Connect the Dots
Connect the Dots helps you gather contextual information about an incident, enabling you to understand complex threat situations, identify possible attacker trajectories, and uncover hidden threat patterns. For example, in a phishing incident, Connect the Dots enables you to connect related IPs, malware, and threat actors, which quickly provides the context needed to identify the root cause and respond effectively.
You can connect the following types of entities to the incident using Connect the Dots:
Components: This includes the threat data modules present in Respond. For example, Campaigns, Threat Actors, Malware, Vulnerabilities, and more. For more information, see Fusion.
Threat Intel: This includes various indicators of compromise (IOCs) such as IP addresses, domains, URLs, and more. For more information, see Threat Intel.
Connect Components and Threat Intel
To connect components and threat intel to the incident, follow these steps:
Go to Menu > Incidents, and open an incident.
Go to the Connect the Dots tab. You can view all the connections related to the incident.
To connect components and threat intel, click Add Connection.
Components: Choose the component type and select related components.
Suggested: Select components related to the incident from the displayed AI assist suggestions. This helps you to connect the dots effectively and investigate the incident. Click Refresh to retrieve new component suggestions from AI assist. An icon on a component indicates that AI-generated suggestions are available within that component.
Note
Ensure AI Assist is enabled by your administrator. For more information, see Enable AI Assist.
All: Select from all components available in Respond.
Threat Intel: Select Threat Intel and choose an indicator type. For example, URL. Enter the indicator details. For example, https://www.sampledomain.com. You can enter multiple indicators, each on a new line.
Note
To prevent unintended opening of malicious indicators, defang indicators and then add them. For example, hxxps[:]//www[.]sampledomain[.]com. To learn more about how to defang indicators, see Fang-Defang.
You can add threat intel in two ways:
Add Manually: Add threat intel manually such as IP addresses, domains, URLs, and more.
Add via CTIX: Select threat intel from Intel Exchange. To access threat intel enriched by Intel Exchange, ensure that your administrator has enabled the Intel Exchange integration in Admin > Basic Configurations > Integration.
Note
Ensure the indicator types of Respond and Intel Exchange objects are mapped correctly by your administrator. Otherwise, the connected indicators will not appear under the appropriate indicator type in Threat Intel. For more information, see Integrate CTIX.
Click Connect.
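The defanging step from the note in the Threat Intel step above, as an added example that is not part of the original documentation or the product's own code: it normalises a pasted block of indicators (one per line) to the hxxps[:]//www[.]sampledomain[.]com style shown on this page. The function names, the constructed sample indicators, and the rule of bracketing dots only in the host part of a URL are assumptions.

```python
import re

def refang(value):
    """Undo defanging so mixed input can be normalised before re-defanging."""
    value = value.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)(?=:)", r"http\1", value, flags=re.IGNORECASE)

def defang(value):
    """Return the indicator in hxxps[:]//host[.]tld form; safe to call twice."""
    clean = refang(value)  # normalise first so already-defanged input is unchanged
    m = re.match(r"^(https?)://([^/?#]*)(.*)$", clean, flags=re.IGNORECASE)
    if m:
        scheme, authority, rest = m.groups()
        scheme = "hxxp" + scheme.lower()[4:]  # http -> hxxp, https -> hxxps
        return f"{scheme}[:]//{authority.replace('.', '[.]')}{rest}"
    return clean.replace(".", "[.]")  # bare domain or IPv4 address

def is_defanged(value):
    """True if there is no clickable '://' and no bare dot in the host part."""
    host = re.split(r"[/?#]", value.split("//", 1)[-1], maxsplit=1)[0]
    return "://" not in value and re.search(r"(?<!\[)\.(?!\])", host) is None

def prepare_for_paste(raw):
    """Defang a multi-line block, dropping blank lines and duplicates."""
    seen, out = set(), []
    for line in raw.splitlines():
        if not line.strip():
            continue
        item = defang(line)
        if item not in seen:
            seen.add(item)
            out.append(item)
    return "\n".join(out)

# Constructed sample: the page's example URL (live and already defanged)
# plus addresses from the reserved documentation ranges.
SAMPLE = """https://www.sampledomain.com
hxxps[:]//www[.]sampledomain[.]com

http://192.0.2.10:8080/login.php?id=1
198.51.100.7
"""

if __name__ == "__main__":
    print(prepare_for_paste(SAMPLE))
```
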
View Details of Components and Threat Intel
To view the details of components and threat intel from Intel Exchange, in the visualizer, right-click on the component or threat intel and click View Details.
Notice
This feature is available from Respond v3.4.2 onwards.
Note
Ensure that your administrator has enabled the Intel Exchange integration in Admin > Basic Configurations > Integration.
You must be a user in Intel Exchange to view the details of components and threat intel.
The details include the following tabs:
Basic Details: View the details such as Confidence Score, Description, Type, TLP, and more of the component or threat intel. To view additional details, click View Additional Details. For more information, see View Threat Data Object Details.
Relations: View the relations that the component or indicator has with any other objects. You can search or filter the relations based on the Relationship Type. You can view the relations in the following views:
Visualizer: You can visualize the relationships of the component or threat intel through a graphical representation that shows its related objects. Click to change the layout of the visualizer. The supported layouts are Organic, Sequential, Tweak, Lens, Standard, and Hierarchy.
Table: You can view the details of the related object such as Type, Sub-type, Value, Relationship Type, Created on, and Modified on.
To view the details in Intel Exchange, click Open in CTIX. You will be redirected to the Overview tab of the component or threat intel.
If the details of a component or threat intel are unavailable, click Add to CTIX. The component or threat intel will be added to Intel Exchange and the details will be retrieved from Intel Exchange. A report is created in Intel Exchange with the component or threat intel as relationships of the report object.
Supported Views in Connect the Dots
The following are the types of views in Connect the Dots:
In the card view, you can view components and threat intel in two cards. You can perform the following operations in the card view:
View and connect components and threat intel related to the incident. Threat intel added from Intel Exchange is marked with the View on CTIX icon. Click View on CTIX to view the details of the indicator.
Note
To view the details in Intel Exchange, you must be a user in Intel Exchange with the same email ID.
Click Export to export all the components and threat intel connected to the incident. You can export in XLS, XLSX, HTML, and JSON formats. Additionally, you can export threat intel in XML format.
To view the details of components and threat intel connected to the incident, hover over the component or threat intel, and click View Details. For more information, see View Details of Components and Threat Intel.
In the table view, you can view details such as the title and ID of the component, type of threat intel, created by, created date, and more. This view also enables you to search, filter, and sort threat intel and components as required.
You can perform the following operations in the table view:
View and connect components and threat intel. In the table view, threat intel added from Intel Exchange is marked with the View on CTIX icon. Clicking View on CTIX enables you to view the details of the indicator in Intel Exchange.
Note
To view the threat data in Intel Exchange, you must be configured as a user of Intel Exchange with the same email ID.
To view the details of components and threat intel connected to the incident, hover over the component or threat intel, and select View Details. For more information, see View Details of Components and Threat Intel.
Click Export to export all the components and threat intel connected to the incident. You can export them in XLS, XLSX, HTML, and JSON formats. Additionally, you can export threat intel in XML format.
Select one or more components to remove connections and add notes to them. To add actions and labels, and to update the status of the components, click More.
Select one or more threat intel to add notes and actions. To update fields or the status of the threat intel, click More.
In Visualizer, components and threat intel connected to the incident are visually represented. This aids in drawing contextual information by visualizing connections between the incident and associated components and indicators.
You can perform the following operations in the Visualizer:
Search for components and threat intel within the visualizer. Click Add Connections to connect components and threat intel to the incident.
Click to group similar components and threat intel types connected to the incident. Click to ungroup them.
Change the visualizer view of Connect the Dots. The following are the two types of views:
Click to view the connections in their free form with no structure.
Click to view the hierarchy of the connections, where the incident is at the top and its connections are structured below.
Click to view the summary and breakdown of the connections. Click to show or hide the nodes and groups.
Click ID or Title to view IDs or titles of the connected components and threat intel in the visualizer.
Click Export Canvas to export components and threat intel connected to the incident in PNG, SVG, and JPEG formats.
Double-click the component, threat intel, or incident to perform the following:
Expand Associations: You can expand the connections by clicking Expand Associations.
Add Connections: Add connections to the incident, component, or threat intel.
View Details: You can view the details of threat intel and components retrieved from Intel Exchange. For more information, see View Details of Components and Threat Intel.