View Investigation Map and Overview

The Investigation Map shows a graphical representation of the searched term. This topic describes the Map and the Overview panel.

The explanation that follows is based on the following example:

temporary placeholder

In addition to the searched indicator, other first-generation indicators are shown in the Map view. The Overview shows information related to the selected indicator. When you select a different indicator, the Overview information will change.

As the legend explains, indicators marked with a red exclamation point temporary placeholder are IOCs.

If an indicator is red, it is malicious, that is, a threat actor, malware, or campaign.

If an indicator is white, it is on a whitelist.

If an indicator is marked with the black triangle temporary placeholder, it has a related alert. You can jump to the alert from its link in the Overview panel.

To hide the legend, click Show Legend.

You can toggle whether to show the legend and also the node titles.

You can use the Map view and the Overview to get the following investigation information:

AreaSectionItemGraphic depictionDescription
MapASearched termThe largest circleThe searched term in our example is the domain,
BRelated itemA linked, grey circleA linked IP address, with an attachment (either a document or a note) and a tag temporary placeholder.

Some IOCs will show how they are related to others, similar to this:

temporary placeholder

The relationships include: Downloaded from, Contains reference to, Resolved to and others. Click the relationship text for more information.
CRelated itemA linked, red circleA malicious malware,testliav.
DRelated itemA linked, grey circleA grouped entity, with over 20 file hashes. 1 of those file hashes is an IOC. For actions you can perform on grouped nodes, see Grouped nodes.
OverviewEMenu bartemporary placeholder- Display the text-only Overview, described below.
- Display attached tags.
- Display the Timeline, that lists all events related to the indicator.
 - Display the Attachments & Notes section to add or view attachments and notes to the indicator.
FOverviewText-only top sectionSee data from the Threat Intelligence feed and Threat Command enrichment data (if available):
- The identification of the searched item, its Threat Command severity, and whether it has been whitelisted. You can change its whitelist status and hover the "?" to see why it was whitelisted.
- First date and last date the item was reported.
- State: active or retired.
- Geolocation (for IP addresses only).
- Reporting feeds where the item was found.
- The policy (if applicable) that reported the item.
- Related items, such as malware, threat actors, or campaigns, as well as Threat Command alerts, if any. You can click any of these to see more information, or to see them in the Threat Command Threat Library
GIntelliFindGraphSee IntelliFind mentions, over time. Click the number of mentions to go to IntelliFind.

Change an IOC severity

IOC default severity is determined by its source. You can manually change the severity.

To manually change the severity of an IOC:

  1. From theOverview section of the Investigation  page, select the IOC Severity.
  2. From the drop-down arrow, select a new severity.
    The severity is updated.

You can further enhance the Map view with the following actions:

To perform this actionDo this
Rearrange indicators for easier viewingDrag the indicators to another area in the Map.
See an example in the screenshot in Grouped nodes.
Filter the graphic display by specific threat typesClick an indicator icon to hide all of that indicator type in the display. In a busy graph, you can use this feature to focus on one type at a time.
Change an indicator's whitelist statusClick an indicator, then click temporary placeholder .

temporary placeholder
This toggles whether the indicator is on or off the whitelist. The new status is displayed in theOverview.
Add an IOC to Remediation BlocklistClick an IOC, then click temporary placeholder. This toggles whether the IOC is in or not in the Remediation Blocklist.
Reinvestigate a previous searchClick History from the search bar.
Maximize the graphic displayClick the maximize icon.
Start a new investigation for any linkClick the link name.
Increase or decrease the scalingClick temporary placeholder or roll the mouse wheel.

You can rearrange indicators for easier viewing. This is described in the following section.

Grouped nodes

When there is more than one indicator of the same type, they are displayed as one node group, with the amount of grouped links indicated.

When you hover over the node, the separate links are displayed in a group box.

In the group box, IOCs are indicated by a red icon to their left.

The following illustration shows how you can ungroup a single indicator from a grouped node:

temporary placeholder

You can ungroup some or all of the links, as described in the following table:

To perform this actionDo this
View a node’s next level linksSelect the node, then click expand temporary placeholder.
Ungroup a single linkSelect the node, then click ungroup temporary placeholder on any of its links.
Ungroup all of a node's links (limited to 20 nodes).Select the node, then click Ungroup All. The graphic representation shows all the ungrouped links as single branches.
Download a CSV of grouped indicatorsClick Export All.

