execute an automation rule. | All SDOs |
    | Enrich | Perform enrichment using the available tools. For more information, see Enrich the Nodes. | Indicator and Vulnerability |
    | Analyze Relations using CTIX | Visualize relationships between selected nodes. For more information, see Analyze Relations Using CTIX. | All SDOs |
    | Delete Node | Permanently remove nodes from the canvas. | All SDOs |
    | Unmark False Positive | Remove the false positive label from the selected observables. | Indicator |
    | Remove Tags | Detach one or more tags from the selected nodes. You can remove up to 50 tags. | All SDOs |
    | Remove from Indicators Allowed | Remove indicators from the trusted list. | Indicator |
    | Remove from Watchlist | Remove observables from the watchlist. | All SDOs |
    | Add CVSS Score | Assign a CVSS score to the selected nodes. | Vulnerability |

Note

Action Availability

The actions displayed in the drop-down menu depend on the selected node types. If your selection includes different types of SDOs, only the actions supported by all selected SDO types are displayed.