Tip: For searched items with many links, it is recommended to expand the linked threats data, and work from that view.


Indicator tags are used to group like tags together. The system generates tags and users can add their own, too.

If an IOC is related to MITRE ATT&CK techniques or Cyber Kill Chain phases, those are shown as system tags.

You can add tags to indicators, for example, to group common indicators and to subsequently search for those groups.

System-generated tags (green) cannot be removed, whereas user-generated (blue) tags can be added or removed.

To view tags:

  1. From the Investigation map, select an indicator.
  2. Click temporary placeholder.
    The Tags panel displays the user and system tags.
    If there are MITRE ATT&CK or Cyber Kill Chain tags, you can view the exact tags or see them within the full attack framework:
    temporary placeholder

To add (or remove) tags:

  1. Select an indicator, then click temporary placeholder.
  2. To add a new tag, click temporary placeholder, type the name of the tag to add, then press Enter.  
    The tag icon temporary placeholder is added to the indicator on the map. The tag will remain with the indicator, so it will be there in future investigations.
  3. To remove a tag, click x in the tag temporary placeholder.
    The tag is removed from the indicator.

To search for indicators with a shared tag:

  1. From the main menu, select TIP > Investigation.
  2. In the search field, select Tag.
  3. Type a tag name, then press Enter. You can search for system-generated or user-added tags.
    All indicators with the searched tag are displayed. You can investigate an indicator by clicking it, and you can delete existing and add additional tags.

View IOC timeline events

The IOC timeline shows system and user IOC events and related Threat Command threat activity. You can filter to show events within a specified time range or whether they are user or system events.

To see the IOC events:

  • Select an indicator, then click temporary placeholder.
    The indicator's timeline is displayed in the Timeline panel:
    temporary placeholder

To filter the IOC events:

  1. From the IOC timeline, click the filter icon temporary placeholder.
    You can filter for events within a date range and events initiated by the system or a user.
  2. Click the filter buttons and select the events desired.

Attachments and notes

You can attach documents and notes to indicators for your own, internal needs. These attachments, when added to cyberterms, will show in the Threat Library, too, thus turning it into your internal knowledgebase of threat information.

You can attach documents of the following types: PDF, CSV, DOC, DOCX, PNG, TXT, JPEG, JPG, MSG, and EML.

To attach attachments and notes:

  1. Select an indicator, then click temporary placeholder
    The IOC attachments are displayed in the Attachments & notes panel.
  2. To add an attachment or a note, click Add Attachment or Note.
  3. You can type a note and select an attachment.
  4. Click Save.
    The attachment or note icon temporary placeholder is added to the indicator on the map.

Export the Map view

You can export the Map view to a PDF that includes everything displayed in the view.

To export the Map view to a PDF:

  • Arrange the map as you want, then click Export Map.

Overview panel

The Overview panel shows historical information from the Threat Command Threat Intelligence feed . If the selected indicator was the searched indicator, and that indicator is also an IOC then Threat Command enrichment data is also shown.

The data presented for the selected indicator differs depending on what was investigated. The following sections are displayed for malware:

  • Overview
    Raw and enhanced data about the searched term
    • Type
      The specific type of IOC.
    • Nationality
      The geographic location where the malware originated.
    • Targeted states
      In campaigns, which countries were targeted by the campaign.
    • Targeted sectors
      In campaigns, which sectors were targeted.
    • Functions
      What the malware can do.
  • Activity (only for a searched IP address or domain)
    Last date that the IP address or domain was resolved, and what those resolutions were
  • Linked threats
    Full list of related IOCs. (The graphical representation is limited to 1000 links per searched item.) The following statistics indicate where there may be any sort of relationship with the searched IOC. Statistics are shown for level I relationships only.
    • Related threat actors
    • Related campaigns
    • Related domains
    • Related IP addresses
    • Related hashes
    • Related URLs

For CVEs, the following relevant data is displayed:

  • CVE ID
  • Severity and Rapid7 score
  • NVD published date
  • First and last seen (if the CVE is from Rapid7 feeds)
  • Reported feeds
  • Product and vendor
  • Label (exploit or trending)
  • Related cyberterms

For more explanation of these terms, see Manage Vulnerabilities